GNU bug report logs - #64982
[PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)


Package: guix-patches;

Reported by: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>

Date: Mon, 31 Jul 2023 23:34:02 UTC

Severity: normal

Tags: patch

Done: Andreas Enge <andreas <at> enge.fr>



Report forwarded to guix-patches <at> gnu.org:
bug#64982; Package guix-patches. (Mon, 31 Jul 2023 23:34:02 GMT)

Acknowledgement sent to Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 31 Jul 2023 23:34:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: guix-patches <at> gnu.org
Cc: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH v1 0/1] Fix LibreSSL CVE-2023-35784 (Score: 9.8 critical)
Date: Tue,  1 Aug 2023 01:33:17 +0200
Hi,

The patch that will follow updates LibreSSL to the latest version to fix
CVE-2023-35784[1]. That CVE consists of a double free and a use after free and
is considered critical according to the NIST.

[1]https://nvd.nist.gov/vuln/detail/CVE-2023-35784

While LibreSSL builds fine and all its tests pass on x86_64, it also has a
significant number of reverse dependencies (a bit more than 30) that need to
be rebuilt, so I would need help with testing:
* axel
* catgirl
* ceph
* clamav
* epic5
* gmid
* httrack
* litterbox
* openboard
* openntpd
* openscad
* opensmtpd-extras
* opensmtpd-filter-rspamd
* pam-u2f
* pounce
* python-astroalign
* python-duckdb
* python-feather-format
* python-ikarus
* python-jwst
* python-modin
* python-poliastro
* python-regions
* python-sunpy
* python-tslearn
* python-vaex-core
* r-chromunity
* r-cistopic
* r-cistopic-next
* seek
* telescope
* xarcan
* zbackup

Denis.

Denis 'GNUtoo' Carikli (1):
  gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].

 gnu/packages/tls.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


base-commit: 39fbc041f92489ec30075a85937c8a38723752dc
-- 
2.41.0
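The testing Denis asks for above is a rebuild of every reverse dependent. The following script is an added example, not part of the patch series: it turns the one-line summary printed by `guix refresh -l PKG` into a package list and builds each dependent separately so that a single failure (as opensmtpd turned out to be in this thread) does not hide the others. It assumes `guix` is on PATH (use `./pre-inst-env guix` from a checkout with the bump applied); the sample line in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the patch series): rebuild all reverse dependents
# of a package, here libressl, before merging a version bump, and report
# which ones fail. Assumes `guix` is on PATH.

# `guix refresh -l PKG` prints a summary line of the form
#   "Building the following N packages would ensure M dependent packages
#    are rebuilt: a@1.0 b@2.0 ..."
# Turn that line into one package spec per line.
dependents_from_refresh() {
  sed -n 's/^Building the following .* are rebuilt: //p' \
    | tr ' ' '\n' | sed '/^$/d'
}

# Build each spec on its own so one failure does not stop the rest.
# Prints "ok SPEC" or "FAIL SPEC" per package; returns 1 if any failed.
build_each() {
  rc=0
  while IFS= read -r spec; do
    [ -n "$spec" ] || continue
    log="${TMPDIR:-/tmp}/rebuild-$(printf '%s' "$spec" | tr '@/' '__').log"
    if guix build "$spec" >"$log" 2>&1; then
      echo "ok   $spec"
    else
      echo "FAIL $spec (see $log)"
      rc=1
    fi
  done
  return "$rc"
}

# Usage: ./rebuild-dependents.sh libressl
check_dependents() {
  guix refresh -l "$1" | dependents_from_refresh | build_each
}

# Only run automatically when guix is available and a package was given.
if command -v guix >/dev/null 2>&1 && [ "$#" -gt 0 ]; then
  check_dependents "$1"
fi
```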

Information forwarded to guix-patches <at> gnu.org:
bug#64982; Package guix-patches. (Tue, 01 Aug 2023 00:16:02 GMT)

Message #8 received at 64982 <at> debbugs.gnu.org (full text, mbox):

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: 64982 <at> debbugs.gnu.org
Cc: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Subject: [PATCH v1 1/1] gnu: libressl: Update to 3.8.0 [fixes CVE-2023-35784].
Date: Tue,  1 Aug 2023 02:15:05 +0200
* gnu/packages/tls.scm (libressl): Update to 3.8.0.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
---
 gnu/packages/tls.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f51c47db04..deec73b43f 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -659,14 +659,14 @@ (define-public bearssl
 (define-public libressl
   (package
     (name "libressl")
-    (version "3.6.1")
+    (version "3.8.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://openbsd/LibreSSL/"
                                   "libressl-" version ".tar.gz"))
               (sha256
                (base32
-                "0x37037rb0zx34zp0kbbqj2xwd57gh1m6bfn52f92fz92q9wdymc"))))
+                "1b5c45gkrfcvjpf5dx288r6x1zhc9dk9j61ixfmwdi88r0g1qlqj"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
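Review bot: the jump from `-    (version "3.6.1")` straight to `+    (version "3.8.0")` skips the 3.7.x line, and LibreSSL's own release notes (linked later in this thread) describe 3.8.0 as a development release, while 3.7.3 is a regular release that also fixes CVE-2023-35784; for a security update the smaller change is `(version "3.7.3")` with the sha256 updated to match. The cover letter lists more than 30 dependents that need rebuilding and the QA run in this thread shows opensmtpd failing against 3.8.0, so the dependents should be built and the results stated in the commit message before this is resubmitted.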
-- 
2.41.0

Reply sent to Andreas Enge <andreas <at> enge.fr>:
You have taken responsibility. (Thu, 07 Sep 2023 16:39:05 GMT)

Notification sent to Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>:
bug acknowledged by developer. (Thu, 07 Sep 2023 16:39:05 GMT)

Message #13 received at 64982-done <at> debbugs.gnu.org (full text, mbox):

From: Andreas Enge <andreas <at> enge.fr>
To: 64982-done <at> debbugs.gnu.org
Subject: Closing
Date: Thu, 7 Sep 2023 18:38:40 +0200
Hello Denis,

thanks for the patch! This was fixed in commit
commit 310b0f72d8749376832fa1f149837a83d8e74629
Author: Tobias Geerinckx-Rice <me <at> tobias.gr>
Date:   Sun Aug 13 02:00:00 2023 +0200
    gnu: libressl: Update to 3.7.3 [fixes CVE-2023-35784].
    Thanks to Dennis 'GNUtoo' Carikli for <https://issues.guix.gnu.org/64982>,
    but upgrading to 3.8.0 breaks (at least) OpenSMTPd.
    * gnu/packages/tls.scm (libressl): Update to 3.7.3.

Indeed QA shows that opensmtpd fails:
   https://qa.guix.gnu.org/issue/64982
   https://bordeaux.guix.gnu.org/build/16cbfca4-a0a3-4374-9ae4-6c1dad67494b/log

I am closing this bug, as updating libressl to the most recent version
is a different topic. Actually the 3.8.0 and 3.8.1 releases are called
"development releases" in the release notes:
   https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.0-relnotes.txt
   https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.1-relnotes.txt
while 3.7.3 does not have the "development" term:
   https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.3-relnotes.txt
so we may be better off sticking with 3.7.x for the moment.

Andreas

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 06 Oct 2023 11:24:17 GMT)
