From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 06 13:49:08 2020 Received: (at submit) by debbugs.gnu.org; 6 Apr 2020 17:49:08 +0000 Received: from localhost ([127.0.0.1]:49178 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jLVrt-0003RJ-R6 for submit@debbugs.gnu.org; Mon, 06 Apr 2020 13:49:08 -0400 Received: from lists.gnu.org ([209.51.188.17]:40520) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jLVrm-0003Qc-M5 for submit@debbugs.gnu.org; Mon, 06 Apr 2020 13:49:02 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:36865) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jLVrj-00032O-Ji for guix-patches@gnu.org; Mon, 06 Apr 2020 13:48:58 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_20,RCVD_IN_DNSWL_LOW, URIBL_BLOCKED autolearn=disabled version=3.3.2 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1jLVrg-0003Yi-6g for guix-patches@gnu.org; Mon, 06 Apr 2020 13:48:55 -0400 Received: from out5-smtp.messagingengine.com ([66.111.4.29]:59061) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1jLVrf-0003YI-UN for guix-patches@gnu.org; Mon, 06 Apr 2020 13:48:52 -0400 Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 627585C0165; Mon, 6 Apr 2020 13:48:51 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Mon, 06 Apr 2020 13:48:51 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=from:to:subject:date:message-id:mime-version:content-type :content-transfer-encoding; s=mesmtp; bh=70lm0BNHd0bn53dMEqV0cDV gBvJsIRLShn5ikIhcriQ=; b=Kg/4+6wKhT7cd3I1j+yjmjnebbQApqCC/truCHq 7b+nfAYbGgm7SifKZcwPb3qgcPixKaSqiKppyAxSu4p1wZTplRtR0YHz8APWRclU nPM3MN+VLQpRsVWlLMmqMm689EW9fWkixN5fxYovXwI1nzPmn4nHIRyI3PDrbd/Q fzqU= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=70lm0B NHd0bn53dMEqV0cDVgBvJsIRLShn5ikIhcriQ=; b=ks062x1FddBvKX/krpy7SC /T/9jlbg1R11AywualvczMokmcCN8fnhf5SedmzyE32Y/YXdSIcpOg1lIYDqsV9L leuCjKZCBHAJ9LRkYWV26h3ff3EXIfbcSdTfYaN7YpUwg7pzg7Me/VcsRSXUDANt xJPplgJ0abdF//cOWvON1rQ9Sd1MEWrlsYdtYcOt4B7PpBWFzS6g0un/gsqspNLZ 8A/Ks8BXf4pLnh4dXjHaUOgyUfSvRNkgS8WKbd8hLokKESVGZkpNWPRfSmVH5FhB qrPrkY+19aZu0oFyPfIU4X9LkMd9zoMfBTEWwnSDMel7D54OKt7+PMKjUbr5Frnw == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrudefgdduuddtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefhvffufffkofggtgfgsehtkeertd ertdejnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhlrghr ihdrnhgrmhgvqeenucffohhmrghinhepmhhithhrvgdrohhrghdpghhithhlrggsrdgtoh hmpdhgnhhuthhlshdrohhrghenucfkphepjeeirdduvdegrddufeekrdeifeenucevlhhu shhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvghosehfrghmuh hlrghrihdrnhgrmhgv X-ME-Proxy: Received: from jasmine.lan (c-76-124-138-63.hsd1.pa.comcast.net [76.124.138.63]) by mail.messagingengine.com (Postfix) with ESMTPA id E88173280059 for ; Mon, 6 Apr 2020 13:48:50 -0400 (EDT) From: Leo Famulari To: guix-patches@gnu.org Subject: [PATCH] gnu: GnuTLS: Fix CVE-2020-11501. Date: Mon, 6 Apr 2020 13:48:39 -0400 Message-Id: <9c5dae480715a72446322913678ba1e6b717d73b.1586195316.git.leo@famulari.name> X-Mailer: git-send-email 2.26.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 66.111.4.29 X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) * gnu/packages/patches/gnutls-CVE-2020-11501.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/tls.scm (gnutls)[replacement]: New field. (gnutls/fixed): New variable. (gnutls/guile-2.0, gnutls/dane, gnutls-3.6.10, gnutls3.0-gnutls): Use PACKAGE/INHERIT. --- gnu/local.mk | 1 + .../patches/gnutls-CVE-2020-11501.patch | 41 +++++++++++++++++++ gnu/packages/tls.scm | 21 ++++++---- 3 files changed, 55 insertions(+), 8 deletions(-) create mode 100644 gnu/packages/patches/gnutls-CVE-2020-11501.patch diff --git a/gnu/local.mk b/gnu/local.mk index 77f9de2440..9953754398 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -983,6 +983,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-tweaks-search-paths.patch \ %D%/packages/patches/gnupg-default-pinentry.patch \ %D%/packages/patches/gnutls-skip-trust-store-test.patch \ + %D%/packages/patches/gnutls-CVE-2020-11501.patch \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ %D%/packages/patches/gobject-introspection-cc.patch \ %D%/packages/patches/gobject-introspection-girepository.patch \ diff --git a/gnu/packages/patches/gnutls-CVE-2020-11501.patch b/gnu/packages/patches/gnutls-CVE-2020-11501.patch new file mode 100644 index 0000000000..0d84b7d082 --- /dev/null +++ b/gnu/packages/patches/gnutls-CVE-2020-11501.patch @@ -0,0 +1,41 @@ +Fix CVE-2020-11501: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11501 +https://gitlab.com/gnutls/gnutls/issues/960 + +Patch copied from upstream source repository: + +https://gitlab.com/gnutls/gnutls/commit/c01011c2d8533dbbbe754e49e256c109cb848d0d + +From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stefan=20B=C3=BChler?= +Date: Fri, 27 Mar 2020 17:17:57 +0100 +Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This broke with bcf4de03 "handshake: treat reply to HRR as a reply to +hello verify request", which failed to "De Morgan" properly. + +Signed-off-by: Stefan Bühler +--- + lib/handshake.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/handshake.c b/lib/handshake.c +index 5739df213..84a0e5210 100644 +--- a/lib/handshake.c ++++ b/lib/handshake.c +@@ -2167,7 +2167,7 @@ static int send_client_hello(gnutls_session_t session, int again) + /* Generate random data + */ + if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) && +- !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) { ++ !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) { + ret = _gnutls_gen_client_random(session); + if (ret < 0) { + gnutls_assert(); +-- +2.26.0 + diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index bb80d86ba4..743d80a80f 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -162,6 +162,7 @@ living in the same process.") (define-public gnutls (package (name "gnutls") + (replacement gnutls/fixed) (version "3.6.9") (source (origin (method url-fetch) @@ -244,10 +245,17 @@ required structures.") (properties '((ftp-server . "ftp.gnutls.org") (ftp-directory . "/gcrypt/gnutls"))))) -(define-public gnutls/guile-2.0 - ;; GnuTLS for Guile 2.0. +(define gnutls/fixed (package (inherit gnutls) + (source (origin + (inherit (package-source gnutls)) + (patches (append (origin-patches (package-source gnutls)) + (search-patches "gnutls-CVE-2020-11501.patch"))))))) + +(define-public gnutls/guile-2.0 + ;; GnuTLS for Guile 2.0. + (package/inherit gnutls (name "guile2.0-gnutls") (inputs `(("guile" ,guile-2.0) ,@(alist-delete "guile" (package-inputs gnutls)))))) @@ -257,8 +265,7 @@ required structures.") ;; Authentication of Named Entities. This is required for GNS functionality ;; by GNUnet and gnURL. This is done in an extra package definition ;; to have the choice between GnuTLS with Dane and without Dane. - (package - (inherit gnutls) + (package/inherit gnutls (name "gnutls-dane") (inputs `(("unbound" ,unbound) ,@(package-inputs gnutls))))) @@ -266,8 +273,7 @@ required structures.") (define gnutls-3.6.10 ;; This is for 'guile3.0-gnutls', below. Version 3.6.10 is the first to ;; introduce Guile 2.9/3.0 support. - (package - (inherit gnutls) + (package/inherit gnutls (version "3.6.10") (source (origin (inherit (package-source gnutls)) @@ -286,8 +292,7 @@ required structures.") ("util-linux" ,util-linux))))) (define-public guile3.0-gnutls - (package - (inherit gnutls-3.6.10) + (package/inherit gnutls-3.6.10 (name "guile3.0-gnutls") (arguments (substitute-keyword-arguments (package-arguments gnutls-3.6.10) -- 2.26.0