# GNUTLS Security Alert.

## CrankyPenguin

 *Quote:*   

> EDIT: Per Kh's post below this has been patched into the main trunk via the stable net-libs/gnutls-2.12.23-r4

 

According to recent news and a security advisory, GnuTLS — one of the core TLS/SSL libraries on Linux — has a certificate-verification flaw comparable to the recent Apple certificate-checking hole: a malformed or specially crafted X.509 certificate can be accepted as valid, so an attacker who can interpose on a connection can impersonate a server to any client or service built against the vulnerable library.

http://readwrite.com/2014/03/05/gnutls-bug-linux-security-flaw-leaves-users-vulnerable-hacks

 Users are advised to update to version 3.2.12 or later. A bug has been reported against 3.2.12 (https://bugs.gentoo.org/show_bug.cgi?id=503460), but 3.2.12.1 passes the test suite, at least on my system.  

At the time of writing the fixed version is not in Portage, but you can copy the 3.2.11 ebuild into a local overlay under the name gnutls-3.2.12.1.ebuild and build from that; the ebuild is reproduced below. If you have never used a local overlay, create the directory /usr/local/portage/net-libs/gnutls/ (and make sure /usr/local/portage is listed in PORTDIR_OVERLAY in /etc/portage/make.conf), save the file below there as gnutls-3.2.12.1.ebuild, and then run:

```
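# `ebuild` takes the path to the ebuild file as its first argument; a bare
# `ebuild digest` fails with a usage error. This writes the Manifest entry
# (size + checksums) for the fetched tarball into the overlay directory.
ebuild /usr/local/portage/net-libs/gnutls/gnutls-3.2.12.1.ebuild digest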
```

to generate the Manifest entry (digests) that Portage requires before it will build the ebuild. Be aware that this step only records checksums of whatever tarball was just fetched — over plain FTP, per SRC_URI — and verifies nothing against upstream. Check the downloaded tarball against the GnuTLS release signature before trusting the generated Manifest; otherwise you are installing a TLS library whose provenance nobody has checked.  

```

# Copyright 1999-2014 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

# Header: /var/cvsroot/gentoo-x86/net-libs/gnutls/gnutls-3.2.12.1.ebuild,v 1.4 2014/02/17 09:35:44 alonbl Exp $

# Phase functions below (src_prepare/src_configure/src_test/src_install)
# follow the EAPI 5 conventions.
EAPI=5

# Eclasses used below: autotools (eautoreconf), libtool (elibtoolize),
# eutils (epatch_user, epunt_cxx) and versionator (get_version_component_range).
inherit autotools libtool eutils versionator

DESCRIPTION="A TLS 1.2 and SSL 3.0 implementation for the GNU project"

HOMEPAGE="http://www.gnutls.org/"

# The v<major>.<minor>/ directory is derived from ${PV}, so renaming this
# ebuild to 3.2.12.1 makes it fetch v3.2/gnutls-3.2.12.1.tar.xz.
# NOTE(review): plain FTP authenticates nothing. The only integrity check is
# the Manifest digest, and `ebuild ... digest` simply records whatever was
# downloaded — verify the tarball against upstream's release signature
# before generating the Manifest.
SRC_URI="ftp://ftp.gnutls.org/gcrypt/gnutls/v$(get_version_component_range 1-2)/${P}.tar.xz"

# LGPL-3 for libgnutls library and GPL-3 for libgnutls-extra library.

# soon to be relicensed as LGPL-2.1 unless heartbeat extension enabled.

LICENSE="GPL-3 LGPL-3"

SLOT="0"

# Every keyword is ~arch (testing): installing this revision needs an entry
# in package.accept_keywords.
KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris"

# Translation codes. The leading space is deliberate: the substitution in
# IUSE below rewrites every " " as " linguas_", so it also prefixes "en".
IUSE_LINGUAS=" en cs de fi fr it ms nl pl sv uk vi zh_CN"

# ${IUSE_LINGUAS// / linguas_} expands to " linguas_en linguas_cs ...", i.e.
# one linguas_<xx> USE flag per entry above.
IUSE="+cxx +crywrap dane doc examples guile nls pkcs11 static-libs test zlib ${IUSE_LINGUAS// / linguas_}"

# heartbeat support is not disabled until re-licensing happens fully
# (src_configure passes --enable-heartbeat-support unconditionally).

# NOTICE: sys-devel/autogen is required at runtime as we

# use system libopts

# Runtime dependencies. The USE-conditional entries mirror the
# --enable/--with switches passed in src_configure.
RDEPEND=">=dev-libs/libtasn1-2.14

   >=dev-libs/nettle-2.7[gmp]

   dev-libs/gmp

   sys-devel/autogen

   crywrap? ( net-dns/libidn )

   dane? ( net-dns/unbound )

   guile? ( >=dev-scheme/guile-1.8[networking] )

   nls? ( virtual/libintl )

   pkcs11? ( >=app-crypt/p11-kit-0.19.2 )

   zlib? ( >=sys-libs/zlib-1.2.3.1 )"

# Build-time additions on top of RDEPEND. datefudge is presumably used by
# the test suite to fake the clock for certificate-validity checks — TODO confirm.
DEPEND="${RDEPEND}

   >=sys-devel/automake-1.11.6

   virtual/pkgconfig

   doc? ( dev-util/gtk-doc )

   nls? ( sys-devel/gettext )

   test? ( app-misc/datefudge )"

# Installed by the `default` src_install implementation (see below).
DOCS=( AUTHORS ChangeLog NEWS README THANKS doc/TODO )

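src_prepare() {
   # tests/suite is not shipped in the release tarball, so drop it from
   # AC_CONFIG_FILES or config.status will fail on the missing Makefile.in.
   # NOTE: the address must use sed's "\:RE:" delimiter form. A bare
   # ':RE:d' is parsed by sed as a *label* definition and silently does
   # nothing, leaving the offending line in configure.ac.
   # Also strip -Werror from AM_INIT_AUTOMAKE so automake warnings do not
   # abort eautoreconf.
   sed -i \
      -e '\:AC_CONFIG_FILES(\[tests/suite/Makefile\]):d' \
      -e '/^AM_INIT_AUTOMAKE/s/-Werror//' \
      configure.ac || die "sed configure.ac failed"

   # Install the manual's images next to the HTML docs rather than under info/.
   sed -i \
      -e 's/imagesdir = $(infodir)/imagesdir = $(htmldir)/' \
      doc/Makefile.am || die "sed doc/Makefile.am failed"

   # Force regeneration of the AutoGen-ed sources by removing the shipped
   # .c/.h pairs (sys-devel/autogen is in RDEPEND for this reason).
   local file base
   for file in src/*.c ; do
      [[ -e ${file} ]] || continue
      grep -q AutoGen-ed -- "${file}" || continue
      base=${file##*/}
      base=${base%.c}
      rm -- "src/${base}.c" "src/${base}.h" || die "removing src/${base}.{c,h} failed"
   done

   # support user patches
   epatch_user

   eautoreconf

   # Use sane .so versioning on FreeBSD.
   elibtoolize

   # bug 497472: drop the C++ checks from configure when USE=cxx is off
   use cxx || epunt_cxx
}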

src_configure() {
   # gettext ships the English catalogues as en@boldquot/en@quot, so map a
   # requested "en" onto both variants.
   # NOTE(review): this is a plain substring replace; only "en" itself in
   # IUSE_LINGUAS contains "en", but a user-supplied LINGUAS entry such as
   # en_GB would be rewritten as well.
   LINGUAS="${LINGUAS//en/en@boldquot en@quot}"

   # --enable-heartbeat-support: the TLS heartbeat extension is switched on
   # unconditionally (see the licensing note at the top). It is extra
   # protocol surface that most deployments never use — consider turning it
   # off if nothing on the box relies on it.
   # --without-tpm: TPM support needs to be tested before being enabled.
   local -a myconf=(
      --htmldir="${EPREFIX}/usr/share/doc/${PF}/html"
      --disable-valgrind-tests
      --enable-heartbeat-support
      $(use_enable cxx)
      $(use_enable dane libdane)
      $(use_enable doc gtk-doc)
      $(use_enable doc gtk-doc-pdf)
      $(use_enable guile)
      $(use_enable crywrap)
      $(use_enable nls)
      $(use_enable static-libs static)
      $(use_with pkcs11 p11-kit)
      $(use_with zlib)
      --without-tpm
   )

   # Hardware acceleration is disabled on OSX: the asm files force GNU-stack
   # (which the Apple assembler does not support) and removing that makes ld
   # complain about duplicate symbols.
   [[ ${CHOST} == *-darwin* ]] && myconf+=( --disable-hardware-acceleration )

   econf "${myconf[@]}"
}

src_test() {
   # The upstream test suite is not parallel-safe; force a serial run
   # regardless of MAKEOPTS.
   emake check -j1
}

src_install() {
   # Standard EAPI 5 install (make install + DOCS).
   default

   # The certtool configuration template is always worth having around.
   dodoc doc/certtool.cfg

   # Libtool archives are not wanted in the installed image.
   find "${ED}" -name '*.la' -delete

   if use doc; then
      dodoc doc/gnutls.pdf
      dohtml doc/gnutls.html
   fi

   # Example programs go under a separate doc subdirectory.
   if ! use examples; then
      return 0
   fi
   docinto examples
   dodoc doc/examples/*.c
}

```

EDIT: The GnuTLS site (www.gnutls.org) appears to be offline for the moment.

----------

## khayyam

 *CrankyPenguin wrote:*   

> For the present the updated form is not in portage but it is possible to modify the 3.2.11 ebuild by name to 3.2.12.1.ebuild and install it in /usr/local/portage/ and build.

 

CrankyPenguin ... this isn't correct: gnutls-3* isn't being stabilised; the fix is going into the tree as =net-libs/gnutls-2.12.23-r4 — see bugs #503394 and #501282. (Note that the ChangeLog entry below names only CVE-2014-1959 and bug #501282, which looks like a separate, earlier certificate issue; bug #503394 is the one to check to confirm that the verification flaw this thread is about is covered by -r4 before treating it as closed.)

```
# equery c net-libs/gnutls

*gnutls-2.12.23-r4 (04 Mar 2014)

  04 Mar 2014; Alon Bar-Lev <alonbl@gentoo.org>

  +files/gnutls-2.12.23-CVE-2014-1959.patch, +gnutls-2.12.23-r4.ebuild,

  -gnutls-2.12.23-r2.ebuild, -gnutls-2.12.23-r3.ebuild:

  Fix CVE-2014-1959, bug#501282
```

So, although -r4 is not yet stabilised on every arch, you can pull it in now by adding the following to package.accept_keywords (pin the exact version rather than unmasking the whole package) ...

```
=net-libs/gnutls-2.12.23-r4
```

best ... khay

----------

## mrbassie

 *khayyam wrote:*   

>  *CrankyPenguin wrote:*   For the present the updated form is not in portage but it is possible to modify the 3.2.11 ebuild by name to 3.2.12.1.ebuild and install it in /usr/local/portage/ and build. 
> 
> CrankyPenguin ... this isn't correct, gnutls-3* isn't being stabilised, its =net-libs/gnutls-2.12.23-r4 ... see bugs #503394 and #501282.
> 
> ```
> ...

 

So is this fixed already?

=net-libs/gnutls-2.12.23-r4 came through today on both of my machines (x86 and x86_64).

----------

## CrankyPenguin

Didn't find those notices in my search.  Thanks K.

----------

