[PATCH 0/3] Graft nss 3.88.1 with 3.98, for security patches.

Details
One participant
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Maxim Cournoyer
Severity
normal
Maxim Cournoyer wrote on 25 Apr 17:33 +0200
(address . guix-patches@gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
cover.1714059162.git.maxim.cournoyer@gmail.com
This series fixes recent security vulnerabilities affecting NSS and thus our
Icecat package, among others. It also handles the presence of multiple
nss-certs packages in an operating system's packages field declaration.


Maxim Cournoyer (3):
gnu: nss-3.98: Streamline source origin via inheritance.
gnu: nss: Graft with version 3.98 [security fixes].
system: Warn when multiple nss-certs packages are used.

gnu/packages/librewolf.scm | 2 +-
gnu/packages/nss.scm | 83 +++++++++++++++++---------------------
gnu/system.scm | 28 ++++++++++++-
3 files changed, 65 insertions(+), 48 deletions(-)


base-commit: e5c130c0f90a7dacc8d223eee494a1b1105dd94a
--
2.41.0
Maxim Cournoyer wrote on 25 Apr 17:54 +0200
(address . 70569@debbugs.gnu.org)
cover.1714060468.git.maxim.cournoyer@gmail.com
This series fixes recent security vulnerabilities affecting NSS and thus our
Icecat package, among others. It also handles the presence of multiple
nss-certs packages in an operating system's packages field declaration.


Maxim Cournoyer (3):
gnu: nss-3.98: Streamline source origin via inheritance.
gnu: nss: Graft with version 3.98 [security fixes].
system: Warn when multiple nss-certs packages are used.

gnu/packages/librewolf.scm | 2 +-
gnu/packages/nss.scm | 83 +++++++++++++++++---------------------
gnu/system.scm | 28 ++++++++++++-
3 files changed, 65 insertions(+), 48 deletions(-)


base-commit: e5c130c0f90a7dacc8d223eee494a1b1105dd94a
--
2.41.0
Maxim Cournoyer wrote on 25 Apr 17:54 +0200
[PATCH 3/3] system: Warn when multiple nss-certs packages are used.
(address . 70569@debbugs.gnu.org)
3c869bd9be359f4c524d26789b1260f266a6a949.1714060468.git.maxim.cournoyer@gmail.com
This can happen due to users providing 'nss-certs' and adding it to the
%base-packages, which now include 'nss-certs'.

* gnu/system.scm (operating-system-packages): Warn when multiple nss-certs
packages are detected; keep only the latest one.

Change-Id: I6104f134ea1cc155ae9e8e0ae70bb5a38fc05800
Reported-by: Ian Eure <ian@retrospec.tv>
---

gnu/system.scm | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/gnu/system.scm b/gnu/system.scm
index c7f8003ad2..025834328c 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -43,7 +43,8 @@ (define-module (gnu system)
#:use-module (guix deprecation)
#:use-module (guix derivations)
#:use-module (guix profiles)
- #:use-module ((guix utils) #:select (substitute-keyword-arguments))
+ #:use-module ((guix utils) #:select (substitute-keyword-arguments
+ version>?))
#:use-module (guix i18n)
#:use-module (guix diagnostics)
#:use-module (guix ui)
@@ -275,7 +276,7 @@ (define-record-type* <operating-system> operating-system
(issue operating-system-issue ; string
(default %default-issue))
- (packages operating-system-packages ; list of (PACKAGE OUTPUT...)
+ (packages %operating-system-packages ; list of (PACKAGE OUTPUT...)
(default %base-packages)) ; or just PACKAGE
(timezone operating-system-timezone
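Review bot: renaming the record accessor to `%operating-system-packages` changes what `operating-system-packages` means for every caller in this module, and the unchanged `(default %base-packages)` context shows that even configurations that never set `packages` now go through the new wrapper. That is harmless, but the commit message should say that the raw accessor was renamed and is kept as `%operating-system-packages` for internal use, so readers of `git log` know where the field accessor went.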
@@ -316,6 +317,29 @@ (define-deprecated (operating-system-hosts-file os)
hosts-service-type
(%operating-system-hosts-file os))
+;;; XXX: Remove after a new release of Guix no longer suggests to install
+;;; nss-certs.
+(define (operating-system-packages os)
+ "Return the packages of the OS <operating-system> record object."
+ ;; This wrapper is used to warn users that their operating system packages
+ ;; field contains a duplicated nss-certs packages.
+ (let* ((packages (%operating-system-packages os))
+ (nss-certs-packages (sort (filter (lambda (p)
+ (string=? "nss-certs" (package-name p)))
+ packages)
+ (lambda (x y)
+ ;; Sort from newer to older versions.
+ (version>? (package-version x)
+ (package-version y))))))
+ (if (> (length nss-certs-packages) 1)
+ (begin
+ (warning #f
+ (G_ "multiple 'nss-certs' packages found; 'nss-certs' \
+is now included by default in '%base-packages'; ensure it is not explicitly \
+listed in the operating system 'packages' field~%"))
+ (fold delete packages (drop nss-certs-packages 1)))
+ packages)))
+
(define* (operating-system-kernel-arguments
os root-device #:key (version %boot-parameters-version))
"Return all the kernel arguments, including the ones not specified directly
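Review bot: the filter `(string=? "nss-certs" (package-name p))` assumes every element of PACKAGES is a package object, but the field comment visible in this same diff (`; list of (PACKAGE OUTPUT...)` / `; or just PACKAGE`) allows `(PACKAGE OUTPUT...)` list entries, on which `package-name` raises a wrong-type error; guard with `(and (package? p) ...)` or unwrap list entries before comparing. Separately, because this wrapper replaces the accessor itself, the `warning` is emitted on every call of `operating-system-packages` rather than once per configuration, so a single `guix system` run may print it several times; memoizing the result per OS record (or emitting the warning only once) would keep the output clean. The `(fold delete packages (drop nss-certs-packages 1))` logic does match the commit message ("keep only the latest one") since the list is sorted newest first.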
--
2.41.0
Maxim Cournoyer wrote on 25 Apr 17:54 +0200
[PATCH 1/3] gnu: nss-3.98: Streamline source origin via inheritance.
(address . 70569@debbugs.gnu.org)
3418fbe66a1573937f44c1902bba6e9950426886.1714060468.git.maxim.cournoyer@gmail.com
* gnu/packages/nss.scm (nss-3.98): Simplify source via inheritance.

Change-Id: I6c1df497a7ff538162afa128eca676997d76e28f
---

gnu/packages/nss.scm | 16 +++-------------
1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 00770f11a9..a2843be17a 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -5,7 +5,7 @@
;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2020, 2021 Marius Bakke <marius@gnu.org>
;;; Copyright © 2020 Jonathan Brielmaier <jonathan.brielmaier@web.de>
-;;; Copyright © 2021, 2022, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2022, 2023, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;;
;;; This file is part of GNU Guix.
@@ -253,7 +253,7 @@ (define-public nss-3.98
(inherit nss)
(version "3.98")
(source (origin
- (method url-fetch)
+ (inherit (package-source nss))
(uri (let ((version-with-underscores
(string-join (string-split version #\.) "_")))
(string-append
@@ -262,17 +262,7 @@ (define-public nss-3.98
"nss-" version ".tar.gz")))
(sha256
(base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))
- ;; Create nss.pc and nss-config.
- (patches (search-patches "nss-3.56-pkgconfig.patch"
- "nss-getcwd-nonnull.patch"
- "nss-increase-test-timeout.patch"))
- (modules '((guix build utils)))
- (snippet
- '(begin
- ;; Delete the bundled copy of these libraries.
- (delete-file-recursively "nss/lib/zlib")
- (delete-file-recursively "nss/lib/sqlite")))))
+ "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
(arguments
(substitute-keyword-arguments (package-arguments nss)
((#:phases phases)
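Review bot: the removed `patches`, `modules` and `snippet` lines are equivalent to the inherited `(package-source nss)` only if the base origin carries exactly `nss-3.56-pkgconfig.patch`, `nss-getcwd-nonnull.patch`, `nss-increase-test-timeout.patch` and the zlib/sqlite deletion snippet; that base origin is not part of this diff, so the commit message should state that the inherited fields are identical (the unchanged sha256 `1kh98amf...` confirms only that the tarball is the same). The `;; Create nss.pc and nss-config.` comment explaining why the pkgconfig patch exists is also dropped here; make sure it survives on the base origin. One consequence of inheriting is that any patch later added to the base `nss` origin silently applies to 3.98 as well, which is fine as long as that is the intent.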
--
2.41.0
Maxim Cournoyer wrote on 25 Apr 17:54 +0200
[PATCH 2/3] gnu: nss: Graft with version 3.98 [security fixes].
(address . 70569@debbugs.gnu.org)
fa5ef3de25be667f249cd6e3addfbc8c0501fdc9.1714060468.git.maxim.cournoyer@gmail.com
This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.

* gnu/packages/nss.scm (nss) [replacement]: New field.
(nss-3.98): Rename variable to...
(nss/fixed): ... this. Make it a hidden package.
* gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with
nss/fixed.

Change-Id: I8cc667c53a270dfe00738bf731923f1342036624
---

gnu/packages/librewolf.scm | 2 +-
gnu/packages/nss.scm | 71 ++++++++++++++++++++------------------
2 files changed, 38 insertions(+), 35 deletions(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 87b76c661f..1717bad0b5 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -581,7 +581,7 @@ (define-public librewolf
mesa
mit-krb5
nspr
- nss-3.98
+ nss/fixed
pango
pciutils
pipewire
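Review bot: librewolf previously depended on `nss-3.98` explicitly, so it needs the real 3.98 as a build-time input rather than a grafted `nss`; the swap to `nss/fixed` preserves that, but since `nss/fixed` is now a `hidden-package` with version string `3.98.0`, the commit message should say why librewolf keeps a direct reference to it so that a later cleanup does not replace it with plain `nss` and lose the newer headers at build time.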
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index a2843be17a..8f6ed06e63 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -110,6 +110,7 @@ (define-public nss
;; version and source to avoid a top-level variable reference & module
;; cycle.
(version "3.88.1")
+ (replacement nss/fixed)
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
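Review bot: `(replacement nss/fixed)` forward-references a variable defined later in the same file. That works because the `replacement` field of `package` is thunked in Guix, but it sits directly under the comment `;; version and source to avoid a top-level variable reference & module` / `;; cycle.`, so a one-line comment noting that `replacement` is delayed would stop a reader from "fixing" it into a cycle or reordering the definitions.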
@@ -248,38 +249,40 @@ (define-public nss
security standards.")
(license license:mpl2.0)))
-(define-public nss-3.98
- (package
- (inherit nss)
- (version "3.98")
- (source (origin
- (inherit (package-source nss))
- (uri (let ((version-with-underscores
- (string-join (string-split version #\.) "_")))
- (string-append
- "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
- "releases/NSS_" version-with-underscores "_RTM/src/"
- "nss-" version ".tar.gz")))
- (sha256
- (base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
- (arguments
- (substitute-keyword-arguments (package-arguments nss)
- ((#:phases phases)
- #~(modify-phases #$phases
- (replace 'check
- (lambda* (#:key tests? #:allow-other-keys)
- (if tests?
- (begin
- ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
- ;; testing. The latter requires a working DNS or /etc/hosts.
- (setenv "DOMSUF" "localdomain")
- (setenv "USE_IP" "TRUE")
- (setenv "IP_ADDRESS" "127.0.0.1")
+(define-public nss/fixed
+ (let ((actual-version "3.98"))
+ (hidden-package
+ (package
+ (inherit nss)
+ (version (string-append actual-version ".0")) ;for grafts requirements
+ (source (origin
+ (inherit (package-source nss))
+ (uri (let ((version-with-underscores
+ (string-join (string-split actual-version #\.) "_")))
+ (string-append
+ "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+ "releases/NSS_" version-with-underscores "_RTM/src/"
+ "nss-" actual-version ".tar.gz")))
+ (sha256
+ (base32
+ "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments nss)
+ ((#:phases phases)
+ #~(modify-phases #$phases
+ (replace 'check
+ (lambda* (#:key tests? #:allow-other-keys)
+ (if tests?
+ (begin
+ ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
+ ;; testing. The latter requires a working DNS or /etc/hosts.
+ (setenv "DOMSUF" "localdomain")
+ (setenv "USE_IP" "TRUE")
+ (setenv "IP_ADDRESS" "127.0.0.1")
- ;; The "PayPalEE.cert" certificate expires every six months,
- ;; leading to test failures:
- ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
- ;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
- (format #t "test suite not run~%"))))))))))
+ ;; The "PayPalEE.cert" certificate expires every six months,
+ ;; leading to test failures:
+ ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
+ ;; work around that, set the time to roughly the release date.
+ (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
+ (format #t "test suite not run~%"))))))))))))
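Review bot: the `;for grafts requirements` comment on `(version (string-append actual-version ".0"))` should spell out the requirement: a graft replacement's store file name must have the same length as the original's, so `nss-3.98.0` matches `nss-3.88.1` where `nss-3.98` would not. Beyond the name length, a graft only rewrites store references in already-built dependents, so the replacement must be ABI-compatible with 3.88.1; the commit message lists the CVEs fixed but not that 3.98 keeps the NSS shared-library ABI, which is worth stating since every grafted dependent (Icecat, per the cover letter) will load it unchanged. The `check` phase is otherwise moved verbatim, including the `faketime "2024-01-23"` workaround tied to the 3.98 release date.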
--
2.41.0
Maxim Cournoyer wrote on 26 Apr 13:12 +0200
Re: [bug#70569] [PATCH 0/3] Graft nss 3.88.1 with 3.98, for security patches.
(address . 70569-done@debbugs.gnu.org)
871q6sfkdw.fsf@gmail.com
Hello,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> This series fixes recent security vulnerabilities affecting NSS and thus our
> Icecat package, among others. It also handles the presence of multiple
> nss-certs packages in an operating system's packages field declaration.
>
>
> Maxim Cournoyer (3):
> gnu: nss-3.98: Streamline source origin via inheritance.
> gnu: nss: Graft with version 3.98 [security fixes].
> system: Warn when multiple nss-certs packages are used.

Pushed to master. Closing!

--
Thanks,
Maxim