guix-patches

[bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305]


From: Leo Famulari
Subject: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
Date: Tue, 25 May 2021 11:49:54 -0400

On Tue, May 25, 2021 at 12:36:04PM +0200, Solene Rapenne via Guix-patches wrote:
> I removed the 2 patches for previous CVEs that are now merged within
> gnutls sources.

Thanks for this patch!

> I deliberately committed it to master branch despite
> guix refresh --list-dependent gnutls returns 5287 packages and that
> https://guix.gnu.org/manual/en/guix.html#Submitting-Patches says such
> packages with more than 3000 impacted packages should be committed
> on core-updates. I did this because it's a minor update to fix a CVE
> so this would be weird to wait 6 months for this update.

Whether or not the update is minor, we still have to use a "graft" [0]
to change packages with this many dependents on the master branch.

Due to the "functional packaging model" of Guix, every dependent of
GnuTLS must be recompiled when the GnuTLS package is changed. We would
constantly be rebuilding nearly every single package if we did not use
grafts for security updates, and that would be infeasible and
inefficient.

Grafts effectively rewrite binary references in compiled software, so
it's kind of a kludge. The binary interface of the new grafted
replacement must be compatible with the original package, and if it's
not, the problems can be hidden and subtle.

For that reason, it's important to make the smallest change possible
when grafting, to reduce the chance of breakage.

So, the question is, does 3.6.16 include only the fix for
CVE-2021-20305? Or does it also include other changes? If the former, we
should cherry-pick the CVE bug fix instead of updating.

Can you look into that and let us know?

> --- a/gnu/packages/patches/gnutls-CVE-2021-20231.patch
> +++ /dev/null

If we do decide to update to 3.6.16, it's also necessary to deregister
the removed patch files in 'gnu/local.mk'. Check this commit for an
example:

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=7c4c781aa40c42d4cd10b8d9482199f3db345e1b

Finally, here is an example of setting up a graft that includes a single
new patch file:

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=7c4c781aa40c42d4cd10b8d9482199f3db345e1b

And here is an example of a graft that "updates" a package:

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=250a216cdc2d5425ee0053f3e614d54e0fb6aa90
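The following sketch, added here as an illustration and not taken from the thread or from Guix's own gnu/packages/tls.scm, shows the shape of the "update via graft" that Leo describes: the public gnutls stays at the version every dependent was built against, and a private replacement carries the fixed release. Module name, the abbreviated package fields, and the two hash strings are placeholders; the patch file name is the one that appears in the quoted diff.

```scheme
;; Added example, not code from the thread or from Guix's gnu/packages/tls.scm.
;; Placeholders: the (example tls) module name, the all-zero sha256 values,
;; and the trimmed synopsis/description.
(define-module (example tls)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)            ; version-major+minor
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages))         ; search-patches

(define-public gnutls
  (package
    (name "gnutls")
    (version "3.6.15")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/gnutls/v"
                                  (version-major+minor version)
                                  "/gnutls-" version ".tar.xz"))
              ;; The CVE patch named in the quoted diff.  A graft does NOT
              ;; remove it: dependents are still built against this origin,
              ;; so the .patch file and its gnu/local.mk entry must stay in
              ;; the tree until a real update lands on core-updates.
              (patches (search-patches "gnutls-CVE-2021-20231.patch"))
              (sha256
               ;; placeholder, not the real hash
               (base32
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    ;; The graft.  'replacement' is a thunked field, so referring to a
    ;; variable defined further down is fine.  Dependents keep their
    ;; derivations; only store references in their outputs are rewritten.
    ;; Store file names are rewritten in place, so keep the name and the
    ;; length of the version string identical (3.6.15 -> 3.6.16 is fine).
    (replacement gnutls/fixed)
    (synopsis "Transport layer security library")
    (description "Placeholder description for the example.")
    (home-page "https://www.gnu.org/software/gnutls/")
    (license license:lgpl2.1+)))

;; Plain 'define', not define-public: the replacement is only ever reached
;; through the graft, never referenced directly by users or other packages.
(define gnutls/fixed
  (package
    (inherit gnutls)
    (version "3.6.16")
    (source (origin
              (inherit (package-source gnutls))
              (uri (string-append "mirror://gnupg/gnutls/v"
                                  (version-major+minor version)
                                  "/gnutls-" version ".tar.xz"))
              ;; Dropped because, per the submitter, upstream 3.6.16 already
              ;; contains these fixes; a patch that no longer applies would
              ;; make the replacement fail to build.
              (patches '())
              (sha256
               ;; placeholder, not the real hash
               (base32
                "0000000000000000000000000000000000000000000000000000"))))))
```

To check the ABI concern Leo raises before pushing, build both sides and compare what dependents will actually see: `guix build --no-grafts gnutls` yields the original 3.6.15 output, `guix build gnutls` (grafts are on by default) yields the grafted one; the soname of libgnutls.so under lib/ should be the same in both, and the replacement should differ only in the patch-level fix. Because the graft leaves every dependent's derivation unchanged, the 5287 packages from `guix refresh --list-dependent gnutls` are not rebuilt.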
