From 3abaca2aaed87927b18d80381fe64897ac889f8c Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Sun, 13 Jun 2021 20:03:29 -0400
Subject: gnu: nettle-3.5: Add replacement to fix CVE-2021-3580 et al.
* gnu/packages/patches/nettle-3.5-check-_pkcs1_sec_decrypt-msg-len.patch, gnu/packages/patches/nettle-3.5-CVE-2021-3580-pt1.patch, gnu/packages/patches/nettle-3.5-CVE-2021-3580-pt2.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/nettle.scm (nettle)[replacement]: New field. (nettle-3.5/fixed): New variable.
---
 gnu/packages/nettle.scm | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'gnu/packages/nettle.scm')
diff --git a/gnu/packages/nettle.scm b/gnu/packages/nettle.scm
index 753e2d6e7e..3d394dc746 100644
--- a/gnu/packages/nettle.scm
+++ b/gnu/packages/nettle.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès
-;;; Copyright © 2016 Mark H Weaver
+;;; Copyright © 2016, 2021 Mark H Weaver
 ;;; Copyright © 2017 Efraim Flashner
 ;;; Copyright © 2021 Maxim Cournoyer
 ;;;
@@ -25,6 +25,7 @@
 #:use-module (guix packages)
 #:use-module (guix download)
 #:use-module (guix build-system gnu)
+ #:use-module (gnu packages)
 #:use-module (gnu packages multiprecision)
 #:use-module (gnu packages m4))
@@ -77,6 +78,7 @@ themselves.")
 ;; cannot use it yet. So keep it separate.
 (package (inherit nettle-2)
 (version "3.5.1")
+ (replacement nettle-3.5/fixed)
 (source (origin
 (method url-fetch)
 (uri (string-append "mirror://gnu/nettle/nettle-"
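Review bot: The `(replacement nettle-3.5/fixed)` field added to the 3.5.1 package in hunk `@@ -77,6 +78,7 @@` has no comment recording that it is a security graft or what the graft depends on. A graft rewrites references in dependents that are already built, so it presumably does not reach packages that copied nettle code in at build time (for example through static linking), and it relies on the patched build keeping the 3.5.1 ABI; neither can be checked from this hunk. I would add above the field something like `;; Security graft for CVE-2021-3580; assumes the patches keep the 3.5.1 ABI, statically linked users need a rebuild.` The package form starts and ends outside the hunk.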
@@ -91,6 +93,13 @@ themselves.")
 ;; at run time based on CPU features (starting from 3.1.)
 `(cons "--enable-fat" ,flags))))))
+(define nettle-3.5/fixed
+ (package-with-extra-patches
+ nettle-3.5
+ (search-patches "nettle-3.5-check-_pkcs1_sec_decrypt-msg-len.patch"
+ "nettle-3.5-CVE-2021-3580-pt1.patch"
+ "nettle-3.5-CVE-2021-3580-pt2.patch")))
+
 (define-public nettle-3.7
 (package (inherit nettle-3.5)
 (version "3.7.2")
--
cgit v1.2.3
From 26ac7d024636bd495a2039d5cfd9777eebd4214e Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Sun, 13 Jun 2021 20:21:01 -0400
Subject: gnu: nettle-3.7: Update to 3.7.3 [fixes CVE-2021-3580].
* gnu/packages/nettle.scm (nettle-3.7): Update to 3.7.3.
---
 gnu/packages/nettle.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'gnu/packages/nettle.scm')
diff --git a/gnu/packages/nettle.scm b/gnu/packages/nettle.scm
index 3d394dc746..7f85f54fbf 100644
--- a/gnu/packages/nettle.scm
+++ b/gnu/packages/nettle.scm
@@ -102,14 +102,14 @@ themselves.")
 (define-public nettle-3.7
 (package (inherit nettle-3.5)
- (version "3.7.2")
+ (version "3.7.3")
 (source (origin
 (method url-fetch)
 (uri (string-append "mirror://gnu/nettle/nettle-"
 version ".tar.gz"))
 (sha256
 (base32
- "0qpi1qp3bcvqdsaxy2pzg530db95x8qjahkynxgwvr6dy5760ald"))))))
+ "1w5wwc3q0r97d2ifhx77cw7y8s20bm8x52is9j93p2h47yq5w7v6"))))))
 ;;; Upgrading Nettle on master would cause 10000+ packages to be rebuilt.
 (define-public nettle nettle-3.5)
--
cgit v1.2.3
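Review bot: The new `nettle-3.5/fixed` definition in the first commit's hunk `@@ -91,6 +93,13 @@` has no comment saying what each of its three patches fixes or where they were taken from. The first one, `nettle-3.5-check-_pkcs1_sec_decrypt-msg-len.patch`, carries no CVE id in its name, and the commit subject only says "CVE-2021-3580 et al."; the patch files themselves are outside this view, so their content cannot be checked here. A later maintainer reading nettle.scm cannot tell when the graft may be dropped, so I would add a header comment such as `;; Backported fixes: _pkcs1_sec_decrypt message-length check and CVE-2021-3580 (two parts); remove when nettle-3.5 is upgraded.`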