From 954dcc16c6c5c1c7513b180bcf1e7704b7e3f707 Mon Sep 17 00:00:00 2001
From: Max Rees
Date: Tue, 2 Jun 2020 19:54:29 -0500
Subject: user/gnutls: [CVE] bump to 3.6.14 (#254)

---
 user/gnutls/APKBUILD | 17 +++++++++++------
 user/gnutls/disable-certtool-test.patch | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 6 deletions(-)
 create mode 100644 user/gnutls/disable-certtool-test.patch

diff --git a/user/gnutls/APKBUILD b/user/gnutls/APKBUILD
index 616793f57..e75b1d552 100644
--- a/user/gnutls/APKBUILD
+++ b/user/gnutls/APKBUILD
@@ -2,12 +2,11 @@
 # Contributor: Michael Mason
 # Maintainer:
 pkgname=gnutls
-pkgver=3.6.11.1
+pkgver=3.6.14
 pkgrel=0
 pkgdesc="A TLS protocol implementation"
-url="http://www.gnutls.org/"
+url="https://www.gnutls.org/"
 arch="all"
-options="!check" # https://gitlab.com/gnutls/gnutls/issues/560
 license="LGPL-2.1+"
 makedepends="libtasn1-dev libunistring-dev nettle-dev p11-kit-dev texinfo unbound-dev cmd:which zlib-dev"
@@ -23,11 +22,16 @@ case $pkgver in
 ;;
 esac
 source="https://www.gnupg.org/ftp/gcrypt/gnutls/v${_v}/$pkgname-$pkgver.tar.xz
- gnulib-tests-dont-require-gpg-passphrase.patch"
+ gnulib-tests-dont-require-gpg-passphrase.patch
+ disable-certtool-test.patch
+ "
 
 # secfixes:
 # 3.5.13-r0:
 # - CVE-2017-7507
+# 3.6.14-r0:
+# - CVE-2020-11501
+# - CVE-2020-13777
 
 build() {
 LIBS="-lgmp" ./configure \
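Review bot: The new `disable-certtool-test.patch` entry in `source=` carries no pointer to why the test is being skipped, whereas the `options="!check"` line removed in the previous hunk linked its upstream issue; once this lands, the only explanation lives inside the patch header and the next bump has no cue in the APKBUILD itself for whether the skip is still needed. Add a comment above `source=` such as `# disable-certtool-test.patch: certtool test cannot prompt for a PIN under musl, see https://gitlab.com/gnutls/gnutls/-/issues/945 -- drop when fixed upstream`. The `secfixes` entries placing CVE-2020-11501 and CVE-2020-13777 under 3.6.14-r0 are consistent with this package jumping straight from 3.6.11.1, so nothing to change there. The `case $pkgver in` block the hunk sits in starts outside the hunk.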
@@ -79,5 +83,6 @@ xx() {
 mv "$pkgdir"/usr/lib/lib*xx.so.* "$subpkgdir"/usr/lib/
 }
 
-sha512sums="55fbbf0ebc824fbc91ccd08d1708452c5b1c12af75e332f29414540eb2f81337fa605a693ce9f34319a927e9d71177e6e7ffea5c6747792d341fb740f68c9489 gnutls-3.6.11.1.tar.xz
-abc24ee59cc67805fe953535b0bae33080fc8b0bf788304377f6d10ec8c162c4cf203a69c98a4ba3483b4c60ed7a204433cc7db9b8190eddb0d68f6fb6dad52d gnulib-tests-dont-require-gpg-passphrase.patch"
+sha512sums="b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 gnutls-3.6.14.tar.xz
+abc24ee59cc67805fe953535b0bae33080fc8b0bf788304377f6d10ec8c162c4cf203a69c98a4ba3483b4c60ed7a204433cc7db9b8190eddb0d68f6fb6dad52d gnulib-tests-dont-require-gpg-passphrase.patch
+25400be364c1f27b88451002a471cbf841b9738dd93c42dcbeaf7644c3deea6afc85300b40d5ae32d29dc4d441237e8b311f3e07f0af2fb4788701ee4e240c0f disable-certtool-test.patch"
diff --git a/user/gnutls/disable-certtool-test.patch b/user/gnutls/disable-certtool-test.patch
new file mode 100644
index 000000000..2ae16a38e
--- /dev/null
+++ b/user/gnutls/disable-certtool-test.patch
@@ -0,0 +1,33 @@
+If GNUTLS_PIN is not available in the environment, the test will fail
+because it cannot ask for the password:
+
+Generating a self signed certificate...
+No PIN given.
+note: when operating in batch mode, set the GNUTLS_PIN or GNUTLS_SO_PIN environment variables
+cert generation failed
+FAIL certtool (exit status: 1)
+
+The comment above this line says "some CI runners need GNUTLS_PIN
+(GNUTLS_PIN=${PASS})" (i.e. GNUTLS_PIN=1234). When this is passed
+instead, the test fails again because "No password was asked" (it greps
+for "Enter password" in the output, but this won't happen because
+GNUTLS_PIN is set).
+
+The folks at Nix believe this is an incompatibility due to musl's
+getpass not falling back to stdin/stderr if it cannot connect to a tty,
+as glibc does.
+
+https://gitlab.com/gnutls/gnutls/-/issues/945
+
+--- gnutls-3.6.13/tests/cert-tests/certtool 2020-01-01 14:10:19.000000000 -0600
++++ gnutls-3.6.13/tests/cert-tests/certtool 2020-06-02 20:36:20.380039844 -0500
+@@ -20,6 +20,9 @@
+ 
+ #set -e
+ 
++echo 'this test is not compatible with musl'
++exit 77
++
+ srcdir="${srcdir:-.}"
+ CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
+ DIFF="${DIFF:-diff -b -B}"
--
cgit v1.2.3-60-g2f50
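Review bot: The added `exit 77` is unconditional, so the whole `tests/cert-tests/certtool` script is reported as skipped on every build, not only the PIN-prompt cases the header describes as broken under musl's getpass; any regression in the remaining certtool cases that script presumably covers would go unnoticed now that `options="!check"` has been dropped. If those cases cannot be made to pass, a skip limited to the password-prompting steps would keep the rest of the coverage; at minimum the header should state that this is a blanket skip and name the removal condition, e.g. `Drop this patch once gnutls issue 945 is resolved upstream.` The paths in the nested `---`/`+++` lines still say gnutls-3.6.13 although the package now builds 3.6.14; it applies with path stripping, but regenerating the patch against 3.6.14 avoids a misleading header. The certtool script continues past the nested hunk.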