[PATCH] gnu: nghttp2: Replace with 1.57.0.

  • Done
Details
2 participants
  • Ludovic Courtès
  • Philip McGrath
Owner
unassigned
Submitted by
Philip McGrath
Severity
normal
Philip McGrath wrote on 21 Oct 2023 06:20
(address . guix-patches@gnu.org)(name . Philip McGrath)(address . philip@philipmcgrath.com)
4cb10aa33d799603e45b839396261b8cfdaccbc6.1697861438.git.philip@philipmcgrath.com
This release mitigates CVE-2023-44487.

* gnu/packages/web.scm (nghttp2-1.57): New variable.
(nghttp2)[replacement]: Use it.
---

I've never attempted to create a graft before, and I have **definitely not**
tested this adequately, but `guix refresh` says:

> Building the following 7989 packages would ensure 20638 dependent packages
> are rebuilt:

so it seems like a graft would be needed.

The upstream nghttp2 advisory about the impact of CVE-2023-44487 is at:

Philip


gnu/packages/web.scm | 14 ++++++++++++++
1 file changed, 14 insertions(+)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index b46286c690..4a66fada51 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -7958,6 +7958,7 @@ (define-public nghttp2
(package
(name "nghttp2")
(version "1.49.0")
+ (replacement nghttp2-1.57)
(source
(origin
(method url-fetch)
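Review bot: The new `(replacement nghttp2-1.57)` line carries no comment saying why the graft exists; a short note beside it naming the fix it delivers (CVE-2023-44487, per the commit message) tells whoever later bumps `version` on this package that the replacement can be dropped at that point. A graft is only valid when the replacement is drop-in ABI compatible with the original, including an unchanged SONAME, so that is the property the comment (and the commit message) should state was checked.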
@@ -8068,6 +8069,19 @@ (define-public nghttp2-for-node
(("print \\(ver >= '3\\.8'\\)")
"print (tuple(map(int, ver.split('.'))) >= (3,8))")))))))))))
+(define-public nghttp2-1.57
+ (package
+ (inherit nghttp2)
+ (version "1.57.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/nghttp2/nghttp2/"
+ "releases/download/v" version "/"
+ "nghttp2-" version ".tar.xz"))
+ (sha256
+ (base32
+ "0n598w7w8rqdqiay2fad3a11253hibakan5c4vjkpx09648v044j"))))))
+
(define-public hpcguix-web
(package
(name "hpcguix-web")
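Review bot: `nghttp2-1.57` overrides only `version` and `source` and inherits the rest from `nghttp2`, which is the right shape for a graft, but the definition itself has no comment marking it as a security replacement; the usual form in this file is a line such as `;; Replacement for nghttp2 above, fixing CVE-2023-44487.` directly above the `define-public`. Note also that `version` inside the `uri` refers to the freshly supplied "1.57.0", not the inherited "1.49.0", so the tarball URL is correct as written.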

base-commit: fed6ac2ae182597a492b17a29ed8b26986498755
--
2.41.0
Philip McGrath wrote on 21 Oct 2023 06:28
control message for bug #66658
(address . control@debbugs.gnu.org)(name . Philip McGrath)(address . philip@philipmcgrath.com)
7df4f70a-f2e8-41d8-b928-52517f73df1f@philipmcgrath.com
tags 66658 + security
quit
Ludovic Courtès wrote on 30 Oct 2023 00:35
Re: [bug#66658] [PATCH] gnu: nghttp2: Replace with 1.57.0.
(name . Philip McGrath)(address . philip@philipmcgrath.com)(address . 66658-done@debbugs.gnu.org)
871qdd6lyr.fsf@gnu.org
Hi Philip,

Philip McGrath <philip@philipmcgrath.com> wrote:

> This release mitigates CVE-2023-44487.
>
> * gnu/packages/web.scm (nghttp2-1.57): New variable.
> (nghttp2)[replacement]: Use it.
> ---
>
> I've never attempted to create a graft before, and I have **definitely not**
> tested this adequately, but `guix refresh` says:
>
>> Building the following 7989 packages would ensure 20638 dependent packages
>> are rebuilt:
>
> so it seems like a graft would be needed.

Indeed.

The two seem to be ABI-compatible:

$ guix shell libabigail -- abidiff /gnu/store/n0xrvryfjg2yciifxb2c0ac5rx9wy0xi-nghttp2-1.49.0-lib/lib/libnghttp2.so.14 /gnu/store/kimb54icxfxyi51v5vnr6x3pcf1km6q7-nghttp2-1.57.0-lib/lib/libnghttp2.so.14
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 2 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info

2 Added function symbols not referenced by debug info:

[A] nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
[A] nghttp2_option_set_stream_reset_rate_limit

$ readelf -a /gnu/store/n0xrvryfjg2yciifxb2c0ac5rx9wy0xi-nghttp2-1.49.0-lib/lib/libnghttp2.so.14 |grep SONAME
0x000000000000000e (SONAME) Library soname: [libnghttp2.so.14]
$ readelf -a /gnu/store/kimb54icxfxyi51v5vnr6x3pcf1km6q7-nghttp2-1.57.0-lib/lib/libnghttp2.so.14 |grep SONAME
0x000000000000000e (SONAME) Library soname: [libnghttp2.so.14]

(Bit questionable that the SONAME is exactly the same. Oh well.)

> The upstream nghttp2 advisory about the impact of CVE-2023-44487 is at:
> https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg

Applied, thanks!

Ludo’.
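The SONAME comparison above is the precondition for a graft; as an added example (not code from this thread or from Guix), the Python below reads DT_SONAME straight out of two ELF64 images and applies that same check so it can be scripted over store paths. `fake_shared_object` builds a constructed ELF skeleton (only `.dynstr` and `.dynamic`, not a real libnghttp2) so the example runs without any store files.

```python
import struct

ELF_HEADER_SIZE, SH_SIZE, DYN_SIZE = 64, 64, 16
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_SONAME = 0, 14

def elf_soname(data: bytes):
    """Return the DT_SONAME of a little-endian ELF64 image, or None if absent."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    # Section header fields: name type flags addr offset size link info align entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        dyn_off, dyn_size, strtab_off = sh[4], sh[5], shdrs[sh[6]][4]  # sh_link -> .dynstr
        for off in range(dyn_off, dyn_off + dyn_size, DYN_SIZE):
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if tag == DT_SONAME:
                end = data.index(b"\0", strtab_off + val)
                return data[strtab_off + val:end].decode()
    return None

def graft_soname_ok(old: bytes, new: bytes) -> bool:
    """The precondition checked with readelf in the thread: same, non-empty SONAME."""
    old_name, new_name = elf_soname(old), elf_soname(new)
    return old_name is not None and old_name == new_name

def fake_shared_object(soname: str) -> bytes:
    """Constructed input: ELF64 skeleton with only .dynstr/.dynamic (not loadable)."""
    dynstr = b"\0" + soname.encode() + b"\0"            # string index 1 -> soname
    dynamic = struct.pack("<qQqQ", DT_SONAME, 1, DT_NULL, 0)
    dynstr_off = ELF_HEADER_SIZE
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9           # ELF64, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff,
                               0, ELF_HEADER_SIZE, 0, 0, SH_SIZE, 3, 0)
    def shdr(sh_type, offset, size, link):
        return struct.pack("<IIQQQQIIQQ", 0, sh_type, 0, 0, offset, size, link, 0, 1, 0)
    shdrs = shdr(0, 0, 0, 0) + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0) \
        + shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 1)
    return ehdr + dynstr + dynamic + shdrs
```

On real files, pass `open(path, "rb").read()` for the two store paths; a differing or missing SONAME means the pair is not a graft candidate regardless of what abidiff reports.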