Bug 207107 - security/libgcrypt: Update to 1.6.5 with security fix
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Carlos J. Puga Medina
URL:
Keywords: patch, patch-ready
Depends on:
Blocks: 207042
Reported: 2016-02-11 13:40 UTC by Carlos J. Puga Medina
Modified: 2016-02-16 13:36 UTC (History)

See Also:
cpm: merge-quarterly+


Attachments
v0 (2.96 KB, patch)
2016-02-11 13:40 UTC, Carlos J. Puga Medina
cpm: maintainer-approval+
v1 (5.75 KB, patch)
2016-02-15 23:19 UTC, Carlos J. Puga Medina
cpm: maintainer-approval+

Description Carlos J. Puga Medina freebsd_committer 2016-02-11 13:40:21 UTC
Created attachment 166867 [details]
v0

- Update libgcrypt to 1.6.5
- Change LICENSE since support has been added for "or later" variants of GNU licenses.

Changes:
https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html
Comment 1 Carlos J. Puga Medina freebsd_committer 2016-02-11 13:45:34 UTC
patch-cipher_Makefile.in was re-added to fix bug 207042.
Comment 2 Jason Unovitch freebsd_committer 2016-02-13 22:59:08 UTC
1. When we re-add a file we deleted before, it would be copied in a manner similar to re-adding a deleted port [1].  Just copy it from just before the revision in which it was deleted (your commit r408514):

svn cp 'svn+ssh://repo.freebsd.org/ports/head/security/libgcrypt/files/patch-cipher-Makefile.in@408513' files/patch-cipher_Makefile.in

M       Makefile
M       distinfo
A  +    files/patch-cipher_Makefile.in
M       pkg-plist

[1] https://www.FreeBSD.org/doc/en_US.ISO8859-1/articles/committers-guide/ports.html#ports-qa-re-adding

2. I noticed the patch had the keywords 'svn:keywords FreeBSD=%H' in the diff.  This is what expands the $FreeBSD$ in Makefiles but is not needed on patches.  The auto-props.txt file described in "5.3.7. Adding and Removing Files" of the Subversion primer [2] shows where the ports-specific auto-prop file is located and describes how to configure it.

[2] https://www.FreeBSD.org/doc/en_US.ISO8859-1/articles/committers-guide/subversion-primer.html

3. Given the "Mitigate side-channel attack on ECDH with Weierstrass curves [CVE-2015-7511].  See http://www.cs.tau.ac.IL/~tromer/ecdh/ for details.", we'll need to add a VuXML entry here too and MFH the batch of changes when we're done.  Take a look at the Porter's Handbook on VuXML [3] and the "QUICK GUIDE TO ADDING A NEW ENTRY" in the security/vuxml/vuln.xml file.  Take a go at the entry and add the patch for the PR for review.

[3] https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/security-notify.html

Thanks!
Comment 3 Carlos J. Puga Medina freebsd_committer 2016-02-15 23:19:08 UTC
Created attachment 167055 [details]
v1
Comment 4 Jason Unovitch freebsd_committer 2016-02-16 01:03:11 UTC
(In reply to Carlos J. Puga Medina from comment #3)
Can you add a patch for security/vuxml/vuln.xml for the CVE-2015-7511 comment mentioned in 3 above?
Comment 5 Jason Unovitch freebsd_committer 2016-02-16 01:04:30 UTC
(In reply to Carlos J. Puga Medina from comment #3)
Your `svn status` in your local repo should show:
M       Makefile
M       distinfo
A  +    files/patch-cipher_Makefile.in
D       files/patch-cipher_salsa20.c
M       pkg-plist

The 'A  +' reflects the restoration of the previous files/patch-cipher_Makefile.in from before.
Comment 6 Carlos J. Puga Medina freebsd_committer 2016-02-16 01:34:58 UTC
(In reply to Jason Unovitch from comment #4)

Sure! I'm on it.
Comment 7 Carlos J. Puga Medina freebsd_committer 2016-02-16 02:13:45 UTC
Index: security/vuxml/vuln.xml
===================================================================
--- security/vuxml/vuln.xml	(revision 408968)
+++ security/vuxml/vuln.xml	(working copy)
@@ -57,6 +57,32 @@
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="95b92e3b-d451-11e5-9794-e8e0b747a45a">
+    <topic>libgcrypt -- side-channel attack on ECDH</topic>
+    <affects>
+      <package>
+	<name>libgcrypt</name>
+	<range><lt>1.6.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>GnuPG reports:</p>
+	<blockquote cite="https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html">
+	  <p>Mitigate side-channel attack on ECDH with Weierstrass curves.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-7511</cvename>
+      <url>https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html</url>
+    </references>
+    <dates>
+      <discovery>2016-02-09</discovery>
+      <entry>2016-02-16</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="f1bf28c5-d447-11e5-b2bd-002590263bf5">
     <topic>xdelta3 -- buffer overflow vulnerability</topic>
     <affects>
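Review bot: the affected range at `<range><lt>1.6.4</lt></range>` does not match the fix this PR ships. The port is being updated to 1.6.5 to pick up the CVE-2015-7511 mitigation, and VuXML's `<lt>` means "strictly below", so with 1.6.4 as the bound the last vulnerable release (1.6.4 itself) would be reported as unaffected; the tag should read `<range><lt>1.6.5</lt></range>`. The rest of the entry (vid, cvename, announcement URL, discovery and entry dates) is consistent with the announcement linked in the description.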
Comment 8 Carlos J. Puga Medina freebsd_committer 2016-02-16 02:15:15 UTC
(In reply to Jason Unovitch from comment #5)

`svn status` output:
M       security/libgcrypt/Makefile
M       security/libgcrypt/distinfo
A  +    security/libgcrypt/files/patch-cipher-Makefile.in
D       security/libgcrypt/files/patch-cipher_salsa20.c
M       security/libgcrypt/pkg-plist
M       security/vuxml/vuln.xml
Comment 9 Carlos J. Puga Medina freebsd_committer 2016-02-16 02:19:21 UTC
Poudriere testports build fine on 9.3a, 9.3i, 10.2a and 10.2i.
Comment 10 Jason Unovitch freebsd_committer 2016-02-16 02:27:04 UTC
(In reply to Carlos J. Puga Medina from comment #7)

It's less than for the <lt> tags, so it must be 1.6.5 between the tags.  I can confirm `make validate` passes and the content other than the version is good.  Approved once the version is fixed.

VuXML would be approved with something like this:

Document libgcrypt side-channel attach on ECDH

PR:		207107
Security:	CVE-2015-7511
Security:	https://vuxml.FreeBSD.org/freebsd/95b92e3b-d451-11e5-9794-e8e0b747a45a.html
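The `<lt>` semantics discussed above are easy to get wrong by one release. The following is an added example, not part of the FreeBSD vuxml tooling or of `make validate`: a small Python check that parses a `<vuln>` entry and verifies that every `<lt>` bound for the named package equals the version that ships the fix, flagging bounds that are too low (last vulnerable release left unflagged) or too high (patched releases reported as vulnerable). The sample entry is constructed from the one posted in comment 7; version comparison assumes plain dotted numeric versions (no PORTEPOCH or PORTREVISION suffixes), which is an assumption of this example.

```python
"""Check a VuXML <vuln> entry's <lt> bounds against the version that ships the fix.

Added example; not part of the FreeBSD ports tree or its vuxml tooling.
Assumes plain dotted numeric versions (e.g. "1.6.5"), no PORTEPOCH/PORTREVISION.
"""
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample: the entry as posted in comment 7, with the too-low <lt>.
SAMPLE_VULN_XML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="95b92e3b-d451-11e5-9794-e8e0b747a45a">
    <topic>libgcrypt -- side-channel attack on ECDH</topic>
    <affects>
      <package>
        <name>libgcrypt</name>
        <range><lt>1.6.4</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2015-7511</cvename>
    </references>
  </vuln>
</vuxml>"""


def parse_version(text):
    """Turn '1.6.4' into (1, 6, 4) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def check_entry(xml_text, package, fixed_version):
    """Return a list of human-readable problems for entries affecting `package`.

    VuXML <lt>X</lt> means 'versions strictly below X are vulnerable'. If the
    fix ships in `fixed_version`, the bound must equal it: a lower bound leaves
    releases in [bound, fixed) unflagged, a higher bound flags patched releases.
    """
    root = ET.fromstring(xml_text)
    fixed = parse_version(fixed_version)
    problems = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid", "<missing vid>")
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = [n.text.strip() for n in pkg.findall("v:name", NS)]
            if package not in names:
                continue
            for lt in pkg.findall("v:range/v:lt", NS):
                bound_text = lt.text.strip()
                bound = parse_version(bound_text)
                if bound < fixed:
                    problems.append(
                        f"{vid}: <lt>{bound_text}</lt> is below the fixed version "
                        f"{fixed_version}; releases in [{bound_text}, {fixed_version}) "
                        f"are vulnerable but not flagged"
                    )
                elif bound > fixed:
                    problems.append(
                        f"{vid}: <lt>{bound_text}</lt> is above the fixed version "
                        f"{fixed_version}; patched releases would be reported vulnerable"
                    )
        # Catch a malformed CVE identifier while we are here.
        for cve in vuln.findall("v:references/v:cvename", NS):
            if not CVE_RE.match(cve.text.strip()):
                problems.append(f"{vid}: malformed CVE name {cve.text.strip()!r}")
    return problems


if __name__ == "__main__":
    for problem in check_entry(SAMPLE_VULN_XML, "libgcrypt", "1.6.5"):
        print(problem)
    corrected = SAMPLE_VULN_XML.replace("<lt>1.6.4</lt>", "<lt>1.6.5</lt>")
    print("corrected entry problems:", check_entry(corrected, "libgcrypt", "1.6.5"))
```

Run against the sample it reports the off-by-one-release bound; after replacing the bound with the fixed version (1.6.5) it reports nothing. This complements rather than replaces `make validate`, which checks the schema but cannot know which version carries the fix.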
Comment 11 Carlos J. Puga Medina freebsd_committer 2016-02-16 02:29:09 UTC
(In reply to Jason Unovitch from comment #10)

Oops! Thanks for your review, Jason :)
Comment 12 Jason Unovitch freebsd_committer 2016-02-16 02:30:07 UTC
(In reply to Carlos J. Puga Medina from comment #9)

Builds are good.

Portlint is good.

Runtime from Tobias in bug 207042 comment 8 is good.

If your SVN status reflects the comment 8 here then this is approved.  Please use the commit message we agreed upon in the earlier email and fill out the VuXML URL reference like shown in comment 10.
Comment 13 Jason Unovitch freebsd_committer 2016-02-16 02:31:04 UTC
(In reply to Jason Unovitch from comment #10)

"attach" to "attack".  Sorry about the spelling in the example.
Comment 14 commit-hook freebsd_committer 2016-02-16 02:40:47 UTC
A commit references this bug:

Author: cpm
Date: Tue Feb 16 02:40:27 UTC 2016
New revision: 408971
URL: https://svnweb.freebsd.org/changeset/ports/408971

Log:
  Document libgcrypt side-channel attack on ECDH

  PR:		207107
  Security:	CVE-2015-7511
  Security:	https://vuxml.FreeBSD.org/freebsd/95b92e3b-d451-11e5-9794-e8e0b747a45a.html

Changes:
  head/security/vuxml/vuln.xml
Comment 15 commit-hook freebsd_committer 2016-02-16 02:53:49 UTC
A commit references this bug:

Author: cpm
Date: Tue Feb 16 02:52:56 UTC 2016
New revision: 408972
URL: https://svnweb.freebsd.org/changeset/ports/408972

Log:
  - Update libgcrypt to 1.6.5
  - Change LICENSE since support has been added for "or later" variants of GNU licenses.
  - Remove needless patch-cipher_salsa20.c

  Changes:
    https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html

  PR:		207107
  Approved by:	junovitch (mentor)

Changes:
  head/security/libgcrypt/Makefile
  head/security/libgcrypt/distinfo
  head/security/libgcrypt/files/patch-cipher-Makefile.in
  head/security/libgcrypt/files/patch-cipher_salsa20.c
  head/security/libgcrypt/pkg-plist
Comment 16 Jason Unovitch freebsd_committer 2016-02-16 03:13:56 UTC
Open and set merge-quarterly? until the MFH approval is done.
Comment 17 commit-hook freebsd_committer 2016-02-16 13:29:46 UTC
A commit references this bug:

Author: cpm
Date: Tue Feb 16 13:29:13 UTC 2016
New revision: 408993
URL: https://svnweb.freebsd.org/changeset/ports/408993

Log:
  MFH: r408972

  - Update libgcrypt to 1.6.5
  - Change LICENSE since support has been added for "or later" variants of GNU licenses.
  - Remove needless patch-cipher_salsa20.c

  Changes:
    https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html

  PR:		207107
  Approved by:	junovitch (mentor)

  Security: 	CVE-2015-7511
  Security: 	https://vuxml.FreeBSD.org/freebsd/95b92e3b-d451-11e5-9794-e8e0b747a45a.html
  Approved by:	ports-secteam (eadler)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/security/libgcrypt/Makefile
  branches/2016Q1/security/libgcrypt/distinfo
  branches/2016Q1/security/libgcrypt/files/patch-cipher-Makefile.in
  branches/2016Q1/security/libgcrypt/files/patch-cipher_salsa20.c
  branches/2016Q1/security/libgcrypt/pkg-plist