[PATCH] gnu: gnutls: Replace with 3.5.13.

  • Done
  • quality assurance status badge
Details
3 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Submitted by
Marius Bakke
Severity
normal
M
M
Marius Bakke wrote on 10 Jun 2017 15:58
(address . guix-patches@gnu.org)(name . Marius Bakke)(address . mbakke@fastmail.com)
20170610135851.6341-1-mbakke@fastmail.com
This update addresses the following security advisories:

GNUTLS-SA-2017-3 (aka CVE-2017-7869) and GNUTLS-SA-2017-4.

These links contain more information about the vulnerabilities and releases:


* gnu/packages/patches/gnutls-skip-pkgconfig-test.patch,
gnu/packages/patches/gnutls-skip-trust-store-test.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register patches.
* gnu/packages/tls.scm (gnutls)[replacement]: New field.
(gnutls-3.5.13): New variable.
---
gnu/local.mk | 2 ++
.../patches/gnutls-skip-pkgconfig-test.patch | 24 ++++++++++++++++++++++
.../patches/gnutls-skip-trust-store-test.patch | 15 ++++++++++++++
gnu/packages/tls.scm | 20 ++++++++++++++++++
4 files changed, 61 insertions(+)
create mode 100644 gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
create mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch

Toggle diff (111 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 686c3c639..70b4a44a1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -640,6 +640,8 @@ dist_patch_DATA = \
%D%/packages/patches/gmp-faulty-test.patch \
%D%/packages/patches/gnome-tweak-tool-search-paths.patch \
%D%/packages/patches/gnucash-price-quotes-perl.patch \
+ %D%/packages/patches/gnutls-skip-trust-store-test.patch \
+ %D%/packages/patches/gnutls-skip-pkgconfig-test.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
%D%/packages/patches/gobject-introspection-girepository.patch \
diff --git a/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch b/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
new file mode 100644
index 000000000..1fad7c14e
--- /dev/null
+++ b/gnu/packages/patches/gnutls-skip-pkgconfig-test.patch
@@ -0,0 +1,24 @@
+FIXME: The static test fails with an error such as:
+
+/tmp/guix-build-gnutls-3.5.13.drv-0/ccOnGPmc.o: In function `main':
+c.29617.tmp.c:(.text+0x5): undefined reference to `gnutls_global_init'
+collect2: error: ld returned 1 exit status
+FAIL pkgconfig.sh (exit status: 1)
+
+diff --git a/tests/pkgconfig.sh b/tests/pkgconfig.sh
+index 6bd4e62f9..05aab8278 100755
+--- a/tests/pkgconfig.sh
++++ b/tests/pkgconfig.sh
+@@ -57,11 +57,7 @@ echo "Trying dynamic linking with:"
+ echo " * flags: $(${PKGCONFIG} --libs gnutls)"
+ echo " * common: ${COMMON}"
+ echo " * lib: ${CFLAGS}"
+-cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
+-
+-echo ""
+-echo "Trying static linking with $(${PKGCONFIG} --libs --static gnutls)"
+-cc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --static --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
++gcc ${TMPFILE} -o ${TMPFILE_O} $(${PKGCONFIG} --libs gnutls) $(${PKGCONFIG} --cflags gnutls) ${COMMON}
+
+ rm -f ${TMPFILE} ${TMPFILE_O}
+
diff --git a/gnu/packages/patches/gnutls-skip-trust-store-test.patch b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
new file mode 100644
index 000000000..e0536712a
--- /dev/null
+++ b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
@@ -0,0 +1,15 @@
+Version 3.5.11 added a test to check that the default trust store is readable.
+It does not exist in the build environment, so pretend everything is fine.
+
+diff a/tests/trust-store.c b/tests/trust-store.c
+--- a/tests/trust-store.c
++++ b/tests/trust-store.c
+@@ -61,7 +61,7 @@
+ } else if (ret < 0) {
+ fail("error loading system trust store: %s\n", gnutls_strerror(ret));
+ } else if (ret == 0) {
+- fail("no certificates were found in system trust store!\n");
++ success("no trust store in the Guix build environment!\n");
+ }
+
+ gnutls_certificate_free_credentials(x509_cred);
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 8964abb2f..69dcb015b 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -8,6 +8,7 @@
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -142,6 +143,7 @@ living in the same process.")
(define-public gnutls
(package
(name "gnutls")
+ (replacement gnutls-3.5.13)
(version "3.5.9")
(source (origin
(method url-fetch)
@@ -214,6 +216,24 @@ required structures.")
(properties '((ftp-server . "ftp.gnutls.org")
(ftp-directory . "/gcrypt/gnutls")))))
+(define gnutls-3.5.13
+ (package
+ (inherit gnutls)
+ (version "3.5.13")
+ (replacement #f)
+ (source (origin
+ (method url-fetch)
+ (uri
+ (string-append "mirror://gnupg/gnutls/v"
+ (version-major+minor version)
+ "/gnutls-" version ".tar.xz"))
+ (patches
+ (search-patches "gnutls-skip-trust-store-test.patch"
+ "gnutls-skip-pkgconfig-test.patch"))
+ (sha256
+ (base32
+ "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))))
+
(define-public gnutls/guile-2.2
;; GnuTLS for Guile 2.2. This is supported by GnuTLS >= 3.5.5.
(package
--
2.13.1
L
L
Ludovic Courtès wrote on 10 Jun 2017 16:29
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 27308@debbugs.gnu.org)
87bmpvykyv.fsf@gnu.org
Hi Marius,

Marius Bakke <mbakke@fastmail.com> skribis:

Toggle quote (15 lines)
> This update addresses the following security advisories:
>
> GNUTLS-SA-2017-3 (aka CVE-2017-7869) and GNUTLS-SA-2017-4.
>
> These links contain more information about the vulnerabilities and releases:
>
> https://gnutls.org/security.html
> https://gnutls.org/news.html
>
> * gnu/packages/patches/gnutls-skip-pkgconfig-test.patch,
> gnu/packages/patches/gnutls-skip-trust-store-test.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register patches.
> * gnu/packages/tls.scm (gnutls)[replacement]: New field.
> (gnutls-3.5.13): New variable.

Assuming binary compatibility, that looks good to me.

While you’re at it, could you update GnuTLS in ‘core-updates’?

For the trust-store.c test, we could ask upstream to arrange so that the
test is skipped when the trust store doesn’t exist; would the test still
make sense?

Thanks,
Ludo’.
M
M
Marius Bakke wrote on 10 Jun 2017 18:16
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 27308@debbugs.gnu.org)
87poeblsxk.fsf@fastmail.com
Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (21 lines)
> Hi Marius,
>
> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> This update addresses the following security advisories:
>>
>> GNUTLS-SA-2017-3 (aka CVE-2017-7869) and GNUTLS-SA-2017-4.
>>
>> These links contain more information about the vulnerabilities and releases:
>>
>> https://gnutls.org/security.html
>> https://gnutls.org/news.html
>>
>> * gnu/packages/patches/gnutls-skip-pkgconfig-test.patch,
>> gnu/packages/patches/gnutls-skip-trust-store-test.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register patches.
>> * gnu/packages/tls.scm (gnutls)[replacement]: New field.
>> (gnutls-3.5.13): New variable.
>
> Assuming binary compatibility, that looks good to me.

The release notes since version 3.5.9 explicitly mention no API or ABI
changes.

Toggle quote (2 lines)
> While you’re at it, could you update GnuTLS in ‘core-updates’?

Indeed; that was the intention. Will merge-and-ungraft after committing.

Toggle quote (4 lines)
> For the trust-store.c test, we could ask upstream to arrange so that the
> test is skipped when the trust store doesn’t exist; would the test still
> make sense?

The test *only* checks that the --default-trust-store exists. However,
the current solution is rather hacky, will check for proper skipping
mechanisms.

I tested this graft on my profile, but apparently the grafting code
checks the store item length and refuses since the .13 is one byte
longer than .9:

Backtrace:
In ice-9/boot-9.scm:
160: 14 [catch #t #<catch-closure 8c5dc0> ...]
In unknown file:
?: 13 [apply-smob/1 #<catch-closure 8c5dc0>]
In ice-9/boot-9.scm:
66: 12 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
432: 11 [eval # #]
In ice-9/boot-9.scm:
2412: 10 [save-module-excursion #<procedure 8e6840 at ice-9/boot-9.scm:4084:3 ()>]
4089: 9 [#<procedure 8e6840 at ice-9/boot-9.scm:4084:3 ()>]
1734: 8 [%start-stack load-stack #<procedure 8f6e20 at ice-9/boot-9.scm:4080:10 ()>]
1739: 7 [#<procedure 8f8960 ()>]
In unknown file:
?: 6 [primitive-load "/gnu/store/aaxbysgk1j098i8i6ag24jslnizwmdlw-ffmpeg-3.3.2-guile-builder"]
In ice-9/eval.scm:
387: 5 [eval # ()]
In ice-9/boot-9.scm:
797: 4 [for-each #<procedure d0cd20 at ice-9/eval.scm:416:20 (a b)> # #]
In /gnu/store/9a54ididkvfkgkv7rgjw07vmdc16k9cv-module-import/guix/build/graft.scm:
262: 3 [rewrite-directory "/gnu/store/kx3gc2swra9f2clkrgxall1bb5mcxhpc-ffmpeg-3.3.2" ...]
In srfi/srfi-1.scm:
575: 2 [map #<procedure ae0860 at /gnu/store/9a54ididkvfkgkv7rgjw07vmdc16k9cv-module-import/guix/build/graft.scm:262:11 (expr)> ...]
In /gnu/store/9a54ididkvfkgkv7rgjw07vmdc16k9cv-module-import/guix/build/graft.scm:
268: 1 [#<procedure ae0860 at /gnu/store/9a54ididkvfkgkv7rgjw07vmdc16k9cv-module-import/guix/build/graft.scm:262:11 (expr)> #]
In unknown file:
?: 0 [scm-error misc-error #f ...]

ERROR: In procedure scm-error:
ERROR: replacement length differs from the original length "56dbd2gw33g3wdxmq78lr39lamg8gxnq-gnutls-3.5.9" "78kvf0ma45z3h14850wzkcvz3zqg59xy-gnutls-3.5.13"
builder for `/gnu/store/hjzqpxdirqv5hmlyc2cg1pisnchnfisi-ffmpeg-3.3.2.drv' failed with exit code 1
cannot build derivation `/gnu/store/dn6qzxbp9xk659ypldnpgdb07fvx4343-profile.drv': 1 dependencies couldn't be built
guix package: error: build failed: build of `/gnu/store/dn6qzxbp9xk659ypldnpgdb07fvx4343-profile.drv' failed

Not sure what to do about it. Ideas?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlk8G0cACgkQoqBt8qM6
VPrjMgf/RIkLPCPnDkKGHlEwRA9wCJ5ADPFHgsgPcnjQkNBWg2iSqhGiSPztBLBO
5Ms8iVUfHhE3p1ZPWqgXr/BMUMNXYZ84DnYtcQ/EN/9XyxAR3tY3qqLrsfBstHGh
GvfSHbQ2jEVF+FacaD1/QjJC5oMZpRz/uW30AxFpruUafvW59ewAYwSo512TOUos
j1EMUmticNBeTgUBG8pRHMqRuLcd9231BS/U6U5nb8iqJGJnIB4xL1C3F+Jhs8fy
8uV2TLSOZGFN/XsCQ9EZuZZ2yS3IToCaOs56nW83ZxDkhr0HW3XuV4VtdOvNtJ9C
XQeGYSW5c3MuNR5PJ5aw9vXeqBfPfg==
=RUd+
-----END PGP SIGNATURE-----

M
M
Marius Bakke wrote on 10 Jun 2017 18:37
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 27308@debbugs.gnu.org)
87mv9flry8.fsf@fastmail.com
Marius Bakke <mbakke@fastmail.com> writes:

Toggle quote (4 lines)
> I tested this graft on my profile, but apparently the grafting code
> checks the store item length and refuses since the .13 is one byte
> longer than .9:

[...]

Toggle quote (3 lines)
> ERROR: In procedure scm-error:
> ERROR: replacement length differs from the original length "56dbd2gw33g3wdxmq78lr39lamg8gxnq-gnutls-3.5.9" "78kvf0ma45z3h14850wzkcvz3zqg59xy-gnutls-3.5.13"

The attached patch allows the graft to proceed, but I'm not sure about
the sanity of it all. Thoughts?
From 5f122f6e1b73fb7a664142a20ac70890cb6956f9 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 10 Jun 2017 18:31:03 +0200
Subject: [PATCH] build: graft: Allow longer replacement store names.

* guix/build/graft.scm (rewrite-directory): Only fail if replacement name is shorter.
---
guix/build/graft.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Toggle diff (19 lines)
diff --git a/guix/build/graft.scm b/guix/build/graft.scm
index 16df169ec..2b3b99cb1 100644
--- a/guix/build/graft.scm
+++ b/guix/build/graft.scm
@@ -263,9 +263,9 @@ file name pairs."
(((= hash+rest (origin-hash origin-string))
.
(= hash+rest (replacement-hash replacement-string)))
- (unless (= (string-length origin-string)
- (string-length replacement-string))
- (error "replacement length differs from the original length"
+ (unless (<= (string-length origin-string)
+ (string-length replacement-string))
+ (error "replacement length is shorter than the original length"
origin-string replacement-string))
(cons origin-hash (string->utf8 replacement-string)))
((origin . replacement)
--
2.13.1
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlk8ID8ACgkQoqBt8qM6
VPpZywf/WmooWOcauuE080e2xREfgj1IZ90r3Iy9OKUbsXnCsWv3kqh79lQX7y0R
2RBOAnWuevF73mmL0M7HBE8e8wDyry6HiqZJ+Fk1dFpBpsBsW8aUBLo6qMpkpsQP
KboENh5vrRUbxFMB3LAv3KqKw4aaYaFaMEmF/MYzS8SIlZv6ojb+exH3lBVG2GE8
fuUCu+znXZOj2z4Sy1c948NGRx3NPaGJYXh0kn3kI+eL2kxVaIpNR929RlIpEbwn
fX/cNzZVBUMYtWNsHuxo3+HKS060AsiAmgZzqMD+nXXxSVqLL1Dgu3D/YGr7quTz
AK21gse2KpQol5BeL9VXsulAX5561Q==
=bisz
-----END PGP SIGNATURE-----

M
M
Marius Bakke wrote on 10 Jun 2017 20:07
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 27308@debbugs.gnu.org)
87ink3lnr6.fsf@fastmail.com
Marius Bakke <mbakke@fastmail.com> writes:

Toggle quote (14 lines)
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> I tested this graft on my profile, but apparently the grafting code
>> checks the store item length and refuses since the .13 is one byte
>> longer than .9:
>
> [...]
>
>> ERROR: In procedure scm-error:
>> ERROR: replacement length differs from the original length "56dbd2gw33g3wdxmq78lr39lamg8gxnq-gnutls-3.5.9" "78kvf0ma45z3h14850wzkcvz3zqg59xy-gnutls-3.5.13"
>
> The attached patch allows the graft to proceed, but I'm not sure about
> the sanity of it all. Thoughts?

[...]

Toggle quote (2 lines)
> Subject: [PATCH] build: graft: Allow longer replacement store names.

Thinking further about this, replacing a string of a fixed length with
that of another sounds highly unsafe. So I'm not sure what the best
approach here is. Maybe some dummy version number like 3.5.a? Or simply
keep 3.5.9?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlk8NX0ACgkQoqBt8qM6
VPoc3AgAh6TfQYb/1CYDtP4MpgxFDAgDOnL+6sWqkfEQEdvsWPEjfCiY/9f/lSDK
Qam3Y9YmJEOZ6Lx0qCQFYg2daYol7KrVVNqBdjmzRRWLZAO3jtCVLdXm7fR4qQ+Q
CYbMIWDi429RoAnd7s3SHLgqvNVk8HzcA9QiYa7oGTldwM3Cnj2V0p5VjmHItv8V
bg7Qws7LIW8HOliFgo9yDONOF2xJjcZBmbaOxkwpjHtu7EmEDpSvovoPIC1C7N+i
R/jHxophqVsdtreNSY4N8tEnyDMGZbIFR4CgAbEzb5Hk7cBW+ssRtgOvZon6CQyl
SYsGU00Q9JEPUrKch91ExsQtmFu9qw==
=K2B6
-----END PGP SIGNATURE-----

L
L
Leo Famulari wrote on 11 Jun 2017 01:05
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 27308@debbugs.gnu.org)
20170610230537.GA14865@jasmine
On Sat, Jun 10, 2017 at 08:07:57PM +0200, Marius Bakke wrote:
Toggle quote (5 lines)
> Thinking further about this, replacing a string of a fixed length with
> that of another sounds highly unsafe. So I'm not sure what the best
> approach here is. Maybe some dummy version number like 3.5.a? Or simply
> keep 3.5.9?

We did something similar when grafting bash [0], changing 4.4.0 to
4.4.A. It's not great, but it worked.

[0] commit 50b8a527efe375ac5377670ff0f159fbbce45312 (gnu: bash: Add
graft for patch #7 [fixes CVE-2017-5932].).

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlk8ez0ACgkQJkb6MLrK
fwgwCA/8DG6sbMD6vJl9bvGDNVE27EnMl5CspCWcr1MISuzqC15MjeoF0kMdD+Bu
1Z3Bm1tHebjE+glAz61JomK3lTCHR8UHDOLOxA1gDii4Q/Sxs65vp0E5lRASGC4A
Met83CR9NsFBqHbyumdtPGrJi13R4AlQzs08G2rJSKMVHQDemhjOLpY72z21eKlY
24dQEo2VEpfzV7OU8B/XBDI6GRB4Fm0LCEpupx9/YxF3YkcuFFkEbMnIfV7wmr9O
ZFTyhoR0xiPVlrHS2Oz1lD4xm3MGVTg9dJmwBwnEHwG1EJFZ+7m8jyDJERHAThoE
J9pDnHpwQSubAK+a4ahe2IKeLPWIQJQFWItKjhFsSxGKR3/7Bm+TyOXH+YxH+fQP
kyRCqTjIHOzJZG2eM4eLWMjhjs2CQ6r+2F4C8qpQfwwiDRmXEesU6kexCf3FcYFp
7WfirFvQDFtaiwek8ezAFVvDqgeql+7Gh2ZJ0pQ0QqE//kubR8ZZ76TwobCRXzSe
qOJYVtKqC/No0PHW011HVlK2dALfSB26DAZiys+vjKf0+x2UzqUAFc+mn9sSPVdS
EyVYgD7IMin+0H2vXYcGPh5Kwe358eXiPHZxdV4MpYgSjF8e5NEsjXq2P1aF7vci
OTDfdJlpa+mzISgQCcWS32imxfVOfKjGlT6HwuwfKunxsfn6m1M=
=3QBP
-----END PGP SIGNATURE-----


M
M
Marius Bakke wrote on 11 Jun 2017 01:25
(name . Leo Famulari)(address . leo@famulari.name)(address . 27308-done@debbugs.gnu.org)
87efurl91p.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:

Toggle quote (9 lines)
> On Sat, Jun 10, 2017 at 08:07:57PM +0200, Marius Bakke wrote:
>> Thinking further about this, replacing a string of a fixed length with
>> that of another sounds highly unsafe. So I'm not sure what the best
>> approach here is. Maybe some dummy version number like 3.5.a? Or simply
>> keep 3.5.9?
>
> We did something similar when grafting bash [0], changing 4.4.0 to
> 4.4.A. It's not great, but it worked.

Ha, I already settled on 'D'. Works until version .16 ;-)

I realized 'guile2.2-gnutls' needed (replacement #f) and inheriting the
fixed sources as well. Pushed!
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlk8f/MACgkQoqBt8qM6
VPp2PQf+Km1psLjnvfBFFtk1Hy09fh2O4ZMrc0S4kVlsypps4PcJxvrX5JOrnr7p
4IHBzePURlMqBmFqByQ1B+j81UobayrcWjumUBRWRSdnogkYH7PquoWyAmM40XTW
bo775F+AT7Hn3jse+ejZMDmz1sHezBxPE05Qm8zWzn0pkS8lMd4CToBsWhI+d3MK
Z0DgmO6ahHPKarQ5r+xeVDcfnRCm5y5BLRtH+rsMztwgiVX0BsfnE+sMc24Hm1UJ
lDFPehepteRE7ptL2ZAUFo5mx3q1wE+bMlstpz5snH24ObMcjBXuSRW2jLY1BaG0
1KxrvIjPGGb7Qu/oYa8RROFWbaPvBA==
=ggxu
-----END PGP SIGNATURE-----

Closed
L
L
Ludovic Courtès wrote on 11 Jun 2017 15:57
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 27308@debbugs.gnu.org)
87zidesk2i.fsf@gnu.org
Marius Bakke <mbakke@fastmail.com> skribis:

Toggle quote (6 lines)
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> I tested this graft on my profile, but apparently the grafting code
>> checks the store item length and refuses since the .13 is one byte
>> longer than .9:

[...]

Toggle quote (14 lines)
> index 16df169ec..2b3b99cb1 100644
> --- a/guix/build/graft.scm
> +++ b/guix/build/graft.scm
> @@ -263,9 +263,9 @@ file name pairs."
> (((= hash+rest (origin-hash origin-string))
> .
> (= hash+rest (replacement-hash replacement-string)))
> - (unless (= (string-length origin-string)
> - (string-length replacement-string))
> - (error "replacement length differs from the original length"
> + (unless (<= (string-length origin-string)
> + (string-length replacement-string))
> + (error "replacement length is shorter than the original length"

That won’t work.

The workaround is to use a version string with the right length, say
“3.5.A”. It’s enough to allow users to distinguish it from the affected
version, so that’s okay IMO.

Ludo’.
?