GNU bug report logs - #70569
[PATCH 0/3] Graft nss 3.88.1 with 3.98, for security patches.


Package: guix-patches;

Reported by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Date: Thu, 25 Apr 2024 15:34:05 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

To reply to this bug, email your comments to 70569 AT debbugs.gnu.org.
There is no need to reopen the bug first.




Report forwarded to guix-patches <at> gnu.org:
bug#70569; Package guix-patches. (Thu, 25 Apr 2024 15:34:06 GMT)

Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 25 Apr 2024 15:34:06 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: guix-patches <at> gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH 0/3] Graft nss 3.88.1 with 3.98, for security patches.
Date: Thu, 25 Apr 2024 11:33:13 -0400
This series fixes recent security vulnerabilities affecting NSS and thus our
Icecat package, among others.  It also handles the presence of multiple
nss-certs packages in an operating system's packages field declaration.


Maxim Cournoyer (3):
  gnu: nss-3.98: Streamline source origin via inheritance.
  gnu: nss: Graft with version 3.98 [security fixes].
  system: Warn when multiple nss-certs packages are used.

 gnu/packages/librewolf.scm |  2 +-
 gnu/packages/nss.scm       | 83 +++++++++++++++++---------------------
 gnu/system.scm             | 28 ++++++++++++-
 3 files changed, 65 insertions(+), 48 deletions(-)


base-commit: e5c130c0f90a7dacc8d223eee494a1b1105dd94a
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#70569; Package guix-patches. (Thu, 25 Apr 2024 15:57:11 GMT)

Message #8 received at 70569 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 70569 <at> debbugs.gnu.org
Cc: john.kehayias <at> protonmail.com, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH 0/3] Graft nss 3.88.1 with 3.98, for security patches.
Date: Thu, 25 Apr 2024 11:54:27 -0400
This series fixes recent security vulnerabilities affecting NSS and thus our
Icecat package, among others.  It also handles the presence of multiple
nss-certs packages in an operating system's packages field declaration.


Maxim Cournoyer (3):
  gnu: nss-3.98: Streamline source origin via inheritance.
  gnu: nss: Graft with version 3.98 [security fixes].
  system: Warn when multiple nss-certs packages are used.

 gnu/packages/librewolf.scm |  2 +-
 gnu/packages/nss.scm       | 83 +++++++++++++++++---------------------
 gnu/system.scm             | 28 ++++++++++++-
 3 files changed, 65 insertions(+), 48 deletions(-)


base-commit: e5c130c0f90a7dacc8d223eee494a1b1105dd94a
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#70569; Package guix-patches. (Thu, 25 Apr 2024 15:58:23 GMT)

Message #11 received at 70569 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 70569 <at> debbugs.gnu.org
Cc: john.kehayias <at> protonmail.com, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ian Eure <ian <at> retrospec.tv>
Subject: [PATCH 3/3] system: Warn when multiple nss-certs packages are used.
Date: Thu, 25 Apr 2024 11:54:30 -0400
This can happen due to users providing 'nss-certs' and adding it to the
%base-packages, which now include 'nss-certs'.

* gnu/system.scm (operating-system-packages): Warn when multiple nss-certs
packages are detected; keep only the latest one.

Change-Id: I6104f134ea1cc155ae9e8e0ae70bb5a38fc05800
Reported-by: Ian Eure <ian <at> retrospec.tv>
---

 gnu/system.scm | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/gnu/system.scm b/gnu/system.scm
index c7f8003ad2..025834328c 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -43,7 +43,8 @@ (define-module (gnu system)
   #:use-module (guix deprecation)
   #:use-module (guix derivations)
   #:use-module (guix profiles)
-  #:use-module ((guix utils) #:select (substitute-keyword-arguments))
+  #:use-module ((guix utils) #:select (substitute-keyword-arguments
+                                       version>?))
   #:use-module (guix i18n)
   #:use-module (guix diagnostics)
   #:use-module (guix ui)
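Review bot: this import hunk only adds version>? from (guix utils), but the new operating-system-packages wrapper further down also calls fold, delete and drop (SRFI-1) and package-name and package-version from (guix packages); none of those appear in the context shown here, so confirm they are already imported in this module rather than relying on them having leaked in through another module's re-exports.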
@@ -275,7 +276,7 @@ (define-record-type* <operating-system> operating-system
   (issue operating-system-issue                   ; string
          (default %default-issue))
 
-  (packages operating-system-packages             ; list of (PACKAGE OUTPUT...)
+  (packages %operating-system-packages            ; list of (PACKAGE OUTPUT...)
             (default %base-packages))             ; or just PACKAGE
 
   (timezone operating-system-timezone
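Review bot: the field comment kept on this line still documents that entries may be "(PACKAGE OUTPUT...)" lists, not only package objects; with the generated accessor renamed to %operating-system-packages, every caller that used operating-system-packages now goes through the wrapper defined below, so that wrapper has to cope with the list form too. Also double-check the module's export list (not in this diff): the wrapper must remain exported under the old name and %operating-system-packages should stay private, otherwise callers in other modules silently bypass the de-duplication.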
@@ -316,6 +317,29 @@ (define-deprecated (operating-system-hosts-file os)
   hosts-service-type
   (%operating-system-hosts-file os))
 
+;;; XXX: Remove after a new release of Guix no longer suggests to install
+;;; nss-certs.
+(define (operating-system-packages os)
+  "Return the packages of the OS <operating-system> record object."
+  ;; This wrapper is used to warn users that their operating system packages
+  ;; field contains a duplicated nss-certs packages.
+  (let* ((packages (%operating-system-packages os))
+         (nss-certs-packages (sort (filter (lambda (p)
+                                             (string=? "nss-certs" (package-name p)))
+                                           packages)
+                                   (lambda (x y)
+                                     ;; Sort from newer to older versions.
+                                     (version>? (package-version x)
+                                                (package-version y))))))
+    (if (> (length nss-certs-packages) 1)
+        (begin
+          (warning #f
+                   (G_ "multiple 'nss-certs' packages found; 'nss-certs' \
+is now included by default in '%base-packages'; ensure it is not explicitly \
+listed in the operating system 'packages' field~%"))
+          (fold delete packages (drop nss-certs-packages 1)))
+        packages)))
+
 (define* (operating-system-kernel-arguments
           os root-device #:key (version %boot-parameters-version))
   "Return all the kernel arguments, including the ones not specified directly
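Review bot: the fallback branch "(fold delete packages (drop nss-certs-packages 1))" removes nss-certs entirely in exactly the scenario the commit message describes. SRFI-1 delete drops every element equal? to its argument, and when a user writes (cons nss-certs %base-packages) both entries are the same object, so deleting the "older" duplicate also deletes the one meant to be kept, and the resulting system ships no CA bundle after a warning that says it is included by default. Remove all nss-certs entries and re-add only the newest instead, e.g. "(cons (car nss-certs-packages) (remove nss-certs? packages))". Separately, the filter applies package-name to each entry unguarded, but the packages field (see the comment on the record field) may hold "(PACKAGE OUTPUT...)" lists, so guard with "(and (package? p) (string=? "nss-certs" (package-name p)))" or a wrong-type error will surface for users who list an output explicitly.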
-- 
2.41.0
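As an added, stand-alone Guile example (not part of this patch or of Guix), the script below models the de-duplication in patch 3/3 with a toy <pkg> record standing in for Guix's <package>, and a small dotted-version comparator standing in for version>? from (guix utils). It contrasts the "(fold delete ...)" approach with one that removes every nss-certs entry and re-adds exactly one. The package names, versions and the %base-packages list are constructed for the example.

```scheme
;; Added example: toy model of the nss-certs de-duplication, not Guix code.
(use-modules (srfi srfi-1)
             (srfi srfi-9))

;; Stand-in for Guix package records (assumption: only name/version matter).
(define-record-type <pkg>
  (make-pkg name version)
  pkg?
  (name pkg-name)
  (version pkg-version))

;; Stand-in for (guix utils) version>?: numeric, component-wise comparison.
(define (version>? a b)
  (let loop ((xs (map string->number (string-split a #\.)))
             (ys (map string->number (string-split b #\.))))
    (cond ((null? xs) #f)                      ; a exhausted: not greater
          ((null? ys) #t)                      ; b exhausted: a is longer
          ((> (car xs) (car ys)) #t)
          ((< (car xs) (car ys)) #f)
          (else (loop (cdr xs) (cdr ys))))))

;; Only package objects have a name; entries of the form (PACKAGE "out")
;; are left alone instead of raising a wrong-type error.
(define (nss-certs? p)
  (and (pkg? p) (string=? "nss-certs" (pkg-name p))))

(define (newest-first certs)
  (sort certs (lambda (x y)
                (version>? (pkg-version x) (pkg-version y)))))

;; Approach taken by the patch: delete all-but-the-newest duplicates.
;; SRFI-1 delete removes EVERY element equal? to its argument, so when
;; the duplicate is the same object as the one to keep, both disappear.
(define (dedupe/fold-delete packages)
  (let ((certs (newest-first (filter nss-certs? packages))))
    (if (> (length certs) 1)
        (fold delete packages (drop certs 1))
        packages)))

;; Alternative: strip every nss-certs entry, then put back exactly one.
(define (dedupe/keep-newest packages)
  (let ((certs (newest-first (filter nss-certs? packages))))
    (if (> (length certs) 1)
        (cons (car certs) (remove nss-certs? packages))
        packages)))

;; Constructed sample data.
(define nss-certs (make-pkg "nss-certs" "3.98"))
(define coreutils (make-pkg "coreutils" "9.1"))
(define %base-packages (list coreutils nss-certs))

;; The scenario from the commit message: the user's nss-certs is the very
;; same object as the one already present in %base-packages.
(define os-packages (cons nss-certs %base-packages))

(define (names packages)
  (map (lambda (p) (if (pkg? p) (pkg-name p) p)) packages))

(display (names (dedupe/fold-delete os-packages))) (newline)
(display (names (dedupe/keep-newest os-packages))) (newline)
```

Run it with "guile example.scm". The first line printed shows that the fold/delete variant leaves only coreutils, since delete removed both references to the one nss-certs object; the second keeps a single nss-certs alongside coreutils. The same semantics apply to the real (guix packages) records, so the distinction matters for the patch and not only for the toy record.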





Information forwarded to guix-patches <at> gnu.org:
bug#70569; Package guix-patches. (Thu, 25 Apr 2024 15:58:29 GMT)

Message #14 received at 70569 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 70569 <at> debbugs.gnu.org
Cc: john.kehayias <at> protonmail.com, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH 1/3] gnu: nss-3.98: Streamline source origin via inheritance.
Date: Thu, 25 Apr 2024 11:54:28 -0400
* gnu/packages/nss.scm (nss-3.98): Simplify source via inheritance.

Change-Id: I6c1df497a7ff538162afa128eca676997d76e28f
---

 gnu/packages/nss.scm | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 00770f11a9..a2843be17a 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me <at> tobias.gr>
 ;;; Copyright © 2020, 2021 Marius Bakke <marius <at> gnu.org>
 ;;; Copyright © 2020 Jonathan Brielmaier <jonathan.brielmaier <at> web.de>
-;;; Copyright © 2021, 2022, 2023 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
+;;; Copyright © 2021, 2022, 2023, 2024 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
 ;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -253,7 +253,7 @@ (define-public nss-3.98
     (inherit nss)
     (version "3.98")
     (source (origin
-              (method url-fetch)
+              (inherit (package-source nss))
               (uri (let ((version-with-underscores
                           (string-join (string-split version #\.) "_")))
                      (string-append
@@ -262,17 +262,7 @@ (define-public nss-3.98
                       "nss-" version ".tar.gz")))
               (sha256
                (base32
-                "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))
-              ;; Create nss.pc and nss-config.
-              (patches (search-patches "nss-3.56-pkgconfig.patch"
-                                       "nss-getcwd-nonnull.patch"
-                                       "nss-increase-test-timeout.patch"))
-              (modules '((guix build utils)))
-              (snippet
-               '(begin
-                  ;; Delete the bundled copy of these libraries.
-                  (delete-file-recursively "nss/lib/zlib")
-                  (delete-file-recursively "nss/lib/sqlite")))))
+                "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
     (arguments
      (substitute-keyword-arguments (package-arguments nss)
        ((#:phases phases)
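Review bot: the removed patches, modules and snippet (nss-3.56-pkgconfig.patch, nss-getcwd-nonnull.patch, nss-increase-test-timeout.patch, plus the deletion of nss/lib/zlib and nss/lib/sqlite) are now expected to arrive through "(inherit (package-source nss))", but nss's own origin is not in this diff; confirm it carries exactly this patch list and snippet, otherwise the 3.98 build silently changes. The flip side is worth a comment in the package: from now on any edit to nss's patches or snippet also flows into nss-3.98, with only uri and sha256 overridden here.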
-- 
2.41.0





Information forwarded to guix-patches <at> gnu.org:
bug#70569; Package guix-patches. (Thu, 25 Apr 2024 15:58:32 GMT)

Message #17 received at 70569 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 70569 <at> debbugs.gnu.org
Cc: john.kehayias <at> protonmail.com, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH 2/3] gnu: nss: Graft with version 3.98 [security fixes].
Date: Thu, 25 Apr 2024 11:54:29 -0400
This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.

* gnu/packages/nss.scm (nss) [replacement]: New field.
(nss-3.98): Rename variable to...
(nss/fixed): ... this.  Make it a hidden package.
* gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with
nss/fixed.

Change-Id: I8cc667c53a270dfe00738bf731923f1342036624
---

 gnu/packages/librewolf.scm |  2 +-
 gnu/packages/nss.scm       | 71 ++++++++++++++++++++------------------
 2 files changed, 38 insertions(+), 35 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 87b76c661f..1717bad0b5 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -581,7 +581,7 @@ (define-public librewolf
                   mesa
                   mit-krb5
                   nspr
-                  nss-3.98
+                  nss/fixed
                   pango
                   pciutils
                   pipewire
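Review bot: librewolf keeps an explicit build-time dependency on the 3.98 package (now the hidden nss/fixed), while the cover letter says Icecat and others are covered by the graft alone; a graft only swaps the run-time store reference and does not change what a package was compiled and linked against, so verify that nothing else in the tree needs a real 3.98 input like librewolf does, and that referencing a hidden package directly from inputs is acceptable to the maintainers of this file.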
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index a2843be17a..8f6ed06e63 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -110,6 +110,7 @@ (define-public nss
     ;; version and source to avoid a top-level variable reference & module
     ;; cycle.
     (version "3.88.1")
+    (replacement nss/fixed)
     (source (origin
               (method url-fetch)
               (uri (let ((version-with-underscores
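Review bot: "(replacement nss/fixed)" refers to a variable that is only defined further down in the same file. That is fine because the replacement field is thunked, but the comment retained just above this hunk explains that version and source were inlined precisely "to avoid a top-level variable reference & module cycle", so a short comment on this line saying why the forward reference is safe would save the next reader from "fixing" it.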
@@ -248,38 +249,40 @@ (define-public nss
 security standards.")
     (license license:mpl2.0)))
 
-(define-public nss-3.98
-  (package
-    (inherit nss)
-    (version "3.98")
-    (source (origin
-              (inherit (package-source nss))
-              (uri (let ((version-with-underscores
-                          (string-join (string-split version #\.) "_")))
-                     (string-append
-                      "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
-                      "releases/NSS_" version-with-underscores "_RTM/src/"
-                      "nss-" version ".tar.gz")))
-              (sha256
-               (base32
-                "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
-    (arguments
-     (substitute-keyword-arguments (package-arguments nss)
-       ((#:phases phases)
-        #~(modify-phases #$phases
-            (replace 'check
-              (lambda* (#:key tests? #:allow-other-keys)
-                (if tests?
-                    (begin
-                      ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
-                      ;; testing.  The latter requires a working DNS or /etc/hosts.
-                      (setenv "DOMSUF" "localdomain")
-                      (setenv "USE_IP" "TRUE")
-                      (setenv "IP_ADDRESS" "127.0.0.1")
+(define-public nss/fixed
+  (let ((actual-version "3.98"))
+    (hidden-package
+     (package
+       (inherit nss)
+       (version (string-append actual-version ".0")) ;for grafts requirements
+       (source (origin
+                 (inherit (package-source nss))
+                 (uri (let ((version-with-underscores
+                             (string-join (string-split actual-version #\.) "_")))
+                        (string-append
+                         "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+                         "releases/NSS_" version-with-underscores "_RTM/src/"
+                         "nss-" actual-version ".tar.gz")))
+                 (sha256
+                  (base32
+                   "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
+       (arguments
+        (substitute-keyword-arguments (package-arguments nss)
+          ((#:phases phases)
+           #~(modify-phases #$phases
+               (replace 'check
+                 (lambda* (#:key tests? #:allow-other-keys)
+                   (if tests?
+                       (begin
+                         ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
+                         ;; testing.  The latter requires a working DNS or /etc/hosts.
+                         (setenv "DOMSUF" "localdomain")
+                         (setenv "USE_IP" "TRUE")
+                         (setenv "IP_ADDRESS" "127.0.0.1")
 
-                      ;; The "PayPalEE.cert" certificate expires every six months,
-                      ;; leading to test failures:
-                      ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
-                      ;; work around that, set the time to roughly the release date.
-                      (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
-                    (format #t "test suite not run~%"))))))))))
+                         ;; The "PayPalEE.cert" certificate expires every six months,
+                         ;; leading to test failures:
+                         ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
+                         ;; work around that, set the time to roughly the release date.
+                         (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
+                       (format #t "test suite not run~%"))))))))))))
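Review bot: the public variable nss-3.98 is deleted outright and its replacement nss/fixed is hidden, so any channel, manifest or "guix build nss@3.98" that referenced it breaks with no deprecation warning; keep an alias with define-deprecated from (guix deprecation) (already used by this series in gnu/system.scm) until the next release. On "(version (string-append actual-version ".0")) ;for grafts requirements": the constraint is that grafting rewrites store file names in place, so "nss-3.98.0" must be exactly as long as "nss-3.88.1"; spelling that out in the comment makes the padding obviously intentional. Note also that the hidden package therefore reports a version that is not an upstream release.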
-- 
2.41.0





Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility. (Fri, 26 Apr 2024 11:13:03 GMT)

Notification sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
bug acknowledged by developer. (Fri, 26 Apr 2024 11:13:04 GMT)

Message #22 received at 70569-done <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 70569-done <at> debbugs.gnu.org
Cc: John Kehayias <john.kehayias <at> protonmail.com>, Ian Eure <ian <at> retrospec.tv>
Subject: Re: [bug#70569] [PATCH 0/3] Graft nss 3.88.1 with 3.98, for security patches.
Date: Fri, 26 Apr 2024 07:12:11 -0400
Hello,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> This series fixes recent security vulnerabilities affecting NSS and thus our
> Icecat package, among others.  It also handles the presence of multiple
> nss-certs packages in an operating system's packages field declaration.
>
>
> Maxim Cournoyer (3):
>   gnu: nss-3.98: Streamline source origin via inheritance.
>   gnu: nss: Graft with version 3.98 [security fixes].
>   system: Warn when multiple nss-certs packages are used.

Pushed to master.  Closing!

-- 
Thanks,
Maxim







GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.