* bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.
@ 2017-06-10 13:58 Marius Bakke
2017-06-10 14:29 ` Ludovic Courtès
0 siblings, 1 reply; 8+ messages in thread
From: Marius Bakke @ 2017-06-10 13:58 UTC (permalink / raw)
To: 27308
This update addresses the following security advisories:
GNUTLS-SA-2017-3 (aka CVE-2017-7869) and GNUTLS-SA-2017-4.
These links contain more information about the vulnerabilities and releases:
https://gnutls.org/security.html
https://gnutls.org/news.html
* gnu/packages/patches/gnutls-skip-pkgconfig-test.patch,
gnu/packages/patches/gnutls-skip-trust-store-test.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register patches.
* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls-3.5.13): New variable.
---
gnu/local.mk | 2 ++
.../patches/gnutls-skip-pkgconfig-test.patch | 24 ++++++++++++++++++++++
.../patches/gnutls-skip-trust-store-test.patch | 15 ++++++++++++++
gnu/packages/tls.scm | 20 ++++++++++++++++++
4 files changed, 61 insertions(+)
create mode 100644 gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
create mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 686c3c639..70b4a44a1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -640,6 +640,8 @@ dist_patch_DATA = \
%D%/packages/patches/gmp-faulty-test.patch \
%D%/packages/patches/gnome-tweak-tool-search-paths.patch \
%D%/packages/patches/gnucash-price-quotes-perl.patch \
+ %D%/packages/patches/gnutls-skip-trust-store-test.patch \
+ %D%/packages/patches/gnutls-skip-pkgconfig-test.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
%D%/packages/patches/gobject-introspection-girepository.patch \
diff --git a/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch b/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
new file mode 100644
index 000000000..1fad7c14e
--- /dev/null
+++ b/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
@@ -0,0 +1,24 @@
+FIXME: The static test fails with an error such as:
+
+/tmp/guix-build-gnutls-3.5.13.drv-0/ccOnGPmc.o: In function `main':
+c.29617.tmp.c:(.text+0x5): undefined reference to `gnutls_global_init'
+collect2: error: ld returned 1 exit status
+FAIL pkgconfig.sh (exit status: 1)
+
+diff --git a/tests/pkgconfig.sh b/tests/pkgconfig.sh
+index 6bd4e62f9..05aab8278 100755
+--- a/tests/pkgconfig.sh
++++ b/tests/pkgconfig.sh
+@@ -57,11 +57,7 @@ echo "Trying dynamic linking with:"
+ echo " * flags: $(${PKGCONFIG} --libs gnutls)"
+ echo " * common: ${COMMON}"
+ echo " * lib: ${CFLAGS}"
+-cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
+-
+-echo ""
+-echo "Trying static linking with $(${PKGCONFIG} --libs --static gnutls)"
+-cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --static --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
++gcc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
+
+ rm -f ${TMPFILE} ${TMPFILE_O}
+
diff --git a/gnu/packages/patches/gnutls-skip-trust-store-test.patch b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
new file mode 100644
index 000000000..e0536712a
--- /dev/null
+++ b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
@@ -0,0 +1,15 @@
+Version 3.5.11 added a test to check that the default trust store is readable.
+It does not exist in the build environment, so pretend everything is fine.
+
+diff a/tests/trust-store.c b/tests/trust-store.c
+--- a/tests/trust-store.c
++++ b/tests/trust-store.c
+@@ -61,7 +61,7 @@
+ } else if (ret < 0) {
+ fail("error loading system trust store: %s\n", gnutls_strerror(ret));
+ } else if (ret == 0) {
+- fail("no certificates were found in system trust store!\n");
++ success("no trust store in the Guix build environment!\n");
+ }
+
+ gnutls_certificate_free_credentials(x509_cred);
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 8964abb2f..69dcb015b 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -8,6 +8,7 @@
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -142,6 +143,7 @@ living in the same process.")
(define-public gnutls
(package
(name "gnutls")
+ (replacement gnutls-3.5.13)
(version "3.5.9")
(source (origin
(method url-fetch)
@@ -214,6 +216,24 @@ required structures.")
(properties '((ftp-server . "ftp.gnutls.org")
(ftp-directory . "/gcrypt/gnutls")))))
+(define gnutls-3.5.13
+ (package
+ (inherit gnutls)
+ (version "3.5.13")
+ (replacement #f)
+ (source (origin
+ (method url-fetch)
+ (uri
+ (string-append "mirror://gnupg/gnutls/v"
+ (version-major+minor version)
+ "/gnutls-" version ".tar.xz"))
+ (patches
+ (search-patches "gnutls-skip-trust-store-test.patch"
+ "gnutls-skip-pkgconfig-test.patch"))
+ (sha256
+ (base32
+ "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))))
+
(define-public gnutls/guile-2.2
;; GnuTLS for Guile 2.2. This is supported by GnuTLS >= 3.5.5.
(package
--
2.13.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.
2017-06-10 13:58 bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13 Marius Bakke
@ 2017-06-10 14:29 ` Ludovic Courtès
2017-06-10 16:16 ` Marius Bakke
0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2017-06-10 14:29 UTC (permalink / raw)
To: Marius Bakke; +Cc: 27308
Hi Marius,
Marius Bakke <mbakke@fastmail.com> skribis:
> This update addresses the following security advisories:
>
> GNUTLS-SA-2017-3 (aka CVE-2017-7869) and GNUTLS-SA-2017-4.
>
> These links contain more information about the vulnerabilities and releases:
>
> https://gnutls.org/security.html
> https://gnutls.org/news.html
>
> * gnu/packages/patches/gnutls-skip-pkgconfig-test.patch,
> gnu/packages/patches/gnutls-skip-trust-store-test.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register patches.
> * gnu/packages/tls.scm (gnutls)[replacement]: New field.
> (gnutls-3.5.13): New variable.
Assuming binary compatibility, that looks good to me.
While you’re at it, could you update GnuTLS in ‘core-updates’?
For the trust-store.c test, we could ask upstream to arrange so that the
test is skipped when the trust store doesn’t exist; would the test still
make sense?
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.
2017-06-10 14:29 ` Ludovic Courtès
@ 2017-06-10 16:16 ` Marius Bakke
2017-06-10 16:37 ` Marius Bakke
0 siblings, 1 reply; 8+ messages in thread
From: Marius Bakke @ 2017-06-10 16:16 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 27308
[-- Attachment #1: Type: text/plain, Size: 3422 bytes --]
Ludovic Courtès <ludo@gnu.org> writes:
> Hi Marius,
>
> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> This update addresses the following security advisories:
>>
>> GNUTLS-SA-2017-3 (aka CVE-2017-7869) and GNUTLS-SA-2017-4.
>>
>> These links contain more information about the vulnerabilities and releases:
>>
>> https://gnutls.org/security.html
>> https://gnutls.org/news.html
>>
>> * gnu/packages/patches/gnutls-skip-pkgconfig-test.patch,
>> gnu/packages/patches/gnutls-skip-trust-store-test.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register patches.
>> * gnu/packages/tls.scm (gnutls)[replacement]: New field.
>> (gnutls-3.5.13): New variable.
>
> Assuming binary compatibility, that looks good to me.
The release notes since version 3.5.9 explicitly mention no API or ABI
changes.
> While you’re at it, could you update GnuTLS in ‘core-updates’?
Indeed; that was the intention. Will merge-and-ungraft after committing.
> For the trust-store.c test, we could ask upstream to arrange so that the
> test is skipped when the trust store doesn’t exist; would the test still
> make sense?
The test *only* checks that the --default-trust-store exists. However,
the current solution is rather hacky, will check for proper skipping
mechanisms.
I tested this graft on my profile, but apparently the grafting code
checks the store item length and refuses since the .13 is one byte
longer than .9:
Backtrace:
In ice-9/boot-9.scm:
160: 14 [catch #t #<catch-closure 8c5dc0> ...]
In unknown file:
?: 13 [apply-smob/1 #<catch-closure 8c5dc0>]
In ice-9/boot-9.scm:
66: 12 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
432: 11 [eval # #]
In ice-9/boot-9.scm:
2412: 10 [save-module-excursion #<procedure 8e6840 at ice-9/boot-9.scm:4084:3 ()>]
4089: 9 [#<procedure 8e6840 at ice-9/boot-9.scm:4084:3 ()>]
1734: 8 [%start-stack load-stack #<procedure 8f6e20 at ice-9/boot-9.scm:4080:10 ()>]
1739: 7 [#<procedure 8f8960 ()>]
In unknown file:
?: 6 [primitive-load "/gnu/store/aaxbysgk1j098i8i6ag24jslnizwmdlw-ffmpeg-3.3.2-guile-builder"]
In ice-9/eval.scm:
387: 5 [eval # ()]
In ice-9/boot-9.scm:
797: 4 [for-each #<procedure d0cd20 at ice-9/eval.scm:416:20 (a b)> # #]
In /gnu/store/9a54ididkvfkgkv7rgjw07vmdc16k9cv-module-import/guix/build/graft.scm:
262: 3 [rewrite-directory "/gnu/store/kx3gc2swra9f2clkrgxall1bb5mcxhpc-ffmpeg-3.3.2" ...]
In srfi/srfi-1.scm:
575: 2 [map #<procedure ae0860 at /gnu/store/9a54ididkvfkgkv7rgjw07vmdc16k9cv-module-import/guix/build/graft.scm:262:11 (expr)> ...]
In /gnu/store/9a54ididkvfkgkv7rgjw07vmdc16k9cv-module-import/guix/build/graft.scm:
268: 1 [#<procedure ae0860 at /gnu/store/9a54ididkvfkgkv7rgjw07vmdc16k9cv-module-import/guix/build/graft.scm:262:11 (expr)> #]
In unknown file:
?: 0 [scm-error misc-error #f ...]
ERROR: In procedure scm-error:
ERROR: replacement length differs from the original length "56dbd2gw33g3wdxmq78lr39lamg8gxnq-gnutls-3.5.9" "78kvf0ma45z3h14850wzkcvz3zqg59xy-gnutls-3.5.13"
builder for `/gnu/store/hjzqpxdirqv5hmlyc2cg1pisnchnfisi-ffmpeg-3.3.2.drv' failed with exit code 1
cannot build derivation `/gnu/store/dn6qzxbp9xk659ypldnpgdb07fvx4343-profile.drv': 1 dependencies couldn't be built
guix package: error: build failed: build of `/gnu/store/dn6qzxbp9xk659ypldnpgdb07fvx4343-profile.drv' failed
Not sure what to do about it. Ideas?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.
2017-06-10 16:16 ` Marius Bakke
@ 2017-06-10 16:37 ` Marius Bakke
2017-06-10 18:07 ` Marius Bakke
2017-06-11 13:57 ` Ludovic Courtès
0 siblings, 2 replies; 8+ messages in thread
From: Marius Bakke @ 2017-06-10 16:37 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 27308
[-- Attachment #1.1: Type: text/plain, Size: 505 bytes --]
Marius Bakke <mbakke@fastmail.com> writes:
> I tested this graft on my profile, but apparently the grafting code
> checks the store item length and refuses since the .13 is one byte
> longer than .9:
[...]
> ERROR: In procedure scm-error:
> ERROR: replacement length differs from the original length "56dbd2gw33g3wdxmq78lr39lamg8gxnq-gnutls-3.5.9" "78kvf0ma45z3h14850wzkcvz3zqg59xy-gnutls-3.5.13"
The attached patch allows the graft to proceed, but I'm not sure about
the sanity of it all. Thoughts?
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-build-graft-Allow-longer-replacement-store-names.patch --]
[-- Type: text/x-patch, Size: 1326 bytes --]
From 5f122f6e1b73fb7a664142a20ac70890cb6956f9 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 10 Jun 2017 18:31:03 +0200
Subject: [PATCH] build: graft: Allow longer replacement store names.
* guix/build/graft.scm (rewrite-directory): Only fail if replacement name is shorter.
---
guix/build/graft.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/guix/build/graft.scm b/guix/build/graft.scm
index 16df169ec..2b3b99cb1 100644
--- a/guix/build/graft.scm
+++ b/guix/build/graft.scm
@@ -263,9 +263,9 @@ file name pairs."
(((= hash+rest (origin-hash origin-string))
.
(= hash+rest (replacement-hash replacement-string)))
- (unless (= (string-length origin-string)
- (string-length replacement-string))
- (error "replacement length differs from the original length"
+ (unless (<= (string-length origin-string)
+ (string-length replacement-string))
+ (error "replacement length is shorter than the original length"
origin-string replacement-string))
(cons origin-hash (string->utf8 replacement-string)))
((origin . replacement)
--
2.13.1
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply related [flat|nested] 8+ messages in thread
* bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.
2017-06-10 16:37 ` Marius Bakke
@ 2017-06-10 18:07 ` Marius Bakke
2017-06-10 23:05 ` Leo Famulari
2017-06-11 13:57 ` Ludovic Courtès
1 sibling, 1 reply; 8+ messages in thread
From: Marius Bakke @ 2017-06-10 18:07 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 27308
[-- Attachment #1: Type: text/plain, Size: 868 bytes --]
Marius Bakke <mbakke@fastmail.com> writes:
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> I tested this graft on my profile, but apparently the grafting code
>> checks the store item length and refuses since the .13 is one byte
>> longer than .9:
>
> [...]
>
>> ERROR: In procedure scm-error:
>> ERROR: replacement length differs from the original length "56dbd2gw33g3wdxmq78lr39lamg8gxnq-gnutls-3.5.9" "78kvf0ma45z3h14850wzkcvz3zqg59xy-gnutls-3.5.13"
>
> The attached patch allows the graft to proceed, but I'm not sure about
> the sanity of it all. Thoughts?
[...]
> Subject: [PATCH] build: graft: Allow longer replacement store names.
Thinking further about this, replacing a string of a fixed length with
that of another sounds highly unsafe. So I'm not sure what the best
approach here is. Maybe some dummy version number like 3.5.a? Or simply
keep 3.5.9?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.
2017-06-10 18:07 ` Marius Bakke
@ 2017-06-10 23:05 ` Leo Famulari
2017-06-10 23:25 ` Marius Bakke
0 siblings, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2017-06-10 23:05 UTC (permalink / raw)
To: Marius Bakke; +Cc: 27308
[-- Attachment #1: Type: text/plain, Size: 608 bytes --]
On Sat, Jun 10, 2017 at 08:07:57PM +0200, Marius Bakke wrote:
> Thinking further about this, replacing a string of a fixed length with
> that of another sounds highly unsafe. So I'm not sure what the best
> approach here is. Maybe some dummy version number like 3.5.a? Or simply
> keep 3.5.9?
We did something similar when grafting bash [0], changing 4.4.0 to
4.4.A. It's not great, but it worked.
[0] commit 50b8a527efe375ac5377670ff0f159fbbce45312 (gnu: bash: Add
graft for patch #7 [fixes CVE-2017-5932].).
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=50b8a527efe375ac5377670ff0f159fbbce45312
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.
2017-06-10 23:05 ` Leo Famulari
@ 2017-06-10 23:25 ` Marius Bakke
0 siblings, 0 replies; 8+ messages in thread
From: Marius Bakke @ 2017-06-10 23:25 UTC (permalink / raw)
To: Leo Famulari; +Cc: 27308-done
[-- Attachment #1: Type: text/plain, Size: 615 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Sat, Jun 10, 2017 at 08:07:57PM +0200, Marius Bakke wrote:
>> Thinking further about this, replacing a string of a fixed length with
>> that of another sounds highly unsafe. So I'm not sure what the best
>> approach here is. Maybe some dummy version number like 3.5.a? Or simply
>> keep 3.5.9?
>
> We did something similar when grafting bash [0], changing 4.4.0 to
> 4.4.A. It's not great, but it worked.
Ha, I already settled on 'D'. Works until version .16 ;-)
I realized 'guile2.2-gnutls' needed (replacement #f) and inheriting the
fixed sources as well. Pushed!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13.
2017-06-10 16:37 ` Marius Bakke
2017-06-10 18:07 ` Marius Bakke
@ 2017-06-11 13:57 ` Ludovic Courtès
1 sibling, 0 replies; 8+ messages in thread
From: Ludovic Courtès @ 2017-06-11 13:57 UTC (permalink / raw)
To: Marius Bakke; +Cc: 27308
Marius Bakke <mbakke@fastmail.com> skribis:
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> I tested this graft on my profile, but apparently the grafting code
>> checks the store item length and refuses since the .13 is one byte
>> longer than .9:
[...]
> index 16df169ec..2b3b99cb1 100644
> --- a/guix/build/graft.scm
> +++ b/guix/build/graft.scm
> @@ -263,9 +263,9 @@ file name pairs."
> (((= hash+rest (origin-hash origin-string))
> .
> (= hash+rest (replacement-hash replacement-string)))
> - (unless (= (string-length origin-string)
> - (string-length replacement-string))
> - (error "replacement length differs from the original length"
> + (unless (<= (string-length origin-string)
> + (string-length replacement-string))
> + (error "replacement length is shorter than the original length"
That won’t work.
The workaround is to use a version string with the right length, say
“3.5.A”. It’s enough to allow users to distinguish it from the affected
version, so that’s okay IMO.
Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2017-06-11 13:59 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-10 13:58 bug#27308: [PATCH] gnu: gnutls: Replace with 3.5.13 Marius Bakke
2017-06-10 14:29 ` Ludovic Courtès
2017-06-10 16:16 ` Marius Bakke
2017-06-10 16:37 ` Marius Bakke
2017-06-10 18:07 ` Marius Bakke
2017-06-10 23:05 ` Leo Famulari
2017-06-10 23:25 ` Marius Bakke
2017-06-11 13:57 ` Ludovic Courtès
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.