
caeadfddb01d2cda19d2f761ba9906ef8f162173 — Ludovic Courtès 10 years ago c22a132
gnu: openssl: Replace with 1.0.2g [fixes CVE-2016-{0800,0705,0798,0797,0799,0702,0703,0704}].

See <http://openssl.org/news/secadv/20160301.txt>.
Also fixes <http://bugs.gnu.org/22831>.

* gnu/packages/patches/openssl-c-rehash-in.patch: New file.
* gnu/packages/tls.scm (openssl)[replacement]: New field.
(openssl-1.0.2g): New variable.
3 files changed, 40 insertions(+), 1 deletions(-)

M gnu-system.am
A gnu/packages/patches/openssl-c-rehash-in.patch
M gnu/packages/tls.scm
M gnu-system.am => gnu-system.am +1 -0
@@ 631,6 631,7 @@ dist_patch_DATA =						\
  gnu/packages/patches/openjpeg-use-after-free-fix.patch	\
  gnu/packages/patches/openssl-runpath.patch			\
  gnu/packages/patches/openssl-c-rehash.patch			\
  gnu/packages/patches/openssl-c-rehash-in.patch		\
  gnu/packages/patches/orpheus-cast-errors-and-includes.patch	\
  gnu/packages/patches/ots-no-include-missing-file.patch	\
  gnu/packages/patches/patchelf-page-size.patch			\

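--- /dev/null
+++ b/gnu/packages/patches/openssl-c-rehash-in.patch
@@ -0,0 +1,17 @@
+This patch removes the explicit reference to the 'perl' binary,
+such that OpenSSL does not retain a reference to Perl.
+
+The 'c_rehash' program is seldom used, but it is used nonetheless
+to create symbolic links to certificates, for instance in the 'nss-certs'
+package.
+
+--- openssl-1.0.2g/tools/c_rehash.in	2015-09-09 18:36:07.313316482 +0200
++++ openssl-1.0.2g/tools/c_rehash.in	2015-09-09 18:36:28.965458458 +0200
+@@ -1,4 +1,6 @@
+-#!/usr/local/bin/perl
++eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}'
++  & eval 'exec perl -wS "$0" $argv:q'
++    if 0;
+ 
+ # Perl c_rehash script, scan all files in a directory
+ # and add symbolic links to their hash values.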
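Review bot: The patch header says why the absolute interpreter path is dropped but not what the consequence is: with `exec perl -wS "$0"` the script now resolves `perl` from the caller's PATH at run time instead of a fixed store path, so every package that invokes `c_rehash` (the header names 'nss-certs') must make perl available in its build environment. One sentence in the header would make that explicit, e.g. `Note that c_rehash now requires 'perl' to be found in PATH at run time.` The `-S` switch additionally lets perl search PATH for `$0` itself when the script is invoked by bare name, which is presumably why it is used here; stating that would keep a future reader from dropping it as unnecessary.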

M gnu/packages/tls.scm => gnu/packages/tls.scm +22 -1
@@ 1,5 1,5 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>


@@ 179,6 179,7 @@ required structures.")

(define-public openssl
  (package
   (replacement openssl-1.0.2g)
   (name "openssl")
   (version "1.0.2f")
   (source (origin


@@ 282,6 283,26 @@ required structures.")
   (license license:openssl)
   (home-page "http://www.openssl.org/")))

(define openssl-1.0.2g
  (package
    (inherit openssl)
    (replacement #f)
    (source
     (let ((name "openssl") (version "1.0.2g"))
       (origin
         (method url-fetch)
         (uri (list (string-append "ftp://ftp.openssl.org/source/"
                                   name "-" version ".tar.gz")
                    (string-append "ftp://ftp.openssl.org/source/old/"
                                   (string-trim-right version char-set:letter)
                                   "/" name "-" version ".tar.gz")))
         (sha256
          (base32
           "0cxajjayi859czi545ddafi24m9nwsnjsw4q82zrmqvwj2rv315p"))
         (patches (map search-patch
                       '("openssl-runpath.patch"
                         "openssl-c-rehash-in.patch"))))))))

(define-public libressl
  (package
    (name "libressl")
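Review bot: In the `openssl-1.0.2g` definition (hunk `@@ 282,6 283,26 @@`), the `version` bound by the `let` only selects the tarball; the package's own `version` field is inherited from `openssl` and therefore stays `"1.0.2f"`, so the grafted output is labelled 1.0.2f while containing 1.0.2g code. A comment would stop the next reader from reaching for `(version "1.0.2g")` without knowing whether the graft mechanism tolerates it, e.g. `;; Graft for the 2016-03-01 OpenSSL advisory; the inherited 'version' stays "1.0.2f", the 1.0.2g source is chosen only by the 'let' below.` The patch list is also restated here rather than derived from the parent's origin, so a patch later added to `openssl` would not reach the replacement; a short comment that `openssl-c-rehash-in.patch` deliberately stands in for the parent's c_rehash patch (presumably `openssl-c-rehash.patch`, listed in gnu-system.am) for the 1.0.2g tree would document that choice.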