* gnutls package may be vulnerable to CVE-2021-20232
From: Léo Le Bouter @ 2021-03-13 1:25 UTC
To: guix-devel

CVE-2021-20232 12.03.21 20:15
A flaw was found in gnutls. A use-after-free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.

It is not certain whether the 3.6.x series is affected as packaged in GNU Guix. I asked upstream at <https://gitlab.com/gnutls/gnutls/-/issues/1151#note_528567535>. Let's wait for an answer, or else apply/backport this commit (https://gitlab.com/gnutls/gnutls/-/commit/75a937d97f4fefc6f9b08e3791f151445f551cb3) to the 3.6.x series.

A rather low-impact vulnerability, upstream says, but I would be careful there: in my opinion an experienced exploit writer could find reliable ways to exploit it. Let's patch this as soon as possible!
* Re: gnutls package may be vulnerable to CVE-2021-20232
From: Mark H Weaver @ 2021-03-13 10:12 UTC
To: Léo Le Bouter, guix-devel

Léo Le Bouter <lle-bout@zaclys.net> writes:

> CVE-2021-20232 12.03.21 20:15
> A flaw was found in gnutls. A use after free issue in
> client_send_params in lib/ext/pre_shared_key.c may lead to memory
> corruption and other potential consequences.

I pushed fixes for this and CVE-2021-20231 to 'master' in commit 74e2c0e00f58c8bf948f7dc7c5ae2876af910d5a.

For what it's worth, I think that <bug-guix@gnu.org> would be a more appropriate place to send these bug reports. What do you think?

Thanks,
Mark
* Re: gnutls package may be vulnerable to CVE-2021-20232
From: Léo Le Bouter @ 2021-03-13 10:50 UTC
To: Mark H Weaver, guix-devel

On Sat, 2021-03-13 at 05:12 -0500, Mark H Weaver wrote:

> I pushed fixes for this and CVE-2021-20231 to 'master' in commit
> 74e2c0e00f58c8bf948f7dc7c5ae2876af910d5a.

Thank you. I would otherwise have done it; I was waiting for an answer from upstream first, or for some time to pass.

> For what it's worth, I think that <bug-guix@gnu.org> would be a more
> appropriate place to send these bug reports. What do you think?

I don't know, it seems people read guix-devel more, maybe? I don't know if they are bug reports; most of the time I am handling these issues myself. I just try to keep a public log so I don't forget things and can come back later, and if I disappear, other people can still have a go at them.

Léo
* Re: gnutls package may be vulnerable to CVE-2021-20232
From: zimoun @ 2021-03-13 11:53 UTC
To: Léo Le Bouter, Mark H Weaver, guix-devel

Hi Léo,

On Sat, 13 Mar 2021 at 11:50, Léo Le Bouter <lle-bout@zaclys.net> wrote:

> On Sat, 2021-03-13 at 05:12 -0500, Mark H Weaver wrote:
>> For what it's worth, I think that <bug-guix@gnu.org> would be a more
>> appropriate place to send these bug reports. What do you think?
>
> I don't know, it seems people read guix-devel more maybe? I don't know
> if they are bug reports, most of the time I am handling these issues
> myself, I just try to keep a public log so I don't forget things and
> can come back later, and if I disappear, other people can still have a
> go at them.

I also think it is better to file a bug report for these security issues instead of writing to guix-devel. One reason is that debbugs allows severity tags, which can be helpful for filtering. Another reason is that "if you disappear", people will not dig into guix-devel to read this "public log" but would probably address the items in the bug tracker.

I speak for myself: when I read guix-devel or any other Guix list, I have an org-capture, and capturing security issues is not in my list (I have enough on my plate :-)). From time to time, I open "M-x debbugs-gnu" and select bugs: check the status and try to close them; and months from now I will never search guix-devel to check the vulnerabilities of some packages. And even if I did, the search query, assuming a pattern in the messages, would return both closed and still-open security issues, so I would have to read some messages first, even the closed ones, just to find the still-open ones, with the search results growing larger and larger.

BTW, thanks for all this effort! :-)

Cheers,
simon