libgcrypt: 1.8.2 -> 1.8.3 #42044

Closed

@andir andir commented Jun 14, 2018

Motivation for this change

From the changelog:

  • Use blinding for ECDSA signing to mitigate a novel side-channel
    attack. [CVE-2018-0495]

  • Fix incorrect counter overflow handling for GCM when using an IV
    size other than 96 bit.

  • Fix incorrect output of AES-keywrap mode for in-place encryption
    on some platforms.

  • Fix the gcry_mpi_ec_curve_point point validation function.

  • Fix rare assertion failure in gcry_prime_check.

Release info at https://dev.gnupg.org/T4016.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

From the changelog:

   - Use blinding for ECDSA signing to mitigate a novel side-channel
     attack.  [NixOS#4011,CVE-2018-0495]

   - Fix incorrect counter overflow handling for GCM when using an IV
     size other than 96 bit.  [NixOS#3764]

   - Fix incorrect output of AES-keywrap mode for in-place encryption
     on some platforms.

   - Fix the gcry_mpi_ec_curve_point point validation function.

   - Fix rare assertion failure in gcry_prime_check.

   Release info at <https://dev.gnupg.org/T4016>.

andir commented Jun 14, 2018

@GrahamcOfBorg build libgcrypt

@GrahamcOfBorg

Success on x86_64-linux

Attempted: libgcrypt

Partial log:

strip is /nix/store/21ymadblbmsbb2bk4q7gl4kjasp8zmgd-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/passbhkkwn20vkfsr2b9g5ks4zdkwlp9-libgcrypt-1.8.3-dev/bin
patching script interpreter paths in /nix/store/passbhkkwn20vkfsr2b9g5ks4zdkwlp9-libgcrypt-1.8.3-dev
/nix/store/passbhkkwn20vkfsr2b9g5ks4zdkwlp9-libgcrypt-1.8.3-dev/bin/libgcrypt-config: interpreter directive changed from "/bin/sh" to "/nix/store/qckzjk3406va7h6s40cy9s75z2w715rq-bash-4.4-p19/bin/sh"
checking for references to /build in /nix/store/passbhkkwn20vkfsr2b9g5ks4zdkwlp9-libgcrypt-1.8.3-dev...
shrinking RPATHs of ELF executables and libraries in /nix/store/051qrcbrg2kp8vvknll1hqz4ds2r4jnv-libgcrypt-1.8.3-info
strip is /nix/store/21ymadblbmsbb2bk4q7gl4kjasp8zmgd-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/051qrcbrg2kp8vvknll1hqz4ds2r4jnv-libgcrypt-1.8.3-info
checking for references to /build in /nix/store/051qrcbrg2kp8vvknll1hqz4ds2r4jnv-libgcrypt-1.8.3-info...
/nix/store/l8rkxbya80bcipvr7bww6db6ssci7dz6-libgcrypt-1.8.3

@GrahamcOfBorg

Failure on x86_64-darwin

Attempted: libgcrypt

Partial log:

make[2]: Entering directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/doc'
make[2]: Nothing to be done for 'check-am'.
make[2]: Leaving directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/doc'
make[1]: Leaving directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/doc'
Making check in tests
make[1]: Entering directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/tests'
make  check-TESTS
make[2]: Entering directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/tests'
building of '/nix/store/nh2r6x98v1v3w5sy24wgnjc41yq53y0s-libgcrypt-1.8.3.drv' timed out after 1800 seconds
error: build of '/nix/store/nh2r6x98v1v3w5sy24wgnjc41yq53y0s-libgcrypt-1.8.3.drv' failed

@GrahamcOfBorg

Success on x86_64-linux

Attempted: libgcrypt

Partial log:

/nix/store/l8rkxbya80bcipvr7bww6db6ssci7dz6-libgcrypt-1.8.3

@GrahamcOfBorg

Failure on x86_64-darwin

Attempted: libgcrypt

Partial log:

make[2]: Entering directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/doc'
make[2]: Nothing to be done for 'check-am'.
make[2]: Leaving directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/doc'
make[1]: Leaving directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/doc'
Making check in tests
make[1]: Entering directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/tests'
make  check-TESTS
make[2]: Entering directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/tests'
building of '/nix/store/nh2r6x98v1v3w5sy24wgnjc41yq53y0s-libgcrypt-1.8.3.drv' timed out after 1800 seconds
error: build of '/nix/store/nh2r6x98v1v3w5sy24wgnjc41yq53y0s-libgcrypt-1.8.3.drv' failed


andir commented Jun 14, 2018

@GrahamcOfBorg build libgcrypt

Trying to get a successful darwin build.

@NixOS/darwin-maintainers Could you try if this upgrade works on your machines?

I'd like to have this pushed out sooner than later to fix a side-channel attack on private ECDSA keys.

@GrahamcOfBorg

Success on x86_64-linux

Attempted: libgcrypt

Partial log:

/nix/store/l8rkxbya80bcipvr7bww6db6ssci7dz6-libgcrypt-1.8.3

@GrahamcOfBorg

Success on aarch64-linux

Attempted: libgcrypt

Partial log:

strip is /nix/store/3c42aixy417vmgs0h5yl5806zx81qz8y-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/86ylz2yk61q3djwpv7kg3ykymbf5vpp0-libgcrypt-1.8.3-dev/bin
patching script interpreter paths in /nix/store/86ylz2yk61q3djwpv7kg3ykymbf5vpp0-libgcrypt-1.8.3-dev
/nix/store/86ylz2yk61q3djwpv7kg3ykymbf5vpp0-libgcrypt-1.8.3-dev/bin/libgcrypt-config: interpreter directive changed from "/bin/sh" to "/nix/store/bkjfiwh7v0gbxfrynvm9xzj2h0xid604-bash-4.4-p19/bin/sh"
checking for references to /build in /nix/store/86ylz2yk61q3djwpv7kg3ykymbf5vpp0-libgcrypt-1.8.3-dev...
shrinking RPATHs of ELF executables and libraries in /nix/store/iajzkrn8nimr2j03wmph7yq6ya00qvyf-libgcrypt-1.8.3-info
strip is /nix/store/3c42aixy417vmgs0h5yl5806zx81qz8y-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/iajzkrn8nimr2j03wmph7yq6ya00qvyf-libgcrypt-1.8.3-info
checking for references to /build in /nix/store/iajzkrn8nimr2j03wmph7yq6ya00qvyf-libgcrypt-1.8.3-info...
/nix/store/km9x4kb9q67rnmniy0dsry90d908k2h4-libgcrypt-1.8.3

@GrahamcOfBorg

Success on aarch64-linux

Attempted: libgcrypt

Partial log:

these derivations will be built:
  /nix/store/pq99bf7r2rb3x4x0ww86vhwqjg0sysxn-gettext-0.19.8.drv
  /nix/store/h7qy0g27nykdldk57qmgy7pdckyhxmns-libgpg-error-1.28.drv
  /nix/store/k8l0461xflw5lxx46skr1my77b6pwvs4-libgcrypt-1.8.3.drv
waiting for locks or build slots...
/nix/store/km9x4kb9q67rnmniy0dsry90d908k2h4-libgcrypt-1.8.3

@GrahamcOfBorg

Success on aarch64-linux

Attempted: libgcrypt

Partial log:

  /nix/store/s0nm796spxc107i25m7rp3dxh263160v-gnutar-1.30.drv
  /nix/store/si9bl522y9r25j8h6mln90p87yd151gf-patchelf-0.9.drv
  /nix/store/xzl8jvq2h7vizc701jf2yrxbyh9qw7vb-patch-2.7.6.drv
  /nix/store/yk4zyzws8bgfsrksz7wzr4al8v6rvs30-gnused-4.5.drv
  /nix/store/gnsmrq9kqgcf0pxq0qpyvnnzkz4p59v7-stdenv-linux.drv
  /nix/store/pq99bf7r2rb3x4x0ww86vhwqjg0sysxn-gettext-0.19.8.drv
  /nix/store/h7qy0g27nykdldk57qmgy7pdckyhxmns-libgpg-error-1.28.drv
  /nix/store/k8l0461xflw5lxx46skr1my77b6pwvs4-libgcrypt-1.8.3.drv
waiting for locks or build slots...
/nix/store/km9x4kb9q67rnmniy0dsry90d908k2h4-libgcrypt-1.8.3

@GrahamcOfBorg

Failure on x86_64-darwin

Attempted: libgcrypt

Partial log:

make[2]: Entering directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/doc'
make[2]: Nothing to be done for 'check-am'.
make[2]: Leaving directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/doc'
make[1]: Leaving directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/doc'
Making check in tests
make[1]: Entering directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/tests'
make  check-TESTS
make[2]: Entering directory '/private/tmp/nix-build-libgcrypt-1.8.3.drv-0/libgcrypt-1.8.3/tests'
building of '/nix/store/nh2r6x98v1v3w5sy24wgnjc41yq53y0s-libgcrypt-1.8.3.drv' timed out after 1800 seconds
error: build of '/nix/store/nh2r6x98v1v3w5sy24wgnjc41yq53y0s-libgcrypt-1.8.3.drv' failed

@LnL7 LnL7 left a comment

The tests seem to hang for some reason. 😕

@lukateras
Member

Merged in a0b2ce5.

@lukateras lukateras closed this Jun 15, 2018
@andir andir deleted the libgcrypt branch June 15, 2018 07:03
@copumpkin
Member

With this many rebuilds, it would've been better to send to staging

@copumpkin
Member

Oh I see, @yegortimoshenko already did that. @andir just take my comment for future reference for you then 😄

@lukateras
Member

@vcunat pulled it into master, though (b6b6786), so it didn't matter at the end. This is a security-sensitive update, so makes sense.

@vcunat
Member

vcunat commented Jun 15, 2018

15k rebuilds? I thought it was less. Perhaps I ran the script wrongly locally? Hmm, no, I just remembered incorrectly.
