[PATCH] gnu: gnutls: Replace with 3.8.1.

  • Done
  • quality assurance status badge
Details
2 participants
  • Ludovic Courtès
  • Christopher Baines
Owner
unassigned
Submitted by
Christopher Baines
Severity
normal
C
C
Christopher Baines wrote on 25 Sep 2023 21:06
(address . guix-patches@gnu.org)
4f21f3a5aba2851c7b943c283f5f6a21b93444eb.1695668811.git.mail@cbaines.net
The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
upgrade to 3.8.0 or later.

* gnu/packages/tls.scm (gnutls-3.8.1): New variable.
(gnutls)[replacement]: Use it.
---
gnu/packages/tls.scm | 15 +++++++++++++++
1 file changed, 15 insertions(+)

Toggle diff (37 lines)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index b669ac2e8d..99252464e6 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -200,6 +200,7 @@ (define-public gnutls
(package
(name "gnutls")
(version "3.7.7")
+ (replacement gnutls-3.8.1)
(source (origin
(method url-fetch)
;; Note: Releases are no longer on ftp.gnu.org since the
@@ -303,6 +304,20 @@ (define-public gnutls
(define-deprecated/public-alias gnutls-latest gnutls)
+(define-public gnutls-3.8.1
+ (package
+ (inherit gnutls)
+ (version "3.8.1")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://gnupg/gnutls/v"
+ (version-major+minor version)
+ "/gnutls-" version ".tar.xz"))
+ (patches (search-patches "gnutls-skip-trust-store-test.patch"))
+ (sha256
+ (base32
+ "1742jiigwsfhx7nj5rz7dwqr8d46npsph6b68j7siar0mqarx2xs"))))))
+
(define-public gnutls/dane
;; GnuTLS with build libgnutls-dane, implementing DNS-based
;; Authentication of Named Entities. This is required for GNS functionality

base-commit: fafd3caef0d51811a5da81d6061789e2908b0dac
--
2.41.0
L
L
Ludovic Courtès wrote on 19 Oct 2023 22:17
(name . Christopher Baines)(address . mail@cbaines.net)(address . 66195@debbugs.gnu.org)
87zg0ext7e.fsf@gnu.org
Hi,

Christopher Baines <mail@cbaines.net> skribis:

Toggle quote (6 lines)
> The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
> upgrade to 3.8.0 or later.
>
> * gnu/packages/tls.scm (gnutls-3.8.1): New variable.
> (gnutls)[replacement]: Use it.

Surprisingly, ‘guix lint -c cve gnutls’ doesn’t report anything with
3.7.7 as currently packaged.

Toggle quote (2 lines)
> +(define-public gnutls-3.8.1

Maybe add a comment here with the SA and CVE references.

Then, assuming the ABIs are compatible (which can be checked with
libabigail’s abidiff), LGTM.

Thanks,
Ludo’.
C
C
Christopher Baines wrote on 20 Oct 2023 13:42
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 66195-done@debbugs.gnu.org)
87h6ml4iub.fsf@cbaines.net
Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (17 lines)
> Hi,
>
> Christopher Baines <mail@cbaines.net> skribis:
>
>> The recommended way to address GNUTLS-SA-2020-07-14 / CVE-2023-0361 is to
>> upgrade to 3.8.0 or later.
>>
>> * gnu/packages/tls.scm (gnutls-3.8.1): New variable.
>> (gnutls)[replacement]: Use it.
>
> Surprisingly, ‘guix lint -c cve gnutls’ doesn’t report anything with
> 3.7.7 as currently packaged.
>
>> +(define-public gnutls-3.8.1
>
> Maybe add a comment here with the SA and CVE references.

Done, and pushed to master as 501549137853455ca39afaf79d8a623ea4494c88.

Toggle quote (3 lines)
> Then, assuming the ABIs are compatible (which can be checked with
> libabigail’s abidiff), LGTM.

→ abidiff /gnu/store/yr4lbvdyc4dgs76yij1dw2w2z8s84af8-gnutls-3.7.7/lib/libgnutls.so /gnu/store/92h0r4f0h2hz3vz9k31nfj62mv7sy1zc-gnutls-3.8.1/lib/libgnutls.so
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 8 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

8 Added function symbols not referenced by debug info:

[A] _gnutls_pathbuf_append@@GNUTLS_PRIVATE_3_4
[A] _gnutls_pathbuf_deinit@@GNUTLS_PRIVATE_3_4
[A] _gnutls_pathbuf_init@@GNUTLS_PRIVATE_3_4
[A] _gnutls_pathbuf_truncate@@GNUTLS_PRIVATE_3_4
[A] _gnutls_session_ticket_disable_server@@GNUTLS_PRIVATE_3_4
[A] gnutls_psk_format_imported_identity@@GNUTLS_3_8_1
[A] gnutls_psk_set_client_credentials_function3@@GNUTLS_3_8_1
[A] gnutls_psk_set_server_credentials_function3@@GNUTLS_3_8_1


Thanks for taking a look,

Chris
-----BEGIN PGP SIGNATURE-----

iQKlBAEBCgCPFiEEPonu50WOcg2XVOCyXiijOwuE9XcFAmUyaJxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF
ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcRHG1haWxAY2Jh
aW5lcy5uZXQACgkQXiijOwuE9XdLKBAArl9BvUgGVceOLsb3bKtUtmO/065qUbOE
NWUcKTnW19xCp0LLzrLgVy7+nRYFiwqv5UWGsnc0AQeC1Qaz8DXpopOrQ+1F8RZG
TL1gg9K/k1TS25cNFbZXTX1JvOev5iKXSHMQ3HoIk2jYWMaxUh/y6zVfL486D0j+
tTi5Z648MQRvhXHTROzkHfza4w0WputRkthih+yH3nu1pRqPMapgrs+ZkCtssYFq
Q7MLqUZTberanNi/2pS5r1UXJB6l0kOkD4ssOJ88oWyUM4O0VcODu5zkGNl/Bv3I
/LJ2KS+EDZur2TTLZ3hdkkHXsOXuRX5+LfwStWdP7wpr1A+hY6Weo6eiANr7eyzj
zNwuzxuZgAs4hhcDWwCeNoLR/TqBghk4AMAykO0fvOMd1Ni6bg/hKny4EGGqnDII
5pDi4GAdoDi5oCJ0MJLFEIAoSKeuOVFtkj32lp1YYUfwDkEd39YfVk9z4V/6/dRW
OqB9f9uCbNl5VgwONb32OGk8YvWHUkzg9ncvcgkEhhY92b8oMKhixq4IfjuGYqYt
StcTBE1cvqFmbzx1UP9sDPrn0Egtvefk78ZP083x1luojCxC9tqGVylWtsGJj+8R
2kij7OHHKCGsDCPVILCx7JsEbu4cjJeh6y5MDjo6j3kDrUN8RJkO4kYCS2b3Kppc
Kut2csaHTAc=
=jrB3
-----END PGP SIGNATURE-----

Closed
?