[PATCH] gnu: gnutls: Replace with 3.8.1.

Status: Done
Participants: Ludovic Courtès, Christopher Baines
Owner: unassigned
Submitted by: Christopher Baines
Severity: normal

Christopher Baines wrote 1 year ago
(address . guix-patches@gnu.org)
4f21f3a5aba2851c7b943c283f5f6a21b93444eb.1695668811.git.mail@cbaines.net
The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
upgrade to 3.8.0 or later.

* gnu/packages/tls.scm (gnutls-3.8.1): New variable.
(gnutls)[replacement]: Use it.
---
gnu/packages/tls.scm | 15 +++++++++++++++
1 file changed, 15 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index b669ac2e8d..99252464e6 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -200,6 +200,7 @@ (define-public gnutls
(package
(name "gnutls")
(version "3.7.7")
+ (replacement gnutls-3.8.1)
(source (origin
(method url-fetch)
;; Note: Releases are no longer on ftp.gnu.org since the
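Review bot: the `(replacement gnutls-3.8.1)` line added after `(version "3.7.7")` grafts across a minor series (3.7 to 3.8), and nothing in this hunk or the commit message records that the two libgnutls ABIs were compared. A graft rewrites references in already-built dependents instead of rebuilding them, so the replacement must be a drop-in for 3.7.7; run abidiff on the two `libgnutls.so` files and state the result in the commit message.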
@@ -303,6 +304,20 @@ (define-public gnutls
(define-deprecated/public-alias gnutls-latest gnutls)
+(define-public gnutls-3.8.1
+ (package
+ (inherit gnutls)
+ (version "3.8.1")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://gnupg/gnutls/v"
+ (version-major+minor version)
+ "/gnutls-" version ".tar.xz"))
+ (patches (search-patches "gnutls-skip-trust-store-test.patch"))
+ (sha256
+ (base32
+ "1742jiigwsfhx7nj5rz7dwqr8d46npsph6b68j7siar0mqarx2xs"))))))
+
(define-public gnutls/dane
;; GnuTLS with build libgnutls-dane, implementing DNS-based
;; Authentication of Named Entities. This is required for GNS functionality
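Review bot: the new `(define-public gnutls-3.8.1` form has no comment explaining why a second GnuTLS is defined; add one above it naming the advisory and CVE from the commit message (GNUTLS-SA-2020-07-14 / CVE-2023-0361) and saying it exists only as the graft target for `gnutls`, so it is clear when it can be dropped. Because it inherits the name "gnutls" through `(inherit gnutls)` and is exported with `define-public`, it is also selectable by name alongside 3.7.7; if that is not intended, use a plain `define` or hide the package.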

base-commit: fafd3caef0d51811a5da81d6061789e2908b0dac
--
2.41.0
Ludovic Courtès wrote 1 year ago
(name . Christopher Baines)(address . mail@cbaines.net)(address . 66195@debbugs.gnu.org)
87zg0ext7e.fsf@gnu.org
Hi,

Christopher Baines <mail@cbaines.net> skribis:

> The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
> upgrade to 3.8.0 or later.
>
> * gnu/packages/tls.scm (gnutls-3.8.1): New variable.
> (gnutls)[replacement]: Use it.

Surprisingly, ‘guix lint -c cve gnutls’ doesn’t report anything with
3.7.7 as currently packaged.

> +(define-public gnutls-3.8.1

Maybe add a comment here with the SA and CVE references.

Then, assuming the ABIs are compatible (which can be checked with
libabigail’s abidiff), LGTM.

Thanks,
Ludo’.
Christopher Baines wrote 1 year ago
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 66195-done@debbugs.gnu.org)
87h6ml4iub.fsf@cbaines.net
Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Christopher Baines <mail@cbaines.net> skribis:
>
>> The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
>> upgrade to 3.8.0 or later.
>>
>> * gnu/packages/tls.scm (gnutls-3.8.1): New variable.
>> (gnutls)[replacement]: Use it.
>
> Surprisingly, ‘guix lint -c cve gnutls’ doesn’t report anything with
> 3.7.7 as currently packaged.
>
>> +(define-public gnutls-3.8.1
>
> Maybe add a comment here with the SA and CVE references.

Done, and pushed to master as 501549137853455ca39afaf79d8a623ea4494c88.

> Then, assuming the ABIs are compatible (which can be checked with
> libabigail’s abidiff), LGTM.

→ abidiff /gnu/store/yr4lbvdyc4dgs76yij1dw2w2z8s84af8-gnutls-3.7.7/lib/libgnutls.so /gnu/store/92h0r4f0h2hz3vz9k31nfj62mv7sy1zc-gnutls-3.8.1/lib/libgnutls.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 8 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

8 Added function symbols not referenced by debug info:

[A] _gnutls_pathbuf_append@@GNUTLS_PRIVATE_3_4
[A] _gnutls_pathbuf_deinit@@GNUTLS_PRIVATE_3_4
[A] _gnutls_pathbuf_init@@GNUTLS_PRIVATE_3_4
[A] _gnutls_pathbuf_truncate@@GNUTLS_PRIVATE_3_4
[A] _gnutls_session_ticket_disable_server@@GNUTLS_PRIVATE_3_4
[A] gnutls_psk_format_imported_identity@@GNUTLS_3_8_1
[A] gnutls_psk_set_client_credentials_function3@@GNUTLS_3_8_1
[A] gnutls_psk_set_server_credentials_function3@@GNUTLS_3_8_1


Thanks for taking a look,

Chris

Closed
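
The ABI check discussed in the thread above can be turned into a pass/fail gate for a graft. This is an added example, not part of the thread or of Guix: `abi_summary` and `graft_verdict` are hypothetical helper names, the first sample is the summary from the abidiff run quoted above, and the second is constructed.

```shell
#!/bin/sh
# Decide from an abidiff report whether a replacement is a drop-in for grafting:
# anything Removed or Changed breaks existing dependents, additions do not.

# Summary lines from the abidiff run quoted in this thread (3.7.7 vs 3.8.1).
SAMPLE_REPORT='Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 8 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info'

# Constructed counter-example: one exported function removed.
BROKEN_REPORT='Functions changes summary: 1 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable'

# abi_summary REPORT -> "<removed+changed> <added> <summary lines seen>"
abi_summary() {
    printf '%s\n' "$1" | awk '
        /changes summary:/ {
            seen++
            for (i = 2; i <= NF; i++) {
                word = $i
                sub(/,$/, "", word)            # "Removed," -> "Removed"
                if (word == "Removed" || word == "Changed") bad += $(i - 1)
                if (word == "Added") added += $(i - 1)
            }
        }
        END { printf "%d %d %d\n", bad, added, seen }'
}

# graft_verdict REPORT -> compatible | incompatible | unknown
graft_verdict() {
    set -- $(abi_summary "$1")
    if [ "$3" -eq 0 ]; then
        echo unknown            # no summary lines parsed: never assume safe
    elif [ "$1" -gt 0 ]; then
        echo incompatible       # something dependents may link against is gone or altered
    else
        echo compatible         # only additions, existing dependents keep working
    fi
}

graft_verdict "$SAMPLE_REPORT"
```
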