gnutls: upgraded package to upstream

Upgraded net-libs/gnutls to version 3.8.3 on amd64

BUG=b/322246880,b/322247481
TEST=None
RELEASE_NOTE=Fixed CVE-2024-0567 and CVE-2024-0553 in net-libs/gnutls.

cos-patch: security-high
Change-Id: I1090149252101b2dd1f3fc0e03a30d1b8c434fc0
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/portage-stable/+/64274
Reviewed-by: Oleksandr Tymoshenko <ovt@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
diff --git a/net-libs/gnutls/Manifest b/net-libs/gnutls/Manifest
index 700b6a0..de811b1 100644
--- a/net-libs/gnutls/Manifest
+++ b/net-libs/gnutls/Manifest
@@ -1,2 +1,16 @@
+DIST gnutls-3.7.6.tar.xz 6338276 BLAKE2B 9f3cce8dfc0b88f2c42d1d2633417dac649a265407b620b6d15967e5210debb99d287ef31d2b9dc37a527ac1e5b9db4c240b98a63293078fbd2e26ac694bf3d3 SHA512 f872339df80ec31d292821ff00eaafbe50e0bd4cdbb86e21e4f78541cd0a26d843596d5e69c91de4db8ce7d027fc639ae6462b57d89fb116162ae63c5a97486a
+DIST gnutls-3.7.6.tar.xz.sig 685 BLAKE2B eae022d6cb0d772e465257411381afd97f3dfd19d6f794a1c3e0f8c3c1232a8a1b91269ca7252a5662782183b11ca393c31efe3f88171a526884400fd0534528 SHA512 c969da9a938b9d29a70cea3b00cce337f9a4c4304aae7f501ef6263894f81a420395ddbe1b005f35dff2e900d3fac75e288f10bbfde0ebea034f7e257bb16d0e
 DIST gnutls-3.7.7.tar.xz 6351664 BLAKE2B a66037ecc6da660ff12949f50012840263c2e0b174079e41b62a2d884f060cee56f0c64a2815d07321a54b08cce016d2b4c8f0e059636c1ab5f7db9c8d64c7c6 SHA512 ba00b20126379ec7e96c6bfa606cfb7bb0d9a5853318b29b5278a42a85ae40d39d8442778938e1f165debcdb1adaf9c63bcec59a4eb3387dd1ac99b08bcc5c08
 DIST gnutls-3.7.7.tar.xz.sig 685 BLAKE2B 53d76a06ed5a74664d6c193459eb310f06e87dd3db97aca9e9fa78837677df58d8de66f187c182b9375786ee0308c5da55f08414183c959c7acb4527c38cd7c7 SHA512 6463bc4661e20051ff9f31c1a557cece34d06b748f4e24f98e807ddc72a3daa9348aa9f0afa83a0f9cd226421c575210eec1936fbeb9a55849e2c397ace9d03d
+DIST gnutls-3.7.8.tar.xz 6029220 BLAKE2B 0a21e63c7cb0ba4eeff23593c7282e0b4d704fa2d2a1cd5289998fd04b58ea36fc343f872225ad05478e278b1cdebbcd0fd376459abcb58547f8fa1488485530 SHA512 4199bcf7c9e3aab2f52266aadceefc563dfe2d938d0ea1f3ec3be95d66f4a8c8e5494d3a800c03dd02ad386dec1738bd63e1fe0d8b394a2ccfc7d6c6a0cc9359
+DIST gnutls-3.7.8.tar.xz.sig 1250 BLAKE2B 66c6a335c3b2290a4e44ffa6ae715ad71d2bcd7df485c1d2d9490985d9dcd445768d6eb021ad3a61614431183c6652254c63ebd8abd0f0a03d3164a6193b6192 SHA512 cecf9843e8683a278d065b663dc98ac2b5fcad1905ee25333038c93c2289b518c974629367e77e66552ac1c9d122d551616edba35cb0c4204202ec676f1a2db7
+DIST gnutls-3.7.9.tar.xz 6377212 BLAKE2B c8263381132b0c96f23a580823cfaf57112056876e5f2cc21aec4eeddec641b0c01fa02ff9493ea686f49fd917190b06f89379eb448a510cf4d50fe3a0742851 SHA512 56ccbab5f214f9e3cf10a43dd90dedc1e10a38d08b8359a4305dc05c59ddb4a1d3680b282077b6446605c31675a4261cd0579c2c0d976e0b2ced02e6dba224c1
+DIST gnutls-3.7.9.tar.xz.sig 685 BLAKE2B 2e7ba793d026cf96c54c75a81160c58cf21d6d5f034a603ffe88d5fa4cbfa1d4fd590efbe81fbee7790cd4956776085b7827fead67c9b07f1d7eadd405815eb7 SHA512 906227a0d6f57878e85e9acdf754d20b7628a7a95b40aeffced398a0a0c6220f5e32191a9f988f55b8b903bf55212179dce2abcc08c2bb3397a2704dd2319438
+DIST gnutls-3.8.0.tar.xz 6378480 BLAKE2B 64784e9c0ac4dcab2c9e90d7d17d0bd8a0021224be285c12a53673f3a52aa3f189152b1b0b4aaae5a8fb41951361af1fd04a5b535774c4a26c26eb895519af40 SHA512 2507b3133423fdaf90fbd826ccb1142e9ff6fc90fcd5531720218f19ddf0e6bbb8267d23bad35c0954860e5a4179da74823e0c8357db56a14f252e6ec9d59629
+DIST gnutls-3.8.0.tar.xz.sig 684 BLAKE2B c5dbed12b8233ed8502dac16b77d6043591296f4b9ddb0445271e8fe875c2a05b9663ad6523cca6355faaa9d244cc6e6fb8ff0d65fee47b36ab6b57f57d89f64 SHA512 9db8db74aa0ebd871287b07b6a8a9f4ce90188633618e669fe07cb8bb314b624c14761f6fe1970e2fbffa87f7c0d6daa4b0fa838bd05f74b8b18cd1b5325c654
+DIST gnutls-3.8.1.tar.xz 6447056 BLAKE2B 16cb6d2dc7d67724ff45765ae3f154c8d268d8c4547df591a95ff014fc18f16f572a76e3cd00b3e13615ba41e80141cef21aa9915b467a1c452edfe314e2e0c7 SHA512 22e78db86b835843df897d14ad633d8a553c0f9b1389daa0c2f864869c6b9ca889028d434f9552237dc4f1b37c978fbe0cce166e3768e5d4e8850ff69a6fc872
+DIST gnutls-3.8.1.tar.xz.sig 685 BLAKE2B bfafa80bef81c2a24556f010f00294643ba7901eff07f055a0ebd9ca532b47b7b3d3403e9d1a1389c14e6f37f474a37afa2844f326d5ab35fa35b195f2ff1ade SHA512 f03fde611927c83f6b57af695d5610ba3cefbb88a261cf5485c94b3fb32c7480a77c68a353a6a28185337195e30011d6b5578c53ea4180a656cf7b175156f7f1
+DIST gnutls-3.8.2.tar.xz 6456540 BLAKE2B d70524f17919bc02fefc610ede948d209e50e3276fc1e2d40aaed5c208265455da220d948f4a3f21db57f9d253c103f3a1b9a6daa2229d02c7c224448acc2777 SHA512 b3aa6e0fa7272cfca0bb0d364fe5dc9ca70cfd41878631d57271ba0a597cf6020a55a19e97a2c02f13a253455b119d296cf6f701be2b4e6880ebeeb07c93ef38
+DIST gnutls-3.8.2.tar.xz.sig 685 BLAKE2B 7f82c047991d327cc1040bc38ba59e49bb1698968a833d73ec9ea8827b8d49586d5e5b6b6be313810d57ca60d09057b151264731ce5d995032a462717bcdc4ad SHA512 9feb30bfccb8c83e83d3d6df009f2a61f4c48eb357c988789c93b2e5a06a34cb490f33741ad0fd4f881fcd34747b3cf9c5aa45bbb15da680ebba35e07ba602f6
+DIST gnutls-3.8.3.tar.xz 6463720 BLAKE2B 27a4bb4d8a5697e2187113351b2ad1e849bca7bcfb556c1b54fc2d02bef16e2789e7c437ac8db8fe6d2bcfc0e3e3467bbff2dd5d2fc0adb9bf8bda81cb89e452 SHA512 74eddba01ce4c2ffdca781c85db3bb52c85f1db3c09813ee2b8ceea0608f92ca3912fd9266f55deb36a8ba4d01802895ca5d5d219e7d9caec45e1a8534e45a84
+DIST gnutls-3.8.3.tar.xz.sig 580 BLAKE2B 25875eb17d9e59bf1f1b6a61dfc7657d838ac154dbb3e26c8df1995884077878ca607de62a8ce3b9287df1ea7ff523c0abc7c4548f1ca789c308eb6bda0edbaa SHA512 5b2ca0648ca5feeda1de933de2bbaf71fadb70e830a8f0d494d2f0380b6d0d7b79445257cc79e59bba1a7ff639ab4573da3e3e124eb80c20ac6141e29a4827ff
diff --git a/net-libs/gnutls/files/gnutls-3.8.1-fix-gnutls-header.patch b/net-libs/gnutls/files/gnutls-3.8.1-fix-gnutls-header.patch
new file mode 100644
index 0000000..b3d10c1
--- /dev/null
+++ b/net-libs/gnutls/files/gnutls-3.8.1-fix-gnutls-header.patch
@@ -0,0 +1,46 @@
+https://bugs.gentoo.org/911872
+https://gitlab.com/gnutls/gnutls/-/commit/abfa8634db940115a11a07596ce53c8f9c4f87d2
+
+From abfa8634db940115a11a07596ce53c8f9c4f87d2 Mon Sep 17 00:00:00 2001
+From: Adrian Bunk <bunk@debian.org>
+Date: Sun, 6 Aug 2023 22:46:22 +0300
+Subject: [PATCH] Move the GNUTLS_NO_EXTENSIONS compatibility #define to
+ gnutls.h
+
+Signed-off-by: Adrian Bunk <bunk@debian.org>
+--- a/lib/ext/ext_master_secret.h
++++ b/lib/ext/ext_master_secret.h
+@@ -23,9 +23,6 @@
+ #ifndef GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H
+ #define GNUTLS_LIB_EXT_EXT_MASTER_SECRET_H
+ 
+-/* Keep backward compatibility */
+-#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
+-
+ #include <hello_ext.h>
+ 
+ extern const hello_ext_entry_st ext_mod_ext_master_secret;
+--- a/lib/includes/gnutls/gnutls.h.in
++++ b/lib/includes/gnutls/gnutls.h.in
+@@ -542,6 +542,9 @@ typedef enum {
+ #define GNUTLS_ENABLE_CERT_TYPE_NEG 0
+ // Here for compatibility reasons
+ 
++/* Keep backward compatibility */
++#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
++
+ /**
+  * gnutls_alert_level_t:
+  * @GNUTLS_AL_WARNING: Alert of warning severity.
+--- a/lib/state.h
++++ b/lib/state.h
+@@ -110,7 +110,4 @@ inline static int _gnutls_PRF(gnutls_session_t session, const uint8_t *secret,
+ 
+ #define DEFAULT_CERT_TYPE GNUTLS_CRT_X509
+ 
+-/* Keep backward compatibility */
+-#define GNUTLS_NO_EXTENSIONS GNUTLS_NO_DEFAULT_EXTENSIONS
+-
+ #endif /* GNUTLS_LIB_STATE_H */
+-- 
+GitLab
diff --git a/net-libs/gnutls/gnutls-3.7.7.ebuild b/net-libs/gnutls/gnutls-3.8.3.ebuild
similarity index 77%
rename from net-libs/gnutls/gnutls-3.7.7.ebuild
rename to net-libs/gnutls/gnutls-3.8.3.ebuild
index 3dfe5ff..b6b1f91 100644
--- a/net-libs/gnutls/gnutls-3.7.7.ebuild
+++ b/net-libs/gnutls/gnutls-3.8.3.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
 
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnutls.asc
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnutls.asc
 inherit libtool multilib-minimal verify-sig
 
 DESCRIPTION="A secure communications library implementing the SSL, TLS and DTLS protocols"
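Review bot: Dropping `"${BROOT}"` from `VERIFY_SIG_OPENPGP_KEY_PATH` is only correct if the verify-sig.eclass carried in this overlay prepends `${BROOT}` to the path itself. The commit keeps `EAPI=7` and does not touch the eclass, so that cannot be confirmed from this diff. With an eclass that uses the path as given, a prefixed build host would look for the gnutls key bundle under the wrong root, and OpenPGP verification of the tarball would not find its key. I would confirm the eclass behaviour and record it next to the assignment, e.g. `# verify-sig.eclass prepends ${BROOT}; keep this path unprefixed`.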
@@ -12,60 +12,68 @@
 SRC_URI+=" verify-sig? ( mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz.sig )"
 
 LICENSE="GPL-3 LGPL-2.1+"
-SLOT="0/30.30" # <libgnutls.so number>.<libgnutlsxx.so number>
+# As of 3.8.0, the C++ library is header-only, but we won't drop the subslot
+# component for it until libgnutls.so breaks ABI, to avoid pointless rebuilds.
+# Subslot format:
+# <libgnutls.so number>.<libgnutlsxx.so number>
+SLOT="0/30.30"
 KEYWORDS="*"
-IUSE="brotli +cxx dane doc examples guile +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools valgrind zlib zstd"
-
-REQUIRED_USE="test-full? ( cxx dane doc examples guile idn nls openssl pkcs11 seccomp tls-heartbeat tools )"
+IUSE="brotli +cxx dane doc examples +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools zlib zstd"
+REQUIRED_USE="test-full? ( cxx dane doc examples idn nls openssl pkcs11 seccomp tls-heartbeat tools )"
 RESTRICT="!test? ( test )"
 
-RDEPEND=">=dev-libs/libtasn1-4.9:=[${MULTILIB_USEDEP}]
+RDEPEND="
+	>=dev-libs/libtasn1-4.9:=[${MULTILIB_USEDEP}]
 	dev-libs/libunistring:=[${MULTILIB_USEDEP}]
 	>=dev-libs/nettle-3.6:=[gmp,${MULTILIB_USEDEP}]
 	>=dev-libs/gmp-5.1.3-r1:=[${MULTILIB_USEDEP}]
 	brotli? ( >=app-arch/brotli-1.0.0:=[${MULTILIB_USEDEP}] )
 	dane? ( >=net-dns/unbound-1.4.20:=[${MULTILIB_USEDEP}] )
-	guile? ( >=dev-scheme/guile-2:=[networking] )
 	nls? ( >=virtual/libintl-0-r1:=[${MULTILIB_USEDEP}] )
 	pkcs11? ( >=app-crypt/p11-kit-0.23.1[${MULTILIB_USEDEP}] )
 	idn? ( >=net-dns/libidn2-0.16-r1:=[${MULTILIB_USEDEP}] )
 	zlib? ( sys-libs/zlib[${MULTILIB_USEDEP}] )
-	zstd? ( >=app-arch/zstd-1.3.0:=[${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}
+	zstd? ( >=app-arch/zstd-1.3.0:=[${MULTILIB_USEDEP}] )
+"
+DEPEND="
+	${RDEPEND}
 	test? (
 		seccomp? ( sys-libs/libseccomp )
-	)"
+	)
+"
 BDEPEND="
-	dev-util/gtk-doc-am
 	>=virtual/pkgconfig-0-r1
 	doc? ( dev-util/gtk-doc )
 	nls? ( sys-devel/gettext )
-	valgrind? ( dev-util/valgrind )
 	test-full? (
 		app-crypt/dieharder
-		>=app-misc/datefudge-1.22
+		|| ( sys-libs/libfaketime >=app-misc/datefudge-1.22 )
 		dev-libs/softhsm:2[-bindist(-)]
 		net-dialup/ppp
 		net-misc/socat
 	)
-	verify-sig? ( >=sec-keys/openpgp-keys-gnutls-20220320 )"
+	verify-sig? ( >=sec-keys/openpgp-keys-gnutls-20231129 )
+"
 
 DOCS=( README.md doc/certtool.cfg )
 
 HTML_DOCS=()
 
-pkg_setup() {
-	# bug #520818
-	export TZ=UTC
-
-	use doc && HTML_DOCS+=(
-		doc/gnutls.html
-	)
-}
+QA_CONFIG_IMPL_DECL_SKIP=(
+	# gnulib FPs
+	MIN
+	alignof
+	static_assert
+)
 
 src_prepare() {
 	default
 
+	# bug #520818
+	export TZ=UTC
+
+	use doc && HTML_DOCS+=( doc/gnutls.html )
+
 	# don't try to use system certificate store on macOS, it is
 	# confusingly ignoring our ca-certificates and more importantly
 	# fails to compile in certain configurations
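Review bot: The `verify-sig?` dependency in `BDEPEND` now requires `>=sec-keys/openpgp-keys-gnutls-20231129`, but this commit only changes files under net-libs/gnutls, so it is not visible whether the overlay carries that key package version. If it does not, builds with USE=verify-sig cannot resolve the dependency. If verify-sig is left off, the Manifest hashes are the only integrity check on gnutls-3.8.3.tar.xz. Since this is the security-relevant part of the bump, I would confirm the key package is present and note the reason for the bump in a comment above the line, e.g. `# 3.8.3 release signature needs the 20231129 key bundle` (presumably a changed signing key; verify against upstream). `src_prepare` continues past the end of this hunk.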
@@ -92,24 +100,20 @@
 	#   complains about duplicate symbols
 	[[ ${CHOST} == *-darwin* ]] && libconf+=( --disable-hardware-acceleration )
 
-	# Cygwin as does not understand these asm files at all
-	[[ ${CHOST} == *-cygwin* ]] && libconf+=( --disable-hardware-acceleration )
-
 	# -fanalyzer substantially slows down the build and isn't useful for
 	# us. It's useful for upstream as it's static analysis, but it's not
 	# useful when just getting something built.
 	export gl_cv_warn_c__fanalyzer=no
 
 	local myeconfargs=(
+		--disable-valgrind-tests
 		$(multilib_native_enable manpages)
 		$(multilib_native_use_enable doc gtk-doc)
 		$(multilib_native_use_enable doc)
-		$(multilib_native_use_enable guile)
 		$(multilib_native_use_enable seccomp seccomp-tests)
 		$(multilib_native_use_enable test tests)
 		$(multilib_native_use_enable test-full full-test-suite)
 		$(multilib_native_use_enable tools)
-		$(multilib_native_use_enable valgrind valgrind-tests)
 		$(use_enable cxx)
 		$(use_enable dane libdane)
 		$(use_enable nls)
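Review bot: `--disable-valgrind-tests` is now hard-coded at the top of `myeconfargs`, while every other test switch in the array is still driven by a USE flag, and nothing says why. A short comment would stop a later sync from reintroducing the conditional form, e.g. `# valgrind USE flag was dropped; never run the test suite under valgrind`. The array and the enclosing configure function start and end outside this hunk.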
@@ -142,4 +146,3 @@
 		dodoc doc/examples/*.c
 	fi
 }
-
diff --git a/net-libs/gnutls/metadata.xml b/net-libs/gnutls/metadata.xml
index 8a72ba7..85a1b40 100644
--- a/net-libs/gnutls/metadata.xml
+++ b/net-libs/gnutls/metadata.xml
@@ -5,9 +5,6 @@
 		<email>base-system@gentoo.org</email>
 	</maintainer>
 	<use>
-		<flag name="brotli">
-			Enable brotli decompression support via <pkg>app-arch/brotli</pkg>
-		</flag>
 		<flag name="dane">
 			Build libgnutls-dane, implementing DNS-based Authentication of
 			Named Entities. Requires <pkg>net-dns/unbound</pkg>
@@ -33,9 +30,6 @@
 		<flag name="test-full">
 			Enable full test mode
 		</flag>
-		<flag name="valgrind">
-			Enable usage of <pkg>dev-util/valgrind</pkg> in debug
-		</flag>
 	</use>
 	<slots>
 		<subslots>Reflect ABI compatibility of libgnutls.so</subslots>