[PATCH 0/3] Graft nss 3.88.1 with 3.98, for security patches.

Status: Done
Details
One participant
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Maxim Cournoyer
Severity
normal
Maxim Cournoyer wrote on 25 Apr 17:33 +0200
To: guix-patches@gnu.org, Maxim Cournoyer <maxim.cournoyer@gmail.com>
cover.1714059162.git.maxim.cournoyer@gmail.com
This series fixes recent security vulnerabilities affecting NSS and thus our
Icecat package, among others. It also handles the presence of multiple
nss-certs packages in an operating system's packages field declaration.


Maxim Cournoyer (3):
gnu: nss-3.98: Streamline source origin via inheritance.
gnu: nss: Graft with version 3.98 [security fixes].
system: Warn when multiple nss-certs packages are used.

gnu/packages/librewolf.scm | 2 +-
gnu/packages/nss.scm | 83 +++++++++++++++++---------------------
gnu/system.scm | 28 ++++++++++++-
3 files changed, 65 insertions(+), 48 deletions(-)


base-commit: e5c130c0f90a7dacc8d223eee494a1b1105dd94a
--
2.41.0
Maxim Cournoyer wrote on 25 Apr 17:54 +0200
To: 70569@debbugs.gnu.org
cover.1714060468.git.maxim.cournoyer@gmail.com
This series fixes recent security vulnerabilities affecting NSS and thus our
Icecat package, among others. It also handles the presence of multiple
nss-certs packages in an operating system's packages field declaration.


Maxim Cournoyer (3):
gnu: nss-3.98: Streamline source origin via inheritance.
gnu: nss: Graft with version 3.98 [security fixes].
system: Warn when multiple nss-certs packages are used.

gnu/packages/librewolf.scm | 2 +-
gnu/packages/nss.scm | 83 +++++++++++++++++---------------------
gnu/system.scm | 28 ++++++++++++-
3 files changed, 65 insertions(+), 48 deletions(-)


base-commit: e5c130c0f90a7dacc8d223eee494a1b1105dd94a
--
2.41.0
Maxim Cournoyer wrote on 25 Apr 17:54 +0200
[PATCH 3/3] system: Warn when multiple nss-certs packages are used.
To: 70569@debbugs.gnu.org
3c869bd9be359f4c524d26789b1260f266a6a949.1714060468.git.maxim.cournoyer@gmail.com
This can happen due to users providing 'nss-certs' and adding it to the
%base-packages, which now include 'nss-certs'.

* gnu/system.scm (operating-system-packages): Warn when multiple nss-certs
packages are detected; keep only the latest one.

Change-Id: I6104f134ea1cc155ae9e8e0ae70bb5a38fc05800
Reported-by: Ian Eure <ian@retrospec.tv>
---

gnu/system.scm | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/gnu/system.scm b/gnu/system.scm
index c7f8003ad2..025834328c 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -43,7 +43,8 @@ (define-module (gnu system)
#:use-module (guix deprecation)
#:use-module (guix derivations)
#:use-module (guix profiles)
- #:use-module ((guix utils) #:select (substitute-keyword-arguments))
+ #:use-module ((guix utils) #:select (substitute-keyword-arguments
+ version>?))
#:use-module (guix i18n)
#:use-module (guix diagnostics)
#:use-module (guix ui)
@@ -275,7 +276,7 @@ (define-record-type* <operating-system> operating-system
(issue operating-system-issue ; string
(default %default-issue))
- (packages operating-system-packages ; list of (PACKAGE OUTPUT...)
+ (packages %operating-system-packages ; list of (PACKAGE OUTPUT...)
(default %base-packages)) ; or just PACKAGE
(timezone operating-system-timezone
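Review bot: renaming the record accessor to `%operating-system-packages` only works as intended if the module's export list (not shown in this hunk) still exports `operating-system-packages`, which now resolves to the wrapper defined later in the file rather than to the raw accessor; please double-check the `#:export` list, since any other module calling `operating-system-packages` must get the wrapper or the warning never fires.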
@@ -316,6 +317,29 @@ (define-deprecated (operating-system-hosts-file os)
hosts-service-type
(%operating-system-hosts-file os))
+;;; XXX: Remove after a new release of Guix no longer suggests to install
+;;; nss-certs.
+(define (operating-system-packages os)
+ "Return the packages of the OS <operating-system> record object."
+ ;; This wrapper is used to warn users that their operating system packages
+ ;; field contains a duplicated nss-certs packages.
+ (let* ((packages (%operating-system-packages os))
+ (nss-certs-packages (sort (filter (lambda (p)
+ (string=? "nss-certs" (package-name p)))
+ packages)
+ (lambda (x y)
+ ;; Sort from newer to older versions.
+ (version>? (package-version x)
+ (package-version y))))))
+ (if (> (length nss-certs-packages) 1)
+ (begin
+ (warning #f
+ (G_ "multiple 'nss-certs' packages found; 'nss-certs' \
+is now included by default in '%base-packages'; ensure it is not explicitly \
+listed in the operating system 'packages' field~%"))
+ (fold delete packages (drop nss-certs-packages 1)))
+ packages)))
+
(define* (operating-system-kernel-arguments
os root-device #:key (version %boot-parameters-version))
"Return all the kernel arguments, including the ones not specified directly
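Review bot: the `filter` predicate calls `(package-name p)` on every element of the `packages` list, but the field comment a few lines up documents that entries may be `(PACKAGE OUTPUT...)` lists, not only bare packages; `package-name` on such a list would raise an error for any user who lists a package with an explicit output. Suggest normalising first, e.g. `(match p ((? package? p) p) (((? package? p) _ ...) p) (_ #f))`, and filtering on that. Minor: the docstring says "a duplicated nss-certs packages" (singular/plural mismatch).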
--
2.41.0
Maxim Cournoyer wrote on 25 Apr 17:54 +0200
[PATCH 1/3] gnu: nss-3.98: Streamline source origin via inheritance.
To: 70569@debbugs.gnu.org
3418fbe66a1573937f44c1902bba6e9950426886.1714060468.git.maxim.cournoyer@gmail.com
* gnu/packages/nss.scm (nss-3.98): Simplify source via inheritance.

Change-Id: I6c1df497a7ff538162afa128eca676997d76e28f
---

gnu/packages/nss.scm | 16 +++-------------
1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 00770f11a9..a2843be17a 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -5,7 +5,7 @@
;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2020, 2021 Marius Bakke <marius@gnu.org>
;;; Copyright © 2020 Jonathan Brielmaier <jonathan.brielmaier@web.de>
-;;; Copyright © 2021, 2022, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2022, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;;
;;; This file is part of GNU Guix.
@@ -253,7 +253,7 @@ (define-public nss-3.98
(inherit nss)
(version "3.98")
(source (origin
- (method url-fetch)
+ (inherit (package-source nss))
(uri (let ((version-with-underscores
(string-join (string-split version #\.) "_")))
(string-append
@@ -262,17 +262,7 @@ (define-public nss-3.98
"nss-" version ".tar.gz")))
(sha256
(base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))
- ;; Create nss.pc and nss-config.
- (patches (search-patches "nss-3.56-pkgconfig.patch"
- "nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
- (modules '((guix build utils)))
- (snippet
- '(begin
- ;; Delete the bundled copy of these libraries.
- (delete-file-recursively "nss/lib/zlib")
- (delete-file-recursively "nss/lib/sqlite")))))
+ "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
(arguments
(substitute-keyword-arguments (package-arguments nss)
((#:phases phases)
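Review bot: dropping the explicit `patches`, `modules` and `snippet` fields means `nss-3.98` now takes all of them from the origin of `nss` (3.88.1) via `inherit`; the removed lines are only equivalent if that parent origin carries exactly `nss-3.56-pkgconfig.patch`, `nss-getcwd-nonnull.patch` and `nss-increase-test-timeout.patch` and the same bundled-library deletion snippet. A one-line comment next to `(inherit (package-source nss))` stating that the patches and snippet are inherited would make that dependency visible to the next person bumping either package; the unchanged `sha256` confirms the tarball itself is the same.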
--
2.41.0
Maxim Cournoyer wrote on 25 Apr 17:54 +0200
[PATCH 2/3] gnu: nss: Graft with version 3.98 [security fixes].
To: 70569@debbugs.gnu.org
fa5ef3de25be667f249cd6e3addfbc8c0501fdc9.1714060468.git.maxim.cournoyer@gmail.com
This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.

* gnu/packages/nss.scm (nss) [replacement]: New field.
(nss-3.98): Rename variable to...
(nss/fixed): ... this. Make it a hidden package.
* gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with
nss/fixed.

Change-Id: I8cc667c53a270dfe00738bf731923f1342036624
---

gnu/packages/librewolf.scm | 2 +-
gnu/packages/nss.scm | 71 ++++++++++++++++++++------------------
2 files changed, 38 insertions(+), 35 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 87b76c661f..1717bad0b5 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -581,7 +581,7 @@ (define-public librewolf
mesa
mit-krb5
nspr
- nss-3.98
+ nss/fixed
pango
pciutils
pipewire
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index a2843be17a..8f6ed06e63 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -110,6 +110,7 @@ (define-public nss
;; version and source to avoid a top-level variable reference & module
;; cycle.
(version "3.88.1")
+ (replacement nss/fixed)
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
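Review bot: `(replacement nss/fixed)` refers to a variable that is only defined further down in the same file; this works because the `replacement` field of the package record is thunked, but a short comment saying so (mirroring the existing "avoid a top-level variable reference" comment just above) would save the next reader from wondering whether the forward reference is a bug.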
@@ -248,38 +249,40 @@ (define-public nss
security standards.")
(license license:mpl2.0)))
-(define-public nss-3.98
- (package
- (inherit nss)
- (version "3.98")
- (source (origin
- (inherit (package-source nss))
- (uri (let ((version-with-underscores
- (string-join (string-split version #\.) "_")))
- (string-append
- "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
- "releases/NSS_" version-with-underscores "_RTM/src/"
- "nss-" version ".tar.gz")))
- (sha256
- (base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
- (arguments
- (substitute-keyword-arguments (package-arguments nss)
- ((#:phases phases)
- #~(modify-phases #$phases
- (replace 'check
- (lambda* (#:key tests? #:allow-other-keys)
- (if tests?
- (begin
- ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
- ;; testing. The latter requires a working DNS or /etc/hosts.
- (setenv "DOMSUF" "localdomain")
- (setenv "USE_IP" "TRUE")
- (setenv "IP_ADDRESS" "127.0.0.1")
+(define-public nss/fixed
+ (let ((actual-version "3.98"))
+ (hidden-package
+ (package
+ (inherit nss)
+ (version (string-append actual-version ".0")) ;for grafts requirements
+ (source (origin
+ (inherit (package-source nss))
+ (uri (let ((version-with-underscores
+ (string-join (string-split actual-version #\.) "_")))
+ (string-append
+ "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+ "releases/NSS_" version-with-underscores "_RTM/src/"
+ "nss-" actual-version ".tar.gz")))
+ (sha256
+ (base32
+ "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments nss)
+ ((#:phases phases)
+ #~(modify-phases #$phases
+ (replace 'check
+ (lambda* (#:key tests? #:allow-other-keys)
+ (if tests?
+ (begin
+ ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
+ ;; testing. The latter requires a working DNS or /etc/hosts.
+ (setenv "DOMSUF" "localdomain")
+ (setenv "USE_IP" "TRUE")
+ (setenv "IP_ADDRESS" "127.0.0.1")
- ;; The "PayPalEE.cert" certificate expires every six months,
- ;; leading to test failures:
- ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
- ;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
- (format #t "test suite not run~%"))))))))))
+ ;; The "PayPalEE.cert" certificate expires every six months,
+ ;; leading to test failures:
+ ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
+ ;; work around that, set the time to roughly the release date.
+ (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
+ (format #t "test suite not run~%"))))))))))))
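Review bot: the comment `;for grafts requirements` on the `version` line is too terse to explain the odd `"3.98.0"` string; grafting rewrites store file names in place, so the replacement's name-version string must have the same length as the original's (`nss-3.98.0` vs `nss-3.88.1`). Spelling that out in the comment, and noting that `replacement` is an innate field (so the inherited `nss/fixed` does not itself get `nss/fixed` as a replacement), would make the construction self-documenting.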
--
2.41.0
Maxim Cournoyer wrote on 26 Apr 13:12 +0200
Re: [bug#70569] [PATCH 0/3] Graft nss 3.88.1 with 3.98, for security patches.
To: 70569-done@debbugs.gnu.org
871q6sfkdw.fsf@gmail.com
Hello,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> This series fixes recent security vulnerabilities affecting NSS and thus our
> Icecat package, among others. It also handles the presence of multiple
> nss-certs packages in an operating system's packages field declaration.
>
>
> Maxim Cournoyer (3):
> gnu: nss-3.98: Streamline source origin via inheritance.
> gnu: nss: Graft with version 3.98 [security fixes].
> system: Warn when multiple nss-certs packages are used.

Pushed to master. Closing!

--
Thanks,
Maxim
Closed