Gentoo Forums
GNUTLS Security Alert.
Forum Index: Networking & Security
CrankyPenguin
Apprentice


Joined: 19 Jun 2003
Posts: 274

Posted: Thu Mar 06, 2014 3:43 am    Post subject: GNUTLS Security Alert.

Quote:
EDIT: Per Kh's post below, this has been patched into the main trunk via the stable net-libs/gnutls-2.12.23-r4.


According to recent news and a security alert, GNUTLS, one of the basic SSL libraries, has a flaw similar to the Apple hole which allows for attacks against machines via malformed security certificates.

http://readwrite.com/2014/03/05/gnutls-bug-linux-security-flaw-leaves-users-vulnerable-hacks

Users are recommended to update to version 3.2.12 or higher. While a bug has been found for version 3.2.12 (https://bugs.gentoo.org/show_bug.cgi?id=503460), version 3.2.12.1 passes tests, at least on my system.

For the present the updated form is not in portage, but it is possible to rename the 3.2.11 ebuild to gnutls-3.2.12.1.ebuild, install it in /usr/local/portage/ and build. The file is in the source below. For those who have not installed a local ebuild before, it is necessary to create the directory /usr/local/portage/net-libs/gnutls/ and then to copy the file below there as gnutls-3.2.12.1.ebuild. Then call:

Code:
ebuild /usr/local/portage/net-libs/gnutls/gnutls-3.2.12.1.ebuild digest


to generate the necessary digest (the Manifest).

Code:

# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

# $Header: /var/cvsroot/gentoo-x86/net-libs/gnutls/gnutls-3.2.12.1.ebuild,v 1.4 2014/02/17 09:35:44 alonbl Exp $

EAPI=5

inherit autotools libtool eutils versionator

DESCRIPTION="A TLS 1.2 and SSL 3.0 implementation for the GNU project"
HOMEPAGE="http://www.gnutls.org/"
SRC_URI="ftp://ftp.gnutls.org/gcrypt/gnutls/v$(get_version_component_range 1-2)/${P}.tar.xz"

# LGPL-3 for libgnutls library and GPL-3 for libgnutls-extra library.
# soon to be relicensed as LGPL-2.1 unless heartbeat extension enabled.
LICENSE="GPL-3 LGPL-3"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris"
IUSE_LINGUAS=" en cs de fi fr it ms nl pl sv uk vi zh_CN"
IUSE="+cxx +crywrap dane doc examples guile nls pkcs11 static-libs test zlib ${IUSE_LINGUAS// / linguas_}"
# heartbeat support is not disabled until re-licensing happens fully

# NOTICE: sys-devel/autogen is required at runtime as we
# use system libopts
RDEPEND=">=dev-libs/libtasn1-2.14
   >=dev-libs/nettle-2.7[gmp]
   dev-libs/gmp
   sys-devel/autogen
   crywrap? ( net-dns/libidn )
   dane? ( net-dns/unbound )
   guile? ( >=dev-scheme/guile-1.8[networking] )
   nls? ( virtual/libintl )
   pkcs11? ( >=app-crypt/p11-kit-0.19.2 )
   zlib? ( >=sys-libs/zlib-1.2.3.1 )"
DEPEND="${RDEPEND}
   >=sys-devel/automake-1.11.6
   virtual/pkgconfig
   doc? ( dev-util/gtk-doc )
   nls? ( sys-devel/gettext )
   test? ( app-misc/datefudge )"

DOCS=( AUTHORS ChangeLog NEWS README THANKS doc/TODO )

src_prepare() {
   # tests/suite directory is not distributed
   sed -i \
      -e '\:AC_CONFIG_FILES(\[tests/suite/Makefile\]):d' \
      -e '/^AM_INIT_AUTOMAKE/s/-Werror//' \
      configure.ac || die

   sed -i \
      -e 's/imagesdir = $(infodir)/imagesdir = $(htmldir)/' \
      doc/Makefile.am || die

   # force regeneration of autogen-ed files
   local file
   for file in $(grep -l AutoGen-ed src/*.c) ; do
      rm src/$(basename ${file} .c).{c,h} || die
   done

   # support user patches
   epatch_user

   eautoreconf

   # Use sane .so versioning on FreeBSD.
   elibtoolize

   # bug 497472
   use cxx || epunt_cxx
}

src_configure() {
   LINGUAS="${LINGUAS//en/en@boldquot en@quot}"

   # TPM needs to be tested before being enabled
   # hardware-accell is disabled on OSX because the asm files force
   #   GNU-stack (as doesn't support that) and when that's removed ld
   #   complains about duplicate symbols
   econf \
      --htmldir="${EPREFIX}/usr/share/doc/${PF}/html" \
      --disable-valgrind-tests \
      --enable-heartbeat-support \
      $(use_enable cxx) \
      $(use_enable dane libdane) \
      $(use_enable doc gtk-doc) \
      $(use_enable doc gtk-doc-pdf) \
      $(use_enable guile) \
      $(use_enable crywrap) \
      $(use_enable nls) \
      $(use_enable static-libs static) \
      $(use_with pkcs11 p11-kit) \
      $(use_with zlib) \
      --without-tpm \
      $([[ ${CHOST} == *-darwin* ]] && echo --disable-hardware-acceleration)
}

src_test() {
   # parallel testing often fails
   emake -j1 check
}

src_install() {
   default

   find "${ED}" -name '*.la' -delete

   dodoc doc/certtool.cfg

   if use doc; then
      dodoc doc/gnutls.pdf
      dohtml doc/gnutls.html
   fi

   if use examples; then
      docinto examples
      dodoc doc/examples/*.c
   fi
}


EDIT: The GnuTLS site (www.gnutls.org) appears to be offline for the moment.
_________________
Linux, the OS for the obsessive-compulsive speed freak in all of us.


Last edited by CrankyPenguin on Fri Mar 07, 2014 7:11 pm; edited 1 time in total
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Thu Mar 06, 2014 7:36 am    Post subject: Re: GNUTLS Security Alert.

CrankyPenguin wrote:
For the present the updated form is not in portage but it is possible to modify the 3.2.11 ebuild by name to 3.2.12.1.ebuild and install it in /usr/local/portage/ and build.

CrankyPenguin ... this isn't correct, gnutls-3* isn't being stabilised, it's =net-libs/gnutls-2.12.23-r4 ... see bugs #503394 and #501282.

Code:
# equery c net-libs/gnutls
*gnutls-2.12.23-r4 (04 Mar 2014)

  04 Mar 2014; Alon Bar-Lev <alonbl@gentoo.org>
  +files/gnutls-2.12.23-CVE-2014-1959.patch, +gnutls-2.12.23-r4.ebuild,
  -gnutls-2.12.23-r2.ebuild, -gnutls-2.12.23-r3.ebuild:
  Fix CVE-2014-1959, bug#501282

So, though not stabilised as yet for all arches, one could do so with package.accept_keywords ...

Code:
=net-libs/gnutls-2.12.23-r4

best ... khay
mrbassie
Guru


Joined: 31 May 2013
Posts: 555

Posted: Thu Mar 06, 2014 4:49 pm    Post subject: Re: GNUTLS Security Alert.

khayyam wrote:
CrankyPenguin ... this isn't correct, gnutls-3* isn't being stabilised, it's =net-libs/gnutls-2.12.23-r4 ... see bugs #503394 and #501282.
[...]


So is this fixed already?

=net-libs/gnutls-2.12.23-r4 came through on my two comps x86 and x86_64 respectively today.
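To answer "is this fixed already?" in a checkable way, here is an added example (not from this thread, and not Gentoo's or the GnuTLS project's code) that reads the installed net-libs/gnutls versions from Portage's installed-package database (/var/db/pkg, one directory per installed version named gnutls-<version>) or, failing that, from `gnutls-cli --version`, and compares them against the versions the posts above name as fixed: 3.2.12 and later on the 3.2 branch, and the Gentoo revision 2.12.23-r4 on the 2.12 branch. The fixed-version table is taken only from this thread, not from an upstream advisory, so branches the thread does not mention (3.0.x, 3.1.x) are reported as "unknown branch" rather than guessed at. It is also assumed that the first line of `gnutls-cli --version` output contains the version as dotted digits.

```python
"""Check whether the installed net-libs/gnutls carries the fix discussed above.

Fixed versions, as stated in the thread (not an upstream advisory):
  - 3.2.12 and later (3.2.12.1 is a point release on top of it)
  - 2.12.23-r4 (Gentoo revision carrying the backported patch)
Branches not named in the thread are reported as unknown, not guessed.
"""
import os
import re
import subprocess
from typing import List, Optional, Tuple

PKG = "net-libs/gnutls"

# (major, minor) branch -> minimum fixed (numeric components, -r revision)
FIXED_SINCE = {
    (2, 12): ((2, 12, 23), 4),   # =net-libs/gnutls-2.12.23-r4
    (3, 2): ((3, 2, 12), 0),     # "update to version 3.2.12 or higher"
}


def parse_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Parse a Gentoo-style version such as '2.12.23-r4' or '3.2.12.1'
    into (numeric components, revision).  Suffixes like _p1 or _rc are
    deliberately not handled; none appear in this thread."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2)) if m.group(2) else 0
    return nums, rev


def is_fixed(ver: str) -> Optional[bool]:
    """True/False for branches the thread covers, None for any other branch."""
    nums, rev = parse_version(ver)
    branch = nums[:2]
    if branch not in FIXED_SINCE:
        return None
    # Tuple comparison: a longer tuple with an equal prefix (3.2.12.1) sorts
    # after the shorter one (3.2.12), which is the Portage ordering too.
    return (nums, rev) >= FIXED_SINCE[branch]


def installed_versions(vdb: str = "/var/db/pkg") -> List[str]:
    """Versions of net-libs/gnutls recorded in Portage's installed-package
    database: /var/db/pkg/net-libs/gnutls-<version>/ per installed slot."""
    cat_dir = os.path.join(vdb, "net-libs")
    if not os.path.isdir(cat_dir):
        return []
    return [d[len("gnutls-"):] for d in sorted(os.listdir(cat_dir))
            if re.fullmatch(r"gnutls-\d.*", d)]


def version_from_cli_output(text: str) -> Optional[str]:
    """Pull the dotted version out of `gnutls-cli --version` output.
    Assumption: the version appears on the first line as dotted digits."""
    lines = text.splitlines()
    first = lines[0] if lines else ""
    m = re.search(r"\b(\d+\.\d+\.\d+(?:\.\d+)?)\b", first)
    return m.group(1) if m else None


def runtime_version() -> Optional[str]:
    """Ask the installed gnutls-cli for its version (None if unavailable)."""
    try:
        out = subprocess.run(["gnutls-cli", "--version"], capture_output=True,
                             text=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return version_from_cli_output(out)


def report(versions: List[str]) -> List[str]:
    """One verdict line per version, suitable for printing or asserting on."""
    verdicts = {True: "fixed", False: "VULNERABLE", None: "unknown branch"}
    return [f"{PKG}-{v}: {verdicts[is_fixed(v)]}" for v in versions]


if __name__ == "__main__":
    found = installed_versions()
    if not found:
        cli = runtime_version()
        found = [cli] if cli else []
    if not found:
        print("no gnutls found via Portage VDB or gnutls-cli")
    for line in report(found):
        print(line)
```

A "fixed" verdict only covers what Portage has installed on disk; processes started before the upgrade still have the old libgnutls mapped, so restart anything that links it (on Linux, `lsof -n | grep -i 'libgnutls.*deleted'` lists the stragglers).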
CrankyPenguin
Apprentice


Joined: 19 Jun 2003
Posts: 274

Posted: Fri Mar 07, 2014 7:10 pm    Post subject: Ahh.

Didn't find those notices in my search. Thanks K.
_________________
Linux, the OS for the obsessive-compulsive speed freak in all of us.
All times are GMT