guix-devel

Re: GnuTLS security update


From: Leo Famulari
Subject: Re: GnuTLS security update
Date: Sun, 11 Sep 2016 21:53:22 -0400
User-agent: Mutt/1.7.0 (2016-08-17)

On Sun, Sep 11, 2016 at 10:54:09PM +0200, Ludovic Courtès wrote:
> These 3 GnuTLS commits appear to be related to this issue:

[...]

> If applying these patches on top of our current GnuTLS version (and then
> using it as a graft) works, we could do that.

Unfortunately the test fails in the same way, even with all 3 commits.

> If not, using the later 3.5.x release should be OK (API- and
> ABI-compatible).

The release notes for 3.5.3 and 3.5.4 [0] only mention the addition of
new macros and functions, but no removals or modifications of existing
interfaces.

I've attached a patch that uses a graft to replace address@hidden with
gnutls-3.5.4, which is the latest release.

However, while testing the patch, I noticed something surprising:

$ git show
commit 2f6a667cfe87d13a878e7ca97e3f760771f22ce1
Author: Leo Famulari <address@hidden>
Date:   Sat Sep 10 18:09:20 2016 -0400

    gnu: gnutls: Replace with 3.5.4 [fixes GNUTLS-SA-2016-3].
[...]

$ ./pre-inst-env guix build gnutls            
/gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
/gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
/gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2

$ guix build gnutls # This Guix is from `guix pull`, not my Git repo.
/gnu/store/7dy8xca0y8vz94af242cqnq9ddk2nwxn-gnutls-3.5.2-debug
/gnu/store/q27cnlfkf8kc6gjl0cdw5nvq45lfllvx-gnutls-3.5.2-doc
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2

$ guix gc --references $(./pre-inst-env guix build msmtp) 
/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib
/gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0
/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23
/gnu/store/nwzi32dmlrvqkfy5fplrh9ndnivxv851-libsecret-0.18.5
/gnu/store/ppd0q1mwl6rz51y5bmmwz3x89hc561cw-msmtp-1.6.5
/gnu/store/r60cjgawd6dqz3gfdmw4ihkvbcp27f3a-gsasl-1.8.0
/gnu/store/ykzwykkvr2c80rw4l1qh3mvfdkl7jibi-bash-4.3.42
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2

The problem is that the msmtp package I have built using this patch does
not refer to the grafted gnutls. I got the same result after building a
fresh Git clone of Guix.

[0]
https://lists.gnupg.org/pipermail/gnutls-devel/2016-August/008126.html
https://lists.gnupg.org/pipermail/gnutls-devel/2016-September/008152.html

Attachment: 0001-gnu-gnutls-Replace-with-3.5.4-fixes-GNUTLS-SA-2016-3.patch
Description: Text document

Attachment: signature.asc
Description: PGP signature

