guix-patches

[bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305]


From: Marius Bakke
Subject: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
Date: Tue, 25 May 2021 21:46:10 +0200

Leo Famulari <leo@famulari.name> writes:

> Grafts effectively rewrite binary references in compiled software, so
> it's kind of a kludge. The binary interface of the new grafted
> replacement must be compatible with the original package, and if it's
> not, the problems can be hidden and subtle.
>
> For that reason, it's important to make the smallest change possible
> when grafting, to reduce the chance of breakage.
>
> So, the question is, does 3.6.16 include only the fix for
> CVE-2021-20305? Or does it also include other changes? If the former, we
> should instead cherry-pick the CVE bug fix instead of updating.

GnuTLS usually mentions whether or not an update is ABI-compatible:

  https://lists.gnupg.org/pipermail/gnutls-help/2021-May/004707.html

However, it's good practice to verify that with something like 'abidiff'
(from the 'libabigail' package).  I.e.:

  abidiff $(guix build gnutls)/lib/libgnutls.so \
          $(./pre-inst-env guix build gnutls)/lib/libgnutls.so

(this won't work because of multiple outputs, but you get the drill)

When there is no change, the graft _should_ be perfectly safe.  If there
are changes, it becomes a judgement call.  The 'abidiff' output is of
great assistance in that case.

Anyway, just some general notes on grafting.  Thanks a lot for looking
after security issues Solene.

Attachment: signature.asc
Description: PGP signature
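The abidiff check sketched in the mail above, written out as an added example (not part of Marius's message or of Guix itself) that handles the multiple-outputs problem he points out: `guix build gnutls` prints one store path per output, and the main "out" path is the one without an output suffix (the shortest line), so it is selected rather than assumed. The store paths in the sample are constructed placeholders, `abidiff` is assumed to be on PATH only when `compare_abi` is actually invoked, and the verdict mapping relies on libabigail's documented exit-status bits (1 error, 2 usage error, 4 ABI change, 8 incompatible ABI change).

```shell
#!/bin/sh
# Added example: verify that a grafted replacement library is ABI-compatible
# with the original by running abidiff over the two store outputs.
# The store paths below are constructed placeholders (not real hashes).

# Constructed sample of what `guix build gnutls` prints for a package with
# several outputs (out, debug, doc). Real output has real hashes.
SAMPLE_GUIX_BUILD_OUTPUT='/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-gnutls-3.6.16-debug
/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-gnutls-3.6.16
/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-gnutls-3.6.16-doc'

# Pick the "out" store path from `guix build` output. Every other output
# path is the out path plus a "-<output>" suffix, so the out path is the
# shortest line, whatever the outputs are called.
pick_out_path() {
  printf '%s\n' "$1" |
    awk 'NR == 1 || length($0) < length(s) { s = $0 } END { print s }'
}

# Translate an abidiff exit status into a verdict. abidiff returns a bit
# mask (libabigail): 1 = error, 2 = usage error, 4 = ABI change,
# 8 = incompatible ABI change (always set together with 4).
abidiff_verdict() {
  status=$1
  if [ $((status & 3)) -ne 0 ]; then
    echo "error"
  elif [ $((status & 8)) -ne 0 ]; then
    echo "incompatible"   # graft would be unsafe: symbols removed/changed
  elif [ $((status & 4)) -ne 0 ]; then
    echo "changed"        # compatible additions only: judgement call
  else
    echo "compatible"     # no ABI change: graft should be safe
  fi
}

# Compare the same library inside two store outputs and print a verdict.
# Arguments: old out path, new out path, library path relative to them
# (defaults to lib/libgnutls.so, the case discussed in the thread).
# Requires abidiff on PATH; the full report goes to stdout before the verdict.
compare_abi() {
  old=$1
  new=$2
  lib=${3:-lib/libgnutls.so}
  abidiff "$old/$lib" "$new/$lib" && status=0 || status=$?
  abidiff_verdict "$status"
}

# Usage sketch against a real checkout (requires guix and abidiff; not run here):
#   old=$(pick_out_path "$(guix build gnutls)")
#   new=$(pick_out_path "$(./pre-inst-env guix build gnutls)")
#   compare_abi "$old" "$new" lib/libgnutls.so
```

Only a "compatible" verdict means the graft is mechanically safe; "changed" means abidiff found additions that are backward compatible and the decision rests on the report, and "incompatible" means the replacement should not be grafted as-is.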

