Patchwork GnuTLS security update

Submitter Leo Famulari
Date Sept. 12, 2016, 1:53 a.m.
Message ID <20160912015322.GA3951@jasmine>
Permalink /patch/15532/
State New

Comments

Leo Famulari - Sept. 12, 2016, 1:53 a.m.
On Sun, Sep 11, 2016 at 10:54:09PM +0200, Ludovic Courtès wrote:
> These 3 GnuTLS commits appear to be related to this issue:

[...]

> If applying these patches on top of our current GnuTLS version (and then
> using it as a graft) works, we could do that.

Unfortunately the test fails in the same way, even with all 3 commits.

> If not, using the later 3.5.x release should be OK (API- and
> ABI-compatible).

The release notes for 3.5.3 and 3.5.4 [0] only mention the addition of
new macros and functions, but no removals or modifications of existing
interfaces.

I've attached a patch that uses a graft to replace gnutls@3.5.2 with
gnutls-3.5.4, which is the latest release.

However, while testing the patch, I noticed something surprising:

$ git show
commit 2f6a667cfe87d13a878e7ca97e3f760771f22ce1
Author: Leo Famulari <leo@famulari.name>
Date:   Sat Sep 10 18:09:20 2016 -0400

    gnu: gnutls: Replace with 3.5.4 [fixes GNUTLS-SA-2016-3].
[...]

$ ./pre-inst-env guix build gnutls            
/gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
/gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
/gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2

$ guix build gnutls # This Guix is from `guix pull`, not my Git repo.
/gnu/store/7dy8xca0y8vz94af242cqnq9ddk2nwxn-gnutls-3.5.2-debug
/gnu/store/q27cnlfkf8kc6gjl0cdw5nvq45lfllvx-gnutls-3.5.2-doc
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2

$ guix gc --references $(./pre-inst-env guix build msmtp) 
/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib
/gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0
/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23
/gnu/store/nwzi32dmlrvqkfy5fplrh9ndnivxv851-libsecret-0.18.5
/gnu/store/ppd0q1mwl6rz51y5bmmwz3x89hc561cw-msmtp-1.6.5
/gnu/store/r60cjgawd6dqz3gfdmw4ihkvbcp27f3a-gsasl-1.8.0
/gnu/store/ykzwykkvr2c80rw4l1qh3mvfdkl7jibi-bash-4.3.42
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2

The problem is that the msmtp package I have built using this patch does
not refer to the grafted gnutls. I got the same result after building a
fresh Git clone of Guix.

[0]
https://lists.gnupg.org/pipermail/gnutls-devel/2016-August/008126.html
https://lists.gnupg.org/pipermail/gnutls-devel/2016-September/008152.html
From 2f6a667cfe87d13a878e7ca97e3f760771f22ce1 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sat, 10 Sep 2016 18:09:20 -0400
Subject: [PATCH] gnu: gnutls: Replace with 3.5.4 [fixes GNUTLS-SA-2016-3].

* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls-3.5.4): New variable.
---
 gnu/packages/tls.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
Leo Famulari - Sept. 12, 2016, 3:28 a.m.
On Sun, Sep 11, 2016 at 09:53:22PM -0400, Leo Famulari wrote:
> The problem is that the msmtp package I have built using this patch does
> not refer to the grafted gnutls. I got the same result after building a
> fresh Git clone of Guix.

To clarify, I think that the msmtp package is using the wrong gnutls
because of the hash, not the version string.
Ludovic Courtès - Sept. 12, 2016, 12:56 p.m.
Leo Famulari <leo@famulari.name> skribis:

> $ ./pre-inst-env guix build gnutls            
> /gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
> /gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
> /gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2
>
> $ guix build gnutls # This Guix is from `guix pull`, not my Git repo.
> /gnu/store/7dy8xca0y8vz94af242cqnq9ddk2nwxn-gnutls-3.5.2-debug
> /gnu/store/q27cnlfkf8kc6gjl0cdw5nvq45lfllvx-gnutls-3.5.2-doc
> /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
>
> $ guix gc --references $(./pre-inst-env guix build msmtp) 
> /gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib
> /gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0
> /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23
> /gnu/store/nwzi32dmlrvqkfy5fplrh9ndnivxv851-libsecret-0.18.5
> /gnu/store/ppd0q1mwl6rz51y5bmmwz3x89hc561cw-msmtp-1.6.5
> /gnu/store/r60cjgawd6dqz3gfdmw4ihkvbcp27f3a-gsasl-1.8.0
> /gnu/store/ykzwykkvr2c80rw4l1qh3mvfdkl7jibi-bash-4.3.42
> /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
>
> The problem is that the msmtp package I have built using this patch does
> not refer to the grafted gnutls. I got the same result after building a
> fresh Git clone of Guix.

Indeed, there’s a bug.  :-/

With your patch, I get:

--8<---------------cut here---------------start------------->8---
$ git describe
v0.11.0-970-g8d4169a
$ guix gc --references $(./pre-inst-env guix build msmtp)|grep gnutls
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2
$ ./pre-inst-env guix build gnutls
/gnu/store/4x9r7rkinycxr7xda5a92knm8ikila6p-gnutls-3.5.2-debug
/gnu/store/n93gb4n301rz46k9cm0d12hb26gq5lg5-gnutls-3.5.2-doc
/gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2
$ ./pre-inst-env guix build gnutls --no-grafts
/gnu/store/23vx0mdw6q96pakyps2cjjvcjng1mxqx-gnutls-3.5.2-debug
/gnu/store/p0zrk9424l0aljzsqyqx5zgh86x9glmi-gnutls-3.5.2-doc
/gnu/store/1qv5i6rfxjc4d0rg7z6r9dapmf85kzmy-gnutls-3.5.2
$ /gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2/bin/gnutls-cli --version
gnutls-cli 3.5.2
Copyright (C) 2000-2016 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>


Please send bug reports to:  <bugs@gnutls.org>
$ /gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2/bin/gnutls-cli --version
gnutls-cli 3.5.4
Copyright (C) 2000-2016 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>


Please send bug reports to:  <bugs@gnutls.org>
--8<---------------cut here---------------end--------------->8---

msmtp uses a GnuTLS that is different from both other GnuTLS.

I think the bug has to do with the fact that GnuTLS has a replacement
and at the same time needs to be grafted (the libidn and libgcrypt
grafts apply to GnuTLS).

In the meantime, I suggest that you apply the patch anyway.

Ludo’.
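Both messages above reach the same conclusion by hand: they list the references of the msmtp output with `guix gc --references` and compare the gnutls store hash against the one `guix build gnutls` prints with and without `--no-grafts`. The script below is an added example, not code from the thread or from Guix, that automates that comparison. It assumes the `/gnu/store/<32-character hash>-name-version` layout of store paths; the reference list and the grafted gnutls path are the ones quoted in the thread, embedded here as a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix itself): check that every
# reference in a package's closure that names the patched library is the
# grafted store item, not a stale one. In real use, feed it the output of
#   guix gc --references $(guix build PKG)   (or --requisites for the full closure)
# and the grafted path printed by `guix build LIB`.

# Constructed sample: the reference list posted for msmtp, plus the grafted
# gnutls path from `./pre-inst-env guix build gnutls` (both quoted in the thread).
MSMTP_REFS='/gnu/store/9nifwk709wajpyfwa0jzaa3p6mf10vxs-gcc-4.9.3-lib
/gnu/store/l1s4cw9g58hmcpd2qgbckfl228143qzx-glib-2.48.0
/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23
/gnu/store/nwzi32dmlrvqkfy5fplrh9ndnivxv851-libsecret-0.18.5
/gnu/store/ppd0q1mwl6rz51y5bmmwz3x89hc561cw-msmtp-1.6.5
/gnu/store/r60cjgawd6dqz3gfdmw4ihkvbcp27f3a-gsasl-1.8.0
/gnu/store/ykzwykkvr2c80rw4l1qh3mvfdkl7jibi-bash-4.3.42
/gnu/store/yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2'
GRAFTED_GNUTLS='/gnu/store/di3yhn5hy4hzshpazkc6dkb4r67dbhks-gnutls-3.5.2'

# store_name PATH: strip the /gnu/store/<hash>- prefix, leaving "name-version".
# Assumes the 32-character base32 hash that Guix store paths carry.
store_name() {
  printf '%s\n' "$1" | sed 's|^/gnu/store/[0-9a-z]\{32\}-||'
}

# check_refs REFS GRAFTED: print every reference that has the grafted item's
# name-version but a different hash. Returns 1 if any such stale reference
# exists, 0 otherwise (also 0 when the closure does not reference the library).
check_refs() {
  want=$(store_name "$2")
  stale=0
  for ref in $1; do
    [ "$(store_name "$ref")" = "$want" ] || continue
    if [ "$ref" != "$2" ]; then
      printf 'STALE: %s (expected %s)\n' "$ref" "$2"
      stale=1
    fi
  done
  return $stale
}

# Example run: the closure posted in the thread still points at the ungrafted gnutls.
if check_refs "$MSMTP_REFS" "$GRAFTED_GNUTLS"; then
  echo "OK: every gnutls reference is the grafted one"
else
  echo "FAIL: stale gnutls reference found; the graft did not propagate"
fi
```

Because the graft keeps the store name (`gnutls-3.5.2`) and only changes the hash, comparing version strings would pass here and miss the problem; the check therefore compares full store paths, which is what Leo's second message points at when he says the hash, not the version string, is what matters.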
Leo Famulari - Sept. 12, 2016, 4:34 p.m.
On Mon, Sep 12, 2016 at 02:56:13PM +0200, Ludovic Courtès wrote:
> msmtp uses a GnuTLS that is different from both other GnuTLS.

The GnuTLS being used [0] corresponds to the GnuTLS on the master branch
from before I pushed this graft.

> I think the bug has to do with the fact that GnuTLS has a replacement
> and at the same time needs to be grafted (the libidn and libgcrypt
> grafts apply to GnuTLS).
> 
> In the meantime, I suggest that you apply the patch anyway.

Okay, done as 974e2b297104d2de01632df1a56069b383e645f4

[0]
yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2

Patch

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 4b04cac..ad9dee0 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -137,6 +137,7 @@  living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
+    (replacement gnutls-3.5.4)
     (version "3.5.2")
     (source (origin
              (method url-fetch)
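Review bot: `(replacement gnutls-3.5.4)` refers to a variable that is only defined further down in the same file; that is fine because the package record's `replacement` field is thunked, but a one-line comment next to the field stating that the replacement must stay API- and ABI-compatible (which the thread confirms from the 3.5.3 and 3.5.4 release notes) would make the intent visible to the next reader. The thread also shows that msmtp built on top of this change still references yrl3c1mxqwcpppyh0sjlwn3sj2w5qj54-gnutls-3.5.2, so the commit message should record that the graft is known not to propagate to dependents yet, rather than only "fixes GNUTLS-SA-2016-3".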
@@ -210,6 +211,20 @@  required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
+(define gnutls-3.5.4
+  (package
+    (inherit gnutls)
+    (source
+      (let ((version "3.5.4"))
+        (origin
+          (method url-fetch)
+          (uri (string-append "mirror://gnupg/gnutls/v"
+                              (version-major+minor version)
+                              "/gnutls-" version ".tar.xz"))
+          (sha256
+           (base32
+            "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f")))))))
+
 (define-public openssl
   (package
    (name "openssl")
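Review bot: the `let`-bound `version` in the new `gnutls-3.5.4` definition only affects the source URI; the inherited `version` field stays "3.5.2", so the output is still named gnutls-3.5.2 while `gnutls-cli --version` reports 3.5.4, exactly as Ludovic's session shows. That is required for grafting (the replacement's store name must match the original), but it is surprising enough to deserve a short comment above the definition, e.g. `;; Keep the 3.5.2 name so the graft can substitute this output in place.` Please also state in the commit message that the sha256 was checked against the 3.5.4 tarball announced in the release notes linked in the thread.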