[PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)

[PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)

[Christopher Allan Webber]

[-- Attachment #1: Type: text/plain, Size: 533 bytes --]

Hello all,

New security release of libgcrypt:

> Hello!
> 
> The GNU project is pleased to announce the availability of Libgcrypt
> version 1.6.5.  This is a security fix release to mitigate a new side
> channel attack.
> 
> Noteworthy changes in version 1.6.5
> ===================================
> 
>  * Mitigate side-channel attack on ECDH with Weierstrass curves
>    [CVE-2015-7511].  See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
>    details.
> 
>  * Fix build problem on Solaris.

Here's a patch.  It seems to build fine.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-libgcrypt-Update-to-1.6.5.patch --]
[-- Type: text/x-patch, Size: 1170 bytes --]

From f45b192c0e648fea95a98d681d8ecdff3dc15bdb Mon Sep 17 00:00:00 2001
From: Christopher Allan Webber <cwebber@dustycloud.org>
Date: Tue, 9 Feb 2016 11:49:06 -0800
Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5.

* gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5.
---
 gnu/packages/gnupg.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index a35e8fc..608c437 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -70,14 +70,14 @@ Daemon and possibly more in the future.")
 (define-public libgcrypt
   (package
     (name "libgcrypt")
-    (version "1.6.4")
+    (version "1.6.5")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "09k06gs27gxfha07sa9rpf4xh6mvphj9sky7n09ymx75w9zjrg69"))))
+               "0959mwfzsxhallxdqlw359xg180ll2skxwyy35qawmfl89cbr7pl"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
-- 
2.6.3

Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)

[Mark H Weaver]

Hi Chris,

Christopher Allan Webber <cwebber@dustycloud.org> writes:

> Hello all,
>
> New security release of libgcrypt:
>
>> Hello!
>> 
>> The GNU project is pleased to announce the availability of Libgcrypt
>> version 1.6.5.  This is a security fix release to mitigate a new side
>> channel attack.
>> 
>> Noteworthy changes in version 1.6.5
>> ===================================
>> 
>>  * Mitigate side-channel attack on ECDH with Weierstrass curves
>>    [CVE-2015-7511].  See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
>>    details.
>> 
>>  * Fix build problem on Solaris.
>
> Here's a patch.  It seems to build fine.
>
> From f45b192c0e648fea95a98d681d8ecdff3dc15bdb Mon Sep 17 00:00:00 2001
> From: Christopher Allan Webber <cwebber@dustycloud.org>
> Date: Tue, 9 Feb 2016 11:49:06 -0800
> Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5.
>
> * gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5.

Thank you!  The summary line should include the CVE, like this:

  gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511].

Alas, this will require at least 7000 rebuilds.  After the current
'security-updates' branch is merged, this should go on the next
'security-updates' branch, together with more fixes for graphite2 and
libsndfile.

       Mark

Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)

[Christopher Allan Webber]

[-- Attachment #1: Type: text/plain, Size: 1754 bytes --]

Mark H Weaver writes:

> Hi Chris,
>
> Christopher Allan Webber <cwebber@dustycloud.org> writes:
>
>> Hello all,
>>
>> New security release of libgcrypt:
>>
>>> Hello!
>>> 
>>> The GNU project is pleased to announce the availability of Libgcrypt
>>> version 1.6.5.  This is a security fix release to mitigate a new side
>>> channel attack.
>>> 
>>> Noteworthy changes in version 1.6.5
>>> ===================================
>>> 
>>>  * Mitigate side-channel attack on ECDH with Weierstrass curves
>>>    [CVE-2015-7511].  See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
>>>    details.
>>> 
>>>  * Fix build problem on Solaris.
>>
>> Here's a patch.  It seems to build fine.
>>
>> From f45b192c0e648fea95a98d681d8ecdff3dc15bdb Mon Sep 17 00:00:00 2001
>> From: Christopher Allan Webber <cwebber@dustycloud.org>
>> Date: Tue, 9 Feb 2016 11:49:06 -0800
>> Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5.
>>
>> * gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5.
>
> Thank you!  The summary line should include the CVE, like this:
>
>   gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511].

Okay!  I wasn't aware of that convention.

> Alas, this will require at least 7000 rebuilds.  After the current
> 'security-updates' branch is merged, this should go on the next
> 'security-updates' branch, together with more fixes for graphite2 and
> libsndfile.

Yes it's unfortunate... it seems like security researchers are upping
their game in the post-heartbleed world (whatever that means)?  I guess
that's good... better good security researchers do this stuff than some
other unspecified groups... but kind of a headache here? :)

Anyway, new patch!  I don't know what to do about the security-updates
branch so I'll let you apply/push it.

 - Chris


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-libgcrypt-Update-to-1.6.5-fixes-CVE-2015-7511.patch --]
[-- Type: text/x-patch, Size: 1192 bytes --]

From 6fec07507956efd6f7055d37d268c97ca5771d8c Mon Sep 17 00:00:00 2001
From: Christopher Allan Webber <cwebber@dustycloud.org>
Date: Tue, 9 Feb 2016 11:49:06 -0800
Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511].

* gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5.
---
 gnu/packages/gnupg.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index a35e8fc..608c437 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -70,14 +70,14 @@ Daemon and possibly more in the future.")
 (define-public libgcrypt
   (package
     (name "libgcrypt")
-    (version "1.6.4")
+    (version "1.6.5")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "09k06gs27gxfha07sa9rpf4xh6mvphj9sky7n09ymx75w9zjrg69"))))
+               "0959mwfzsxhallxdqlw359xg180ll2skxwyy35qawmfl89cbr7pl"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
-- 
2.6.3

Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)

[Andreas Enge]

Hello,

On Tue, Feb 09, 2016 at 03:15:38PM -0500, Mark H Weaver wrote:
> Alas, this will require at least 7000 rebuilds.  After the current
> 'security-updates' branch is merged, this should go on the next
> 'security-updates' branch, together with more fixes for graphite2 and
> libsndfile.

it looks like we are almost there. Do you think we could squeeze in an
evaluation and build of wip-pulseaudio after updating master and rebasing
the wip branch on master?

Andreas

wip-pulseaudio (was Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update))

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 3416 bytes --]

On Wed, 10 Feb 2016 15:46:59 +0100
Andreas Enge <andreas@enge.fr> wrote:

> Hello,
> 
> On Tue, Feb 09, 2016 at 03:15:38PM -0500, Mark H Weaver wrote:
>  [...]  
> 
> it looks like we are almost there. Do you think we could squeeze in an
> evaluation and build of wip-pulseaudio after updating master and rebasing
> the wip branch on master?
> 
> Andreas
> 

I see it's been rebased on origin/master, I'll report back in a bit

efraim@debian-netbook:~/workspace/guix$ time ./pre-inst-env guix build gstreamer gst-plugins-base gst-plugins-good gst-plugins-ugly gst-libav --fallback
;;; note: source file /home/efraim/workspace/guix/gnu/packages/pulseaudio.scm
;;;       newer than compiled /home/efraim/workspace/guix/gnu/packages/pulseaudio.go
guix build: warning: failed to load '(efraim packages go-hello)':
ERROR: no code for module (guix build-system golang)
substitute: warning: failed to install locale: Invalid argument
substitute: updating list of substitutes from 'http://hydra.gnu.org'... 100.0%
The following derivations will be built:
   /gnu/store/qsg8g97ilakkj7hrvb7ywgqlapvx64bs-gst-libav-1.6.1.drv
   /gnu/store/j1z8qp0crifmgzfsrp9jg7p319xixp4m-gst-plugins-ugly-1.6.1.drv
   /gnu/store/xw15fnvzii6vwcr0dzgvhmy9b8w3cml7-gst-plugins-good-1.6.1.drv
   /gnu/store/6z864wqna3jklpwgb8haww7ycx5z60g7-openal-1.15.1.drv
   /gnu/store/gnkcv491lbw47rm491jf92d2f0496al0-ffmpeg-2.8.6.drv
The following files will be downloaded:
   /gnu/store/6y9i8v9lpmg286q63l72zz77pi1c91z2-gstreamer-1.6.1
   /gnu/store/2ka19awqsy3a0kz7x0n8826f5p4balgl-gstreamer-1.6.1-doc
   /gnu/store/sqbjqrszg8v4bb5qyxb5hivd9m34wpsg-gst-plugins-base-1.6.1
   /gnu/store/x1jx9xj6c9xfqa8hhgsk1sz6ily1snik-gst-plugins-base-1.6.1-doc
   /gnu/store/mppcj72lhdn7zaffakyrpzgjdm6fvkjj-gst-plugins-good-1.6.1.tar.xz
   /gnu/store/6rg1a6zh5h1clnf3ss8x2sy5178mbg3k-cairo-1.14.2
   /gnu/store/yv59gw65pypy6xjbb84p6aajk290rxy2-gdk-pixbuf-2.32.3
   /gnu/store/h8qmk26qppjlwwcvqk7hii6m5g03snxn-libcaca-0.99.beta19
   /gnu/store/sy9xwmlbzsbwbbcmd08nbg78n6kqm8jj-libsoup-2.52.1
   /gnu/store/yjnwwk25pif432gvwvqr33slwgb3f8gg-taglib-1.9.1
   /gnu/store/ar79y0mc7p6zrj2c0ilq8xrig1rpvnja-gst-plugins-ugly-1.6.1.tar.xz
   /gnu/store/82s25lxd0gfd4sqqsbv0p8vvxg948jmm-cmake-3.3.2
   /gnu/store/38cbna95gfyif3dyx2k8gds4h5fbv905-libquvi-0.4.1
   /gnu/store/pkbjdqk08ipjc3aabkvq15k8x77a2gs1-gnutls-3.4.7
   /gnu/store/rdi8195mysf340rm54xqjmxpl1qjq1wb-nettle-3.2
   /gnu/store/l04g809qjv9kfi3m1j42228n59jd7d0c-harfbuzz-1.0.6
   /gnu/store/7wrxicspxl4kz26vc5sbip0riqyq8hq6-libass-0.13.1
   /gnu/store/jpv3s592q5mrm596b9l8gzraclsmbi3g-graphite2-1.3.3
   /gnu/store/6m2li0x1f0ihvc36m4fwilmxa3bl3j88-soxr-0.1.1
   /gnu/store/8qwh8yk93p9nxbi2h5xahg0qjqxc9093-openldap-2.4.42
   /gnu/store/absyflwdck42kvs46196r54fjzvy9nsm-curl-7.47.0
   /gnu/store/ih5c39iibk2vqc717hbza4dqyxn1r2pa-shishi-1.0.2
   /gnu/store/mzkfj4vk1vfa3np2m7pm8h6q8z66f6ii-gss-1.0.3
   /gnu/store/vm7sx64bg8y343x83pww16fhigbngx8d-cyrus-sasl-2.1.26
   /gnu/store/1x6y9iby8krgskri5cdkdg8qk9yzkp03-libarchive-3.1.2
   /gnu/store/x3jlzwsn2xj0zwa1bfcj7lqv2b3mn70j-freeglut-3.0.0
   /gnu/store/29k39pj0cw9i2vzj59kbys8qmvhw2lby-pango-1.38.1

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: wip-pulseaudio (was Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update))

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 3509 bytes --]

On Wed, 10 Feb 2016 18:53:50 +0200
Efraim Flashner <efraim@flashner.co.il> wrote:

> On Wed, 10 Feb 2016 15:46:59 +0100
> Andreas Enge <andreas@enge.fr> wrote:
> 
>  [...]  
> 
> I see it's been rebased on origin/master, I'll report back in a bit
> 
> efraim@debian-netbook:~/workspace/guix$ time ./pre-inst-env guix build gstreamer gst-plugins-base gst-plugins-good gst-plugins-ugly gst-libav --fallback
> ;;; note: source file /home/efraim/workspace/guix/gnu/packages/pulseaudio.scm
> ;;;       newer than compiled /home/efraim/workspace/guix/gnu/packages/pulseaudio.go
> guix build: warning: failed to load '(efraim packages go-hello)':
> ERROR: no code for module (guix build-system golang)
> substitute: warning: failed to install locale: Invalid argument
> substitute: updating list of substitutes from 'http://hydra.gnu.org'... 100.0%
> The following derivations will be built:
>    /gnu/store/qsg8g97ilakkj7hrvb7ywgqlapvx64bs-gst-libav-1.6.1.drv
>    /gnu/store/j1z8qp0crifmgzfsrp9jg7p319xixp4m-gst-plugins-ugly-1.6.1.drv
>    /gnu/store/xw15fnvzii6vwcr0dzgvhmy9b8w3cml7-gst-plugins-good-1.6.1.drv
>    /gnu/store/6z864wqna3jklpwgb8haww7ycx5z60g7-openal-1.15.1.drv
>    /gnu/store/gnkcv491lbw47rm491jf92d2f0496al0-ffmpeg-2.8.6.drv
> The following files will be downloaded:
>    /gnu/store/6y9i8v9lpmg286q63l72zz77pi1c91z2-gstreamer-1.6.1
>    /gnu/store/2ka19awqsy3a0kz7x0n8826f5p4balgl-gstreamer-1.6.1-doc
>    /gnu/store/sqbjqrszg8v4bb5qyxb5hivd9m34wpsg-gst-plugins-base-1.6.1
>    /gnu/store/x1jx9xj6c9xfqa8hhgsk1sz6ily1snik-gst-plugins-base-1.6.1-doc
>    /gnu/store/mppcj72lhdn7zaffakyrpzgjdm6fvkjj-gst-plugins-good-1.6.1.tar.xz
>    /gnu/store/6rg1a6zh5h1clnf3ss8x2sy5178mbg3k-cairo-1.14.2
>    /gnu/store/yv59gw65pypy6xjbb84p6aajk290rxy2-gdk-pixbuf-2.32.3
>    /gnu/store/h8qmk26qppjlwwcvqk7hii6m5g03snxn-libcaca-0.99.beta19
>    /gnu/store/sy9xwmlbzsbwbbcmd08nbg78n6kqm8jj-libsoup-2.52.1
>    /gnu/store/yjnwwk25pif432gvwvqr33slwgb3f8gg-taglib-1.9.1
>    /gnu/store/ar79y0mc7p6zrj2c0ilq8xrig1rpvnja-gst-plugins-ugly-1.6.1.tar.xz
>    /gnu/store/82s25lxd0gfd4sqqsbv0p8vvxg948jmm-cmake-3.3.2
>    /gnu/store/38cbna95gfyif3dyx2k8gds4h5fbv905-libquvi-0.4.1
>    /gnu/store/pkbjdqk08ipjc3aabkvq15k8x77a2gs1-gnutls-3.4.7
>    /gnu/store/rdi8195mysf340rm54xqjmxpl1qjq1wb-nettle-3.2
>    /gnu/store/l04g809qjv9kfi3m1j42228n59jd7d0c-harfbuzz-1.0.6
>    /gnu/store/7wrxicspxl4kz26vc5sbip0riqyq8hq6-libass-0.13.1
>    /gnu/store/jpv3s592q5mrm596b9l8gzraclsmbi3g-graphite2-1.3.3
>    /gnu/store/6m2li0x1f0ihvc36m4fwilmxa3bl3j88-soxr-0.1.1
>    /gnu/store/8qwh8yk93p9nxbi2h5xahg0qjqxc9093-openldap-2.4.42
>    /gnu/store/absyflwdck42kvs46196r54fjzvy9nsm-curl-7.47.0
>    /gnu/store/ih5c39iibk2vqc717hbza4dqyxn1r2pa-shishi-1.0.2
>    /gnu/store/mzkfj4vk1vfa3np2m7pm8h6q8z66f6ii-gss-1.0.3
>    /gnu/store/vm7sx64bg8y343x83pww16fhigbngx8d-cyrus-sasl-2.1.26
>    /gnu/store/1x6y9iby8krgskri5cdkdg8qk9yzkp03-libarchive-3.1.2
>    /gnu/store/x3jlzwsn2xj0zwa1bfcj7lqv2b3mn70j-freeglut-3.0.0
>    /gnu/store/29k39pj0cw9i2vzj59kbys8qmvhw2lby-pango-1.38.1
> 

gst-plugins-good failed the test suite again, with 1 failed test:
FAIL: elements/splitmux

ran it two other times and had 2 failed tests:
FAIL: elements/splitmux
FAIL: elements/rtprtx

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: wip-pulseaudio (was Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update))

[Andreas Enge]

On Wed, Feb 10, 2016 at 08:41:10PM +0200, Efraim Flashner wrote:
> gst-plugins-good failed the test suite again, with 1 failed test:
> FAIL: elements/splitmux
> ran it two other times and had 2 failed tests:
> FAIL: elements/splitmux
> FAIL: elements/rtprtx

This is strange; before that, it worked unless libvpx was also updated.
I will give it another try here.

Andreas

Re: wip-pulseaudio (was Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update))

[Andreas Enge]

On Wed, Feb 10, 2016 at 08:41:10PM +0200, Efraim Flashner wrote:
> gst-plugins-good failed the test suite again, with 1 failed test:
> FAIL: elements/splitmux
> ran it two other times and had 2 failed tests:
> FAIL: elements/splitmux
> FAIL: elements/rtprtx

I tried it again, and it passes its tests. Let us wait and see what will
happen on hydra.

Andreas

Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)

[Mark H Weaver]

Andreas Enge <andreas@enge.fr> writes:

> Hello,
>
> On Tue, Feb 09, 2016 at 03:15:38PM -0500, Mark H Weaver wrote:
>> Alas, this will require at least 7000 rebuilds.  After the current
>> 'security-updates' branch is merged, this should go on the next
>> 'security-updates' branch, together with more fixes for graphite2 and
>> libsndfile.
>
> it looks like we are almost there. Do you think we could squeeze in an
> evaluation and build of wip-pulseaudio after updating master and rebasing
> the wip branch on master?

I'm reluctant to delay a critical security update like this, which
apparently allows a compromised web site to perform remote code
execution in our graphical web browsers.  I, for one, am running
text-only for now, and am impatient to return back to the modern era.

What's the nature of the pulseaudio update?  Why is it important?

What do other people think?

      Mark

Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)

[Andreas Enge]

On Wed, Feb 10, 2016 at 03:46:03PM -0500, Mark H Weaver wrote:
> What's the nature of the pulseaudio update?  Why is it important?

It is not particularly important, I would say. I am just growing impatient,
we seem to be blocked by security-updates and core-updates more or less
since the beginning of December. This is all part of the gstreamer update
that we are postponing for about three weeks now.

Hooray for a new hydra!

Andreas

Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)

[Ludovic Courtès]

Andreas Enge <andreas@enge.fr> skribis:

> On Wed, Feb 10, 2016 at 03:46:03PM -0500, Mark H Weaver wrote:
>> What's the nature of the pulseaudio update?  Why is it important?
>
> It is not particularly important, I would say. I am just growing impatient,

Of course having Hydra stuck building security updates is a bit
frustrating when we’d all want to have fun with the cutting edge stuff…
but I think it’s important nonetheless.  So I’m all for having the
Graphite fix take precedence over the rest.

But really, we should fix <http://bugs.gnu.org/22139>.  That would give
us some breathing room.

Ludo’.