user/gnutls: [CVE] bump to 3.6.14 (#254)

1 files changed, 33 insertions, 0 deletions

diff --git a/user/gnutls/disable-certtool-test.patch b/user/gnutls/disable-certtool-test.patch
new file mode 100644
index 000000000..2ae16a38e
--- /dev/null
+++ b/user/gnutls/disable-certtool-test.patch
@@ -0,0 +1,33 @@
+If GNUTLS_PIN is not available in the environment, the test will fail
+because it cannot ask for the password:
+
+Generating a self signed certificate...
+No PIN given.
+note: when operating in batch mode, set the GNUTLS_PIN or GNUTLS_SO_PIN environment variables
+cert generation failed
+FAIL certtool (exit status: 1)
+
+The comment above this line says "some CI runners need GNUTLS_PIN
+(GNUTLS_PIN=${PASS})" (i.e. GNUTLS_PIN=1234). When this is passed
+instead, the test fails again because "No password was asked" (it greps
+for "Enter password" in the output, but this won't happen because
+GNUTLS_PIN is set).
+
+The folks at Nix believe this is an incompatibility due to musl's
+getpass not falling back to stdin/stderr if it cannot connect to a tty,
+as glibc does.
+
+https://gitlab.com/gnutls/gnutls/-/issues/945
+
+--- gnutls-3.6.13/tests/cert-tests/certtool	2020-01-01 14:10:19.000000000 -0600
++++ gnutls-3.6.13/tests/cert-tests/certtool	2020-06-02 20:36:20.380039844 -0500
+@@ -20,6 +20,9 @@
+ 
+ #set -e
+ 
++echo 'this test is not compatible with musl'
++exit 77
++
+ srcdir="${srcdir:-.}"
+ CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+ DIFF="${DIFF:-diff -b -B}"