From 738a5321bcd89452f65df19057367ce004402693 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 4 Mar 2014 22:31:02 +0100 Subject: [PATCH] gnutls: Update to 3.2.12, 3.1.22 CVE-2014-0092 Unfortunately, 3.2.12 doesn't pass the tests with Guile bindings enabled, so I've turned them off in the default build.
--- pkgs/development/libraries/gnutls/2.12.nix | 1 + pkgs/development/libraries/gnutls/3.2.nix | 45 +++++++------------ pkgs/development/libraries/gnutls/default.nix | 30 +++++-------- pkgs/top-level/all-packages.nix | 15 ++++--- 4 files changed, 38 insertions(+), 53 deletions(-)
diff --git a/pkgs/development/libraries/gnutls/2.12.nix b/pkgs/development/libraries/gnutls/2.12.nix
index 59f0131b9d4d..4a1332a7f155 100644
--- a/pkgs/development/libraries/gnutls/2.12.nix
+++ b/pkgs/development/libraries/gnutls/2.12.nix
@@ -59,5 +59,6 @@ stdenv.mkDerivation rec { license = "LGPLv2.1+"; maintainers = [ ];
+ broken = true; # CVE-2014-0092 }; }
diff --git a/pkgs/development/libraries/gnutls/3.2.nix b/pkgs/development/libraries/gnutls/3.2.nix
index ad873b3eae85..e950e463a9b5 100644
--- a/pkgs/development/libraries/gnutls/3.2.nix
+++ b/pkgs/development/libraries/gnutls/3.2.nix
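Review bot: `broken = true; # CVE-2014-0092` records the advisory but not the decision, so a reader cannot tell whether the 2.12 series is waiting for a fix or being retired; the comment should say which, e.g. `broken = true; # CVE-2014-0092: not patched here, use gnutls31/gnutls32`. The all-packages.nix hunk of this same commit still defines `gnutls2` on top of this file and adds `gnutls2_with_guile`, so anything depending on them is now refused by the evaluator unless broken packages are allowed, rather than being pointed at a fixed series; the commit message does not mention that consequence.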
@@ -3,15 +3,22 @@ assert guileBindings -> guile != null;
-stdenv.mkDerivation (rec {
-
- name = "gnutls-3.2.10";
+stdenv.mkDerivation rec {
+ name = "gnutls-3.2.12"; src = fetchurl { url = "ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/${name}.tar.lz";
- sha256 = "1g1w93d66sz51977zbqd56641r501a1djcwhykbjm8alhyz1564h";
+ sha256 = "1zwk9qkxn3190nssyamd7jsb3ag6mnnln3jwbgmjs1w306dzwafi"; };
+ patches =
+ # FreeBSD doesn't have , and Gnulib's `alloca' module isn't used.
+ stdenv.lib.optional stdenv.isFreeBSD ./guile-gnulib-includes.patch
+ # multiple definitions of '_gnutls_x86_cpuid_s' cause linker to fail.
+ # the patch is: https://www.gitorious.org/gnutls/gnutls/commit/54768ca1cd9049bbd1c695696ef3c8595c6052db
+ # discussion: http://osdir.com/ml/gnutls-devel-gnu/2014-02/msg00012.html
+ ++ stdenv.lib.optional stdenv.isDarwin ./fix_gnutls_x86_cpuid_s_multi_definitions.patch;
+ # Note: GMP is a dependency of Nettle, whose public headers include # GMP headers, hence the hack. configurePhase = ''
@@ -21,15 +28,14 @@ stdenv.mkDerivation (rec { --with-lzo --with-libtasn1-prefix="${libtasn1}" \ --with-libnettle-prefix="${nettle}" \ CPPFLAGS="-I${gmp}/include" \
- ${if guileBindings
- then "--enable-guile --with-guile-site-dir=\"$out/share/guile/site\""
- else ""}
+ ${stdenv.lib.optionalString guileBindings
+ "--enable-guile --with-guile-site-dir=\"$out/share/guile/site\""} ''; # Build of the Guile bindings is not parallel-safe. See # # for the actual fix.
- enableParallelBuilding = false;
+ enableParallelBuilding = !guileBindings; buildInputs = [ zlib lzo lzip ] ++ stdenv.lib.optional guileBindings guile;
@@ -42,7 +48,7 @@ stdenv.mkDerivation (rec { # http://hydra.nixos.org/build/2962084/nixlog/1/raw . doCheck = (!stdenv.isFreeBSD && !stdenv.isDarwin);
- meta = with stdenv.lib; {
+ meta = { description = "The GNU Transport Layer Security Library"; longDescription = ''
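Review bot: The added FreeBSD comment above `stdenv.lib.optional stdenv.isFreeBSD ./guile-gnulib-includes.patch` is missing the header name between "have" and the comma, so as shown it reads as a broken sentence; the name was presumably written in angle brackets and lost somewhere in rendering, but the committed text should be checked. The rest of the sentence points at the alloca header, so if that is confirmed against the patch file the comment could read `# FreeBSD lacks the alloca header, and Gnulib's alloca module isn't used.` with no angle brackets to lose. The same comment is added to default.nix in this commit's first hunk there.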
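Review bot: `enableParallelBuilding = !guileBindings;` changes the behaviour that the comment directly above it describes, but that comment still says the build is simply not parallel-safe, and its reference between the two `#` marks is empty, so a reader has neither the new rule nor the pointer. Rewrite it next to the new line, e.g. `# Building the Guile bindings is not parallel-safe, so parallel building is enabled only when they are not built. See <URL of the upstream fix> for the actual fix.`, restoring the link that was dropped. The second hunk of default.nix makes the identical change and needs the same comment.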
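Review bot: `doCheck = (!stdenv.isFreeBSD && !stdenv.isDarwin);` still runs the test suite whenever Guile bindings are requested, although the commit message says 3.2.12 does not pass the tests with them enabled; the `gnutls_with_guile` attribute this commit adds in all-packages.nix overrides `guileBindings = true` on this very file, so it will presumably fail on exactly that unless the tests are gated, e.g. `doCheck = !stdenv.isFreeBSD && !stdenv.isDarwin && !guileBindings;`. Whether the failure is a defect in the bindings or a harness problem is not stated; since this is the release carrying the CVE-2014-0092 fix, the reason for skipping any tests belongs in a comment beside `doCheck` so the skip does not outlive it. This hunk starts inside the derivation, whose head is outside the hunk.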
@@ -61,25 +67,8 @@ stdenv.mkDerivation (rec { homepage = http://www.gnu.org/software/gnutls/; license = "LGPLv2.1+";
- maintainers = [ ];
- platforms = platforms.all;
+ maintainers = [ stdenv.lib.maintainers.eelco ];
+ platforms = stdenv.lib.platforms.all; }; }
-//
-
-(stdenv.lib.optionalAttrs stdenv.isFreeBSD {
- # FreeBSD doesn't have , and Gnulib's `alloca' module isn't used.
- patches = [ ./guile-gnulib-includes.patch ];
-})
-
-//
-
-(stdenv.lib.optionalAttrs stdenv.isDarwin {
- # multiple definitions of '_gnutls_x86_cpuid_s' cause linker to fail.
- # the patch is: https://www.gitorious.org/gnutls/gnutls/commit/54768ca1cd9049bbd1c695696ef3c8595c6052db
- # discussion: http://osdir.com/ml/gnutls-devel-gnu/2014-02/msg00012.html
- patches = [ ./fix_gnutls_x86_cpuid_s_multi_definitions.patch ];
-})
-
-)
diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix
index 8750dd568f75..1046310946a4 100644
--- a/pkgs/development/libraries/gnutls/default.nix
+++ b/pkgs/development/libraries/gnutls/default.nix
@@ -3,15 +3,17 @@ assert guileBindings -> guile != null;
-stdenv.mkDerivation (rec {
-
- name = "gnutls-3.1.20";
+stdenv.mkDerivation rec {
+ name = "gnutls-3.1.22"; src = fetchurl { url = "ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/${name}.tar.lz";
- sha256 = "1a8pzc29sn1kmbqvldljf4kmbz60pdk931dirk5jdd0qpf8fzd5x";
+ sha256 = "177kmq4jn67s7mmb249722nwxmbjwjpphmib7bhzfk43z02j3pvh"; };
+ # FreeBSD doesn't have , and Gnulib's `alloca' module isn't used.
+ patches = stdenv.lib.optional stdenv.isFreeBSD ./guile-gnulib-includes.patch;
+ # Note: GMP is a dependency of Nettle, whose public headers include # GMP headers, hence the hack. configurePhase = ''
@@ -21,15 +23,14 @@ stdenv.mkDerivation (rec { --with-lzo --with-libtasn1-prefix="${libtasn1}" \ --with-libnettle-prefix="${nettle}" \ CPPFLAGS="-I${gmp}/include" \
- ${if guileBindings
- then "--enable-guile --with-guile-site-dir=\"$out/share/guile/site\""
- else ""}
+ ${stdenv.lib.optionalString guileBindings
+ "--enable-guile --with-guile-site-dir=\"$out/share/guile/site\""} ''; # Build of the Guile bindings is not parallel-safe. See # # for the actual fix.
- enableParallelBuilding = false;
+ enableParallelBuilding = !guileBindings; buildInputs = [ zlib lzo lzip ] ++ stdenv.lib.optional guileBindings guile;
@@ -42,7 +43,7 @@ stdenv.mkDerivation (rec { # http://hydra.nixos.org/build/2962084/nixlog/1/raw . doCheck = (!stdenv.isFreeBSD && !stdenv.isDarwin);
- meta = with stdenv.lib; {
+ meta = { description = "The GNU Transport Layer Security Library"; longDescription = ''
@@ -61,13 +62,6 @@ stdenv.mkDerivation (rec { homepage = http://www.gnu.org/software/gnutls/; license = "LGPLv2.1+";
- maintainers = [ ];
+ maintainers = [ stdenv.lib.maintainers.eelco ]; };
-}
-
-//
-
-(stdenv.lib.optionalAttrs stdenv.isFreeBSD {
- # FreeBSD doesn't have , and Gnulib's `alloca' module isn't used.
- patches = [ ./guile-gnulib-includes.patch ];
-}))
+}
\ No newline at end of file
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 6cd584e6f1f8..08bb9de91680 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
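Review bot: The new closing `+}` of default.nix is followed by `\ No newline at end of file`, so the rewritten file loses the trailing newline that the removed `-}))` line still had; the parallel rewrite of 3.2.nix in this commit keeps its newline, so this looks accidental. Add the newline after the final `}` so the file ends like the others.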
@@ -4361,20 +4361,21 @@ let gnu-efi = callPackage ../development/libraries/gnu-efi { }; gnutls = gnutls32;
- gnutls31 = callPackage ../development/libraries/gnutls {
- guileBindings = config.gnutls.guile or true;
- }; gnutls2 = callPackage ../development/libraries/gnutls/2.12.nix {
- guileBindings = config.gnutls.guile or true;
+ guileBindings = config.gnutls.guile or false;
+ };
+
+ gnutls31 = callPackage ../development/libraries/gnutls {
+ guileBindings = config.gnutls.guile or false; }; gnutls32 = callPackage ../development/libraries/gnutls/3.2.nix {
- guileBindings = config.gnutls.guile or true;
+ guileBindings = config.gnutls.guile or false; };
- gnutls_without_guile = lowPrio (gnutls.override { guileBindings = false; });
- gnutls2_without_guile = lowPrio (gnutls2.override { guileBindings = false; });
+ gnutls_with_guile = lowPrio (gnutls.override { guileBindings = true; });
+ gnutls2_with_guile = lowPrio (gnutls2.override { guileBindings = true; }); gpac = callPackage ../applications/video/gpac { };
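Review bot: `gnutls_without_guile` and `gnutls2_without_guile` are removed outright while the new `gnutls_with_guile`/`gnutls2_with_guile` take their place, so any expression that still names the old attributes fails to evaluate even though what they denoted is now just the default `gnutls` and `gnutls2`. Keeping them as aliases costs two lines, `gnutls_without_guile = gnutls;` and `gnutls2_without_guile = gnutls2;`, and gives users of `config.gnutls.guile` a stable name through the default flip from `or true` to `or false`. If the removal is deliberate, the commit message should say so, since it currently only explains the default change.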