[PATCH] gnu: GnuTLS: Fix CVE-2020-11501.

Done. Submitted by Leo Famulari.
Details
One participant
  • Leo Famulari
Owner
unassigned
Severity
normal
Leo Famulari wrote on 6 Apr 19:48 +0200
(address . guix-patches@gnu.org)
9c5dae480715a72446322913678ba1e6b717d73b.1586195316.git.leo@famulari.name
* gnu/packages/patches/gnutls-CVE-2020-11501.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls/fixed): New variable.
(gnutls/guile-2.0, gnutls/dane, gnutls-3.6.10, gnutls3.0-gnutls): Use
PACKAGE/INHERIT.
---
 gnu/local.mk                                  |  1 +
 .../patches/gnutls-CVE-2020-11501.patch       | 41 +++++++++++++++++++
 gnu/packages/tls.scm                          | 21 ++++++----
 3 files changed, 55 insertions(+), 8 deletions(-)
 create mode 100644 gnu/packages/patches/gnutls-CVE-2020-11501.patch
Toggle diff (123 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 77f9de2440..9953754398 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -983,6 +983,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-tweaks-search-paths.patch \ %D%/packages/patches/gnupg-default-pinentry.patch \ %D%/packages/patches/gnutls-skip-trust-store-test.patch \+ %D%/packages/patches/gnutls-CVE-2020-11501.patch \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ %D%/packages/patches/gobject-introspection-cc.patch \ %D%/packages/patches/gobject-introspection-girepository.patch \diff --git a/gnu/packages/patches/gnutls-CVE-2020-11501.patch b/gnu/packages/patches/gnutls-CVE-2020-11501.patchnew file mode 100644index 0000000000..0d84b7d082--- /dev/null+++ b/gnu/packages/patches/gnutls-CVE-2020-11501.patch@@ -0,0 +1,41 @@+Fix CVE-2020-11501:++https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11501+https://gitlab.com/gnutls/gnutls/issues/960++Patch copied from upstream source repository:++https://gitlab.com/gnutls/gnutls/commit/c01011c2d8533dbbbe754e49e256c109cb848d0d++From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stbuehler@web.de>+Date: Fri, 27 Mar 2020 17:17:57 +0100+Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960)+MIME-Version: 1.0+Content-Type: text/plain; charset=UTF-8+Content-Transfer-Encoding: 8bit++This broke with bcf4de03 "handshake: treat reply to HRR as a reply to+hello verify request", which failed to "De Morgan" properly.++Signed-off-by: Stefan Bühler <stbuehler@web.de>+---+ lib/handshake.c | 2 +-+ 1 file changed, 1 insertion(+), 1 deletion(-)++diff --git a/lib/handshake.c b/lib/handshake.c+index 5739df213..84a0e5210 100644+--- a/lib/handshake.c++++ b/lib/handshake.c+@@ -2167,7 +2167,7 @@ static int send_client_hello(gnutls_session_t session, int again)+ /* Generate random data+ */+ if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&+- !(IS_DTLS(session) && 
session->internals.dtls.hsk_hello_verify_requests == 0)) {++ !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {+ ret = _gnutls_gen_client_random(session);+ if (ret < 0) {+ gnutls_assert();+-- +2.26.0+diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scmindex bb80d86ba4..743d80a80f 100644--- a/gnu/packages/tls.scm+++ b/gnu/packages/tls.scm@@ -162,6 +162,7 @@ living in the same process.") (define-public gnutls (package (name "gnutls")+ (replacement gnutls/fixed) (version "3.6.9") (source (origin (method url-fetch)@@ -244,10 +245,17 @@ required structures.") (properties '((ftp-server . "ftp.gnutls.org") (ftp-directory . "/gcrypt/gnutls"))))) -(define-public gnutls/guile-2.0- ;; GnuTLS for Guile 2.0.+(define gnutls/fixed (package (inherit gnutls)+ (source (origin+ (inherit (package-source gnutls))+ (patches (append (origin-patches (package-source gnutls))+ (search-patches "gnutls-CVE-2020-11501.patch")))))))++(define-public gnutls/guile-2.0+ ;; GnuTLS for Guile 2.0.+ (package/inherit gnutls (name "guile2.0-gnutls") (inputs `(("guile" ,guile-2.0) ,@(alist-delete "guile" (package-inputs gnutls))))))@@ -257,8 +265,7 @@ required structures.") ;; Authentication of Named Entities. This is required for GNS functionality ;; by GNUnet and gnURL. This is done in an extra package definition ;; to have the choice between GnuTLS with Dane and without Dane.- (package- (inherit gnutls)+ (package/inherit gnutls (name "gnutls-dane") (inputs `(("unbound" ,unbound) ,@(package-inputs gnutls)))))@@ -266,8 +273,7 @@ required structures.") (define gnutls-3.6.10 ;; This is for 'guile3.0-gnutls', below. 
Version 3.6.10 is the first to ;; introduce Guile 2.9/3.0 support.- (package- (inherit gnutls)+ (package/inherit gnutls (version "3.6.10") (source (origin (inherit (package-source gnutls))@@ -286,8 +292,7 @@ required structures.") ("util-linux" ,util-linux))))) (define-public guile3.0-gnutls- (package- (inherit gnutls-3.6.10)+ (package/inherit gnutls-3.6.10 (name "guile3.0-gnutls") (arguments (substitute-keyword-arguments (package-arguments gnutls-3.6.10)-- 2.26.0
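Review bot: In the gnu/local.mk hunk the new entry is inserted after gnutls-skip-trust-store-test.patch, but dist_patch_DATA is kept sorted (gnome-tweaks, gnupg-default-pinentry, gnutls-..., gobject-introspection-...) and "gnutls-CVE-2020-11501.patch" sorts before "gnutls-skip-trust-store-test.patch" (uppercase before lowercase, as with the other CVE patches in that list), so move the added line up one position.

Review bot: In the lib/handshake.c hunk the condition flip is the right one to carry: with `hsk_hello_verify_requests != 0` the first DTLS ClientHello (counter still 0) now takes the `_gnutls_gen_client_random` path and gets a fresh random, while only the ClientHello resent after a HelloVerifyRequest, or after an HRR, keeps the previously generated value; with the old `== 0` the initial DTLS hello skipped generation entirely, which is the zeroed client random the upstream message and CVE-2020-11501 describe. Since the patch is a verbatim copy of upstream commit c01011c2d8533dbbbe754e49e256c109cb848d0d, it would help future readers to state in the header which upstream release first ships it, so the patch can be dropped at the next version bump.

Review bot: In the gnutls-3.6.10 hunk, `package/inherit` now also derives a replacement for the 3.6.10 variant, but the override re-applied there says `(source (origin (inherit (package-source gnutls)) ...))`, naming the unpatched gnutls source explicitly instead of the parent's; check that the resulting replacement for gnutls-3.6.10, and therefore for guile3.0-gnutls, actually carries gnutls-CVE-2020-11501.patch rather than rebuilding the original 3.6.10 source, for example by inspecting `(origin-patches (package-source (package-replacement gnutls-3.6.10)))` at the REPL. If it does not, gnutls-3.6.10 needs its own patched source or an explicit replacement.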
Leo Famulari wrote on 6 Apr 20:22 +0200
[v2] gnu: GnuTLS: Fix CVE-2020-11501.
b41bc77213b10f076710b4ad21b0e17a418a96ce.1586197341.git.leo@famulari.name
* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls-3.6.13): New variable.
(gnutls/guile-2.0, gnutls/dane, gnutls-3.6.10, gnutls3.0-gnutls): Use
PACKAGE/INHERIT.
---
 gnu/packages/tls.scm | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)
Toggle diff (70 lines)diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scmindex bb80d86ba4..e8b3d88944 100644--- a/gnu/packages/tls.scm+++ b/gnu/packages/tls.scm@@ -162,6 +162,7 @@ living in the same process.") (define-public gnutls (package (name "gnutls")+ (replacement gnutls-3.6.13) (version "3.6.9") (source (origin (method url-fetch)@@ -244,10 +245,23 @@ required structures.") (properties '((ftp-server . "ftp.gnutls.org") (ftp-directory . "/gcrypt/gnutls"))))) -(define-public gnutls/guile-2.0- ;; GnuTLS for Guile 2.0.+(define gnutls-3.6.13 (package (inherit gnutls)+ (version "3.6.A")+ (source (origin+ (method url-fetch)+ (uri (string-append "mirror://gnupg/gnutls/v"+ (version-major+minor version)+ "/gnutls-3.6.13.tar.xz"))+ (patches (search-patches "gnutls-skip-trust-store-test.patch"))+ (sha256+ (base32+ "0f1gnm0756qms5cpx6yn6xb8d3imc2gkqmygf12n9x6r8zs1s11j"))))))++(define-public gnutls/guile-2.0+ ;; GnuTLS for Guile 2.0.+ (package/inherit gnutls (name "guile2.0-gnutls") (inputs `(("guile" ,guile-2.0) ,@(alist-delete "guile" (package-inputs gnutls))))))@@ -257,8 +271,7 @@ required structures.") ;; Authentication of Named Entities. This is required for GNS functionality ;; by GNUnet and gnURL. This is done in an extra package definition ;; to have the choice between GnuTLS with Dane and without Dane.- (package- (inherit gnutls)+ (package/inherit gnutls (name "gnutls-dane") (inputs `(("unbound" ,unbound) ,@(package-inputs gnutls)))))@@ -266,8 +279,7 @@ required structures.") (define gnutls-3.6.10 ;; This is for 'guile3.0-gnutls', below. 
Version 3.6.10 is the first to ;; introduce Guile 2.9/3.0 support.- (package- (inherit gnutls)+ (package/inherit gnutls (version "3.6.10") (source (origin (inherit (package-source gnutls))@@ -286,8 +298,7 @@ required structures.") ("util-linux" ,util-linux))))) (define-public guile3.0-gnutls- (package- (inherit gnutls-3.6.10)+ (package/inherit gnutls-3.6.10 (name "guile3.0-gnutls") (arguments (substitute-keyword-arguments (package-arguments gnutls-3.6.10)-- 2.26.0
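Review bot: In the gnutls-3.6.13 hunk, `(version "3.6.A")` together with the hard-coded "gnutls-3.6.13.tar.xz" in the URI needs a comment: the replacement's store file name must have the same length as the original's ("gnutls-3.6.9" vs "gnutls-3.6.13") for the graft to rewrite references, which is why a five-character version string is used and why `(version-major+minor version)` still resolves to "3.6" for the mirror directory. Without that comment the next person to bump the package will "fix" the version and silently break the graft; something like `;; "3.6.A" keeps the store name the same length as 3.6.9 so the graft works.` above the version field is enough.

Review bot: In the gnutls-3.6.10 hunk the same concern as in v1 applies: the `package/inherit` override pins the source back to `(inherit (package-source gnutls))` with the 3.6.10 URI, so the replacement derived for gnutls-3.6.10 (and hence for guile3.0-gnutls) may be the original 3.6.10 source rather than 3.6.13; please confirm that the grafted guile3.0-gnutls output really references a 3.6.13 build, and if not give gnutls-3.6.10 its own `replacement` pointing at a fixed version.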
Leo Famulari wrote on 6 Apr 20:53 +0200
20200406185326.GB5608@jasmine.lan
On Mon, Apr 06, 2020 at 02:22:21PM -0400, Leo Famulari wrote:
> * gnu/packages/tls.scm (gnutls)[replacement]: New field.
> (gnutls-3.6.13): New variable.
> (gnutls/guile-2.0, gnutls/dane, gnutls-3.6.10, gnutls3.0-gnutls): Use
> PACKAGE/INHERIT.
Pushed as a270af317d60e3a9aec23b54952717fffa117bda after review by mbakke on the #guix IRC channel.
Closed