[PATCH] gnu: GnuTLS: Fix CVE-2020-11501.

DoneSubmitted by Leo Famulari.
Details
One participant
  • Leo Famulari
Owner
unassigned
Severity
normal
L
L
Leo Famulari wrote on 6 Apr 2020 19:48
(address . guix-patches@gnu.org)
9c5dae480715a72446322913678ba1e6b717d73b.1586195316.git.leo@famulari.name
* gnu/packages/patches/gnutls-CVE-2020-11501.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls/fixed): New variable.
(gnutls/guile-2.0, gnutls/dane, gnutls-3.6.10, gnutls3.0-gnutls): Use
PACKAGE/INHERIT.
---
gnu/local.mk | 1 +
.../patches/gnutls-CVE-2020-11501.patch | 41 +++++++++++++++++++
gnu/packages/tls.scm | 21 ++++++----
3 files changed, 55 insertions(+), 8 deletions(-)
create mode 100644 gnu/packages/patches/gnutls-CVE-2020-11501.patch

Toggle diff (123 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 77f9de2440..9953754398 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -983,6 +983,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gnome-tweaks-search-paths.patch		\
   %D%/packages/patches/gnupg-default-pinentry.patch		\
   %D%/packages/patches/gnutls-skip-trust-store-test.patch	\
+  %D%/packages/patches/gnutls-CVE-2020-11501.patch		\
   %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
   %D%/packages/patches/gobject-introspection-cc.patch		\
   %D%/packages/patches/gobject-introspection-girepository.patch	\
diff --git a/gnu/packages/patches/gnutls-CVE-2020-11501.patch b/gnu/packages/patches/gnutls-CVE-2020-11501.patch
new file mode 100644
index 0000000000..0d84b7d082
--- /dev/null
+++ b/gnu/packages/patches/gnutls-CVE-2020-11501.patch
@@ -0,0 +1,41 @@
+Fix CVE-2020-11501:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11501
+https://gitlab.com/gnutls/gnutls/issues/960
+
+Patch copied from upstream source repository:
+
+https://gitlab.com/gnutls/gnutls/commit/c01011c2d8533dbbbe754e49e256c109cb848d0d
+
+From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stbuehler@web.de>
+Date: Fri, 27 Mar 2020 17:17:57 +0100
+Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This broke with bcf4de03 "handshake: treat reply to HRR as a reply to
+hello verify request", which failed to "De Morgan" properly.
+
+Signed-off-by: Stefan Bühler <stbuehler@web.de>
+---
+ lib/handshake.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/handshake.c b/lib/handshake.c
+index 5739df213..84a0e5210 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2167,7 +2167,7 @@ static int send_client_hello(gnutls_session_t session, int again)
+ 		/* Generate random data
+ 		 */
+ 		if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
+-		    !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) {
++		    !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {
+ 			ret = _gnutls_gen_client_random(session);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+-- 
+2.26.0
+
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index bb80d86ba4..743d80a80f 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -162,6 +162,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
+    (replacement gnutls/fixed)
     (version "3.6.9")
     (source (origin
              (method url-fetch)
@@ -244,10 +245,17 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
-(define-public gnutls/guile-2.0
-  ;; GnuTLS for Guile 2.0.
+(define gnutls/fixed
   (package
     (inherit gnutls)
+    (source (origin
+              (inherit (package-source gnutls))
+              (patches (append (origin-patches (package-source gnutls))
+                               (search-patches "gnutls-CVE-2020-11501.patch")))))))
+
+(define-public gnutls/guile-2.0
+  ;; GnuTLS for Guile 2.0.
+  (package/inherit gnutls
     (name "guile2.0-gnutls")
     (inputs `(("guile" ,guile-2.0)
               ,@(alist-delete "guile" (package-inputs gnutls))))))
@@ -257,8 +265,7 @@ required structures.")
   ;; Authentication of Named Entities.  This is required for GNS functionality
   ;; by GNUnet and gnURL.  This is done in an extra package definition
   ;; to have the choice between GnuTLS with Dane and without Dane.
-  (package
-    (inherit gnutls)
+  (package/inherit gnutls
     (name "gnutls-dane")
     (inputs `(("unbound" ,unbound)
               ,@(package-inputs gnutls)))))
@@ -266,8 +273,7 @@ required structures.")
 (define gnutls-3.6.10
   ;; This is for 'guile3.0-gnutls', below.  Version 3.6.10 is the first to
   ;; introduce Guile 2.9/3.0 support.
-  (package
-    (inherit gnutls)
+  (package/inherit gnutls
     (version "3.6.10")
     (source (origin
               (inherit (package-source gnutls))
@@ -286,8 +292,7 @@ required structures.")
        ("util-linux" ,util-linux)))))
 
 (define-public guile3.0-gnutls
-  (package
-    (inherit gnutls-3.6.10)
+  (package/inherit gnutls-3.6.10
     (name "guile3.0-gnutls")
     (arguments
      (substitute-keyword-arguments (package-arguments gnutls-3.6.10)
-- 
2.26.0
L
L
Leo Famulari wrote on 6 Apr 2020 20:22
[v2] gnu: GnuTLS: Fix CVE-2020-11501.
b41bc77213b10f076710b4ad21b0e17a418a96ce.1586197341.git.leo@famulari.name
* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls-3.6.13): New variable.
(gnutls/guile-2.0, gnutls/dane, gnutls-3.6.10, gnutls3.0-gnutls): Use
PACKAGE/INHERIT.
---
gnu/packages/tls.scm | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)

Toggle diff (70 lines)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index bb80d86ba4..e8b3d88944 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -162,6 +162,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
+    (replacement gnutls-3.6.13)
     (version "3.6.9")
     (source (origin
              (method url-fetch)
@@ -244,10 +245,23 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
-(define-public gnutls/guile-2.0
-  ;; GnuTLS for Guile 2.0.
+(define gnutls-3.6.13
   (package
     (inherit gnutls)
+    (version "3.6.A")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnupg/gnutls/v"
+                                  (version-major+minor version)
+                                  "/gnutls-3.6.13.tar.xz"))
+              (patches (search-patches "gnutls-skip-trust-store-test.patch"))
+              (sha256
+               (base32
+                "0f1gnm0756qms5cpx6yn6xb8d3imc2gkqmygf12n9x6r8zs1s11j"))))))
+
+(define-public gnutls/guile-2.0
+  ;; GnuTLS for Guile 2.0.
+  (package/inherit gnutls
     (name "guile2.0-gnutls")
     (inputs `(("guile" ,guile-2.0)
               ,@(alist-delete "guile" (package-inputs gnutls))))))
@@ -257,8 +271,7 @@ required structures.")
   ;; Authentication of Named Entities.  This is required for GNS functionality
   ;; by GNUnet and gnURL.  This is done in an extra package definition
   ;; to have the choice between GnuTLS with Dane and without Dane.
-  (package
-    (inherit gnutls)
+  (package/inherit gnutls
     (name "gnutls-dane")
     (inputs `(("unbound" ,unbound)
               ,@(package-inputs gnutls)))))
@@ -266,8 +279,7 @@ required structures.")
 (define gnutls-3.6.10
   ;; This is for 'guile3.0-gnutls', below.  Version 3.6.10 is the first to
   ;; introduce Guile 2.9/3.0 support.
-  (package
-    (inherit gnutls)
+  (package/inherit gnutls
     (version "3.6.10")
     (source (origin
               (inherit (package-source gnutls))
@@ -286,8 +298,7 @@ required structures.")
        ("util-linux" ,util-linux)))))
 
 (define-public guile3.0-gnutls
-  (package
-    (inherit gnutls-3.6.10)
+  (package/inherit gnutls-3.6.10
     (name "guile3.0-gnutls")
     (arguments
      (substitute-keyword-arguments (package-arguments gnutls-3.6.10)
-- 
2.26.0
L
L
Leo Famulari wrote on 6 Apr 2020 20:53
20200406185326.GB5608@jasmine.lan
On Mon, Apr 06, 2020 at 02:22:21PM -0400, Leo Famulari wrote:
Toggle quote (5 lines)
> * gnu/packages/tls.scm (gnutls)[replacement]: New field.
> (gnutls-3.6.13): New variable.
> (gnutls/guile-2.0, gnutls/dane, gnutls-3.6.10, gnutls3.0-gnutls): Use
> PACKAGE/INHERIT.

Pushed as a270af317d60e3a9aec23b54952717fffa117bda after review by
mbakke on the #guix IRC channel.
Closed
?
Your comment

This issue is archived.

To comment on this conversation send email to 40475@debbugs.gnu.org