authorMax Rees <maxcrees@me.com>2020-06-02 19:54:29 -0500
committerMax Rees <maxcrees@me.com>2020-06-10 17:10:38 -0500
commit954dcc16c6c5c1c7513b180bcf1e7704b7e3f707 (patch)
tree2d498026f2163330fe0ae18f8c24ecef6b33b7dd /user/gnutls
parenta0b6c0252dfbb51e66b98e35a9bdd4e8c12bee05 (diff)
user/gnutls: [CVE] bump to 3.6.14 (#254)
Diffstat (limited to 'user/gnutls')
-rw-r--r--user/gnutls/APKBUILD17
-rw-r--r--user/gnutls/disable-certtool-test.patch33
2 files changed, 44 insertions, 6 deletions
diff --git a/user/gnutls/APKBUILD b/user/gnutls/APKBUILD
index 616793f57..e75b1d552 100644
--- a/user/gnutls/APKBUILD
+++ b/user/gnutls/APKBUILD
@@ -2,12 +2,11 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer:
pkgname=gnutls
-pkgver=3.6.11.1
+pkgver=3.6.14
pkgrel=0
pkgdesc="A TLS protocol implementation"
-url="http://www.gnutls.org/"
+url="https://www.gnutls.org/"
arch="all"
-options="!check" # https://gitlab.com/gnutls/gnutls/issues/560
license="LGPL-2.1+"
makedepends="libtasn1-dev libunistring-dev nettle-dev p11-kit-dev texinfo
unbound-dev cmd:which zlib-dev"
@@ -23,11 +22,16 @@ case $pkgver in
;;
esac
source="https://www.gnupg.org/ftp/gcrypt/gnutls/v${_v}/$pkgname-$pkgver.tar.xz
- gnulib-tests-dont-require-gpg-passphrase.patch"
+ gnulib-tests-dont-require-gpg-passphrase.patch
+ disable-certtool-test.patch
+ "
# secfixes:
# 3.5.13-r0:
# - CVE-2017-7507
+# 3.6.14-r0:
+# - CVE-2020-11501
+# - CVE-2020-13777
build() {
LIBS="-lgmp" ./configure \
@@ -79,5 +83,6 @@ xx() {
mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/
}
-sha512sums="55fbbf0ebc824fbc91ccd08d1708452c5b1c12af75e332f29414540eb2f81337fa605a693ce9f34319a927e9d71177e6e7ffea5c6747792d341fb740f68c9489 gnutls-3.6.11.1.tar.xz
-abc24ee59cc67805fe953535b0bae33080fc8b0bf788304377f6d10ec8c162c4cf203a69c98a4ba3483b4c60ed7a204433cc7db9b8190eddb0d68f6fb6dad52d gnulib-tests-dont-require-gpg-passphrase.patch"
+sha512sums="b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 gnutls-3.6.14.tar.xz
+abc24ee59cc67805fe953535b0bae33080fc8b0bf788304377f6d10ec8c162c4cf203a69c98a4ba3483b4c60ed7a204433cc7db9b8190eddb0d68f6fb6dad52d gnulib-tests-dont-require-gpg-passphrase.patch
+25400be364c1f27b88451002a471cbf841b9738dd93c42dcbeaf7644c3deea6afc85300b40d5ae32d29dc4d441237e8b311f3e07f0af2fb4788701ee4e240c0f disable-certtool-test.patch"
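Review bot: The new sha512 for gnutls-3.6.14.tar.xz is only as trustworthy as the download it was computed from, and nothing visible in this commit records how that tarball was authenticated. Upstream publishes detached signatures alongside its release tarballs, so it would help to state in the commit message that the archive was checked against one before hashing, e.g. `tarball verified against upstream .sig before updating sha512sums`. This matters more than usual here because the bump is a security update that downstream users will be urged to install quickly.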
diff --git a/user/gnutls/disable-certtool-test.patch b/user/gnutls/disable-certtool-test.patch
new file mode 100644
index 000000000..2ae16a38e
--- /dev/null
+++ b/user/gnutls/disable-certtool-test.patch
@@ -0,0 +1,33 @@
+If GNUTLS_PIN is not available in the environment, the test will fail
+because it cannot ask for the password:
+
+Generating a self signed certificate...
+No PIN given.
+note: when operating in batch mode, set the GNUTLS_PIN or GNUTLS_SO_PIN environment variables
+cert generation failed
+FAIL certtool (exit status: 1)
+
+The comment above this line says "some CI runners need GNUTLS_PIN
+(GNUTLS_PIN=${PASS})" (i.e. GNUTLS_PIN=1234). When this is passed
+instead, the test fails again because "No password was asked" (it greps
+for "Enter password" in the output, but this won't happen because
+GNUTLS_PIN is set).
+
+The folks at Nix believe this is an incompatibility due to musl's
+getpass not falling back to stdin/stderr if it cannot connect to a tty,
+as glibc does.
+
+https://gitlab.com/gnutls/gnutls/-/issues/945
+
+--- gnutls-3.6.13/tests/cert-tests/certtool 2020-01-01 14:10:19.000000000 -0600
++++ gnutls-3.6.13/tests/cert-tests/certtool 2020-06-02 20:36:20.380039844 -0500
+@@ -20,6 +20,9 @@
+
+ #set -e
+
++echo 'this test is not compatible with musl'
++exit 77
++
+ srcdir="${srcdir:-.}"
+ CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+ DIFF="${DIFF:-diff -b -B}"
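Review bot: The added `exit 77` sits at the very top of tests/cert-tests/certtool, so the whole script is reported as skipped, not just the password-prompt check that the description attributes to musl's getpass. The rest of that script is not visible here, but any certificate-generation checks in it that do not need a tty lose coverage in the same commit that turns the test suite back on for a CVE-fix release. Consider placing the skip immediately before the prompt check instead, or at least naming the reason in the message, e.g. `echo 'SKIP: password prompt needs a tty under musl, see gnutls issue 945' >&2`. The embedded header also still says gnutls-3.6.13 while pkgver is 3.6.14, so it is worth regenerating the patch against the shipped tree to confirm it applies without fuzz.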