Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org
Date: Thu, 04 Apr 2024 02:38:55 +0000
From: John Kehayias <john.kehayias@HIDDEN>
To: "pelzflorian (Florian Pelz)" <pelzflorian@HIDDEN>
Cc: 70114 <at> debbugs.gnu.org, 70113 <at> debbugs.gnu.org, Leo Famulari <leo@HIDDEN>
Subject: Re: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
Message-ID: <8734s1x35x.fsf@HIDDEN>
In-Reply-To: <871q7nev3k.fsf@HIDDEN>

Hello,

On Tue, Apr 02, 2024 at 03:45 PM, pelzflorian (Florian Pelz) wrote:

> Hello,
>
> John Kehayias via Guix-patches via <guix-patches@HIDDEN> writes:
>>> +(define-public libarchive/fixed
>>> +  (package
>>> +    (inherit libarchive)
>>> +    (version "3.6.1")
>>> +    (source
>>> +     (origin
>>> +       (method url-fetch)
>>> +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
>>> +                                 version ".tar.xz")
>>> +                  (string-append "https://github.com/libarchive/libarchive"
>>> +                                 "/releases/download/v" version "/libarchive-"
>>> +                                 version ".tar.xz")))
>>
>> In light of the xz backdoor, perhaps we should just do a git checkout of
>> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.
>
> Not having followed the details, I believe the git checkout contained an
> incomplete part of the malicious code too, from what Joshua Branson (I
> guess the sender is him?) cites from Phoronix
> <https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00002.html>:
>
> jbranso@HIDDEN writes:
>> The malicious injection present in the xz versions 5.6.0 and 5.6.1
>> libraries is obfuscated and only included in full in the download package
>> - the Git distribution lacks the M4 macro that triggers the build
>> of the malicious code. The second-stage artifacts are present in
>> the Git repository for the injection during the build time, in
>> case the malicious M4 macro is present.
>
> It doesn’t look like avoiding tarballs gives us more verified code.
>

Well, it removes one step where something can be added. From what I
understand release tarballs don't match a git checkout as often build
artifacts (from autotools) are added, so it is just another potential
attack vector. Indeed, it was only part of the attack here, but I do
believe there is general support for trying to favor git checkouts when
we can (there is overhead and I think issues for parts in bootstrapping,
to get git). Certainly not perfect, but gets us to "just" the source.
One can still do things with access of course.

Thanks Leo for the quick work here and pushing the patch, much appreciated!

John
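The point made above, that a release tarball carries autotools outputs a git checkout lacks, is something a packager can check mechanically before trusting a tarball. The following is an added example for this thread, not code from Guix or from anyone in the discussion: it lists what a release tarball contains beyond the tag export (as produced by `git archive --prefix=...`), separates the expected autotools outputs from anything else that deserves a reviewer's eye, and reports committed files whose bytes changed. The two archives are constructed in memory, and every file name in them is made up.

```python
import io
import re
import tarfile

# Files an autotools-based release tarball legitimately adds on top of the
# committed sources (output of autoreconf / make dist).  Anything outside
# this list that exists only in the tarball is what a reviewer should read.
EXPECTED_GENERATED = [
    r"^configure$",
    r"^aclocal\.m4$",
    r"^config\.h\.in$",
    r"(^|/)Makefile\.in$",
    r"^build-aux/(compile|config\.guess|config\.sub|depcomp|install-sh|"
    r"ltmain\.sh|missing|test-driver)$",
    r"^m4/(libtool|ltoptions|ltsugar|ltversion|lt~obsolete)\.m4$",
]


def is_expected_generated(path: str) -> bool:
    return any(re.search(pat, path) for pat in EXPECTED_GENERATED)


def member_table(data: bytes, strip_components: int = 1) -> dict:
    """Map relative path -> bytes for every regular file in a tar archive.

    Release tarballs and `git archive --prefix=...` both put everything under
    one top-level directory; strip_components drops it so the two trees are
    compared by the same relative paths.
    """
    table = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")[strip_components:]
            if not parts:
                continue
            fh = tar.extractfile(member)
            table["/".join(parts)] = fh.read() if fh is not None else b""
    return table


def audit_release(release_tar: bytes, git_export_tar: bytes) -> dict:
    """Report how a release tarball differs from the tagged git tree."""
    release = member_table(release_tar)
    git = member_table(git_export_tar)
    only_in_tarball = sorted(set(release) - set(git))
    return {
        # Generated files a tarball is expected to carry.
        "expected_generated": [p for p in only_in_tarball if is_expected_generated(p)],
        # Files that are neither committed nor known build output: read these.
        "unexpected_in_tarball": [p for p in only_in_tarball if not is_expected_generated(p)],
        # Committed files whose content differs from the tag.
        "modified": sorted(p for p in set(release) & set(git) if release[p] != git[p]),
        # Committed files the tarball dropped.
        "missing_from_tarball": sorted(set(git) - set(release)),
    }


def build_tar(prefix: str, files: dict) -> bytes:
    """Build a gzip'd tarball in memory (fixture helper for the sample below)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample trees; not real libarchive or xz contents.
GIT_TREE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\nAM_INIT_AUTOMAKE\n",
    "Makefile.am": b"bin_PROGRAMS = demo\n",
    "src/demo.c": b"int main(void) { return 0; }\n",
    "m4/demo-feature.m4": b"AC_DEFUN([DEMO_FEATURE], [])\n",
}
RELEASE_TREE = dict(GIT_TREE)
RELEASE_TREE.update({
    "configure": b"#! /bin/sh\n# generated by autoconf\n",
    "Makefile.in": b"# generated by automake\n",
    "build-aux/install-sh": b"#! /bin/sh\n",
    # A macro present only in the tarball, not in the tag: the kind of file
    # the thread worries about; it is reported as unexpected.
    "m4/demo-extra.m4": b"AC_DEFUN([DEMO_EXTRA], [])\n",
    # A committed macro whose bytes differ from the tag.
    "m4/demo-feature.m4": b"AC_DEFUN([DEMO_FEATURE], [true])\n",
})

GIT_EXPORT_TARBALL = build_tar("demo-1.0", GIT_TREE)
RELEASE_TARBALL = build_tar("demo-1.0", RELEASE_TREE)


if __name__ == "__main__":
    for kind, paths in audit_release(RELEASE_TARBALL, GIT_EXPORT_TARBALL).items():
        print(f"{kind}:")
        for p in paths:
            print(f"  {p}")
```

Against a real release, feed it the downloaded tarball bytes and the output of `git archive --prefix=name-version/ vX.Y.Z` for the matching tag; the "unexpected_in_tarball" and "modified" lists are the ones to read by hand.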
Date: Wed, 3 Apr 2024 18:08:12 -0400
From: Leo Famulari <leo@HIDDEN>
To: John Kehayias <john.kehayias@HIDDEN>
Cc: 70114 <at> debbugs.gnu.org, 70113-done <at> debbugs.gnu.org
Subject: Re: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
Message-ID: <Zg3TTEwIZkIObXc0@HIDDEN>
In-Reply-To: <87il10wipx.fsf@HIDDEN>

On Tue, Apr 02, 2024 at 03:23:44AM +0000, John Kehayias wrote:
> Overall changes look good, but I have not had a chance to try it locally
> (building or dependents).

I successfully tested with the file-roller package, which depends
directly on libarchive and no other related packages. I think it's a
reasonable basic test case.

I agree it's a good idea to look into a more comprehensive update to
libarchive, but I just wanted to get this patch in ASAP.

Pushed as 629614c7a3f9283306939402f1ff46914f327c21
Date: Tue, 02 Apr 2024 15:45:51 +0200
From: "pelzflorian (Florian Pelz)" <pelzflorian@HIDDEN>
To: John Kehayias <john.kehayias@HIDDEN>
Cc: 70114 <at> debbugs.gnu.org, 70113 <at> debbugs.gnu.org, Leo Famulari <leo@HIDDEN>
Subject: Re: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
Message-ID: <871q7nev3k.fsf@HIDDEN>
In-Reply-To: <87il10wipx.fsf@HIDDEN>

Hello,

John Kehayias via Guix-patches via <guix-patches@HIDDEN> writes:
>> +(define-public libarchive/fixed
>> +  (package
>> +    (inherit libarchive)
>> +    (version "3.6.1")
>> +    (source
>> +     (origin
>> +       (method url-fetch)
>> +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
>> +                                 version ".tar.xz")
>> +                  (string-append "https://github.com/libarchive/libarchive"
>> +                                 "/releases/download/v" version "/libarchive-"
>> +                                 version ".tar.xz")))
>
> In light of the xz backdoor, perhaps we should just do a git checkout of
> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

Not having followed the details, I believe the git checkout contained an
incomplete part of the malicious code too, from what Joshua Branson (I
guess the sender is him?) cites from Phoronix
<https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00002.html>:

jbranso@HIDDEN writes:
> The malicious injection present in the xz versions 5.6.0 and 5.6.1
> libraries is obfuscated and only included in full in the download package
> - the Git distribution lacks the M4 macro that triggers the build
> of the malicious code. The second-stage artifacts are present in
> the Git repository for the injection during the build time, in
> case the malicious M4 macro is present.

It doesn’t look like avoiding tarballs gives us more verified code.

Regards,
Florian
Date: Tue, 2 Apr 2024 16:24:04 +0300
From: Efraim Flashner <efraim@HIDDEN>
To: John Kehayias <john.kehayias@HIDDEN>
Cc: 70114 <at> debbugs.gnu.org, 70113 <at> debbugs.gnu.org, Leo Famulari <leo@HIDDEN>
Subject: Re: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
Message-ID: <ZgwG9F56NpS1YGt-@3900XT>
In-Reply-To: <87il10wipx.fsf@HIDDEN>

On Tue, Apr 02, 2024 at 03:23:44AM +0000, John Kehayias via Guix-patches via wrote:
> Hi Leo,
>
> On Sun, Mar 31, 2024 at 04:44 PM, Leo Famulari wrote:
>
> > https://github.com/libarchive/libarchive/pull/2101
> >
> > * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> > (libarchive/fixed): New variable.
> > * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> >
>
> Overall changes look good, but I have not had a chance to try it locally
> (building or dependents).
>

This looks like what I was going to suggest.

> [...]
>
> > +(define-public libarchive/fixed
> > +  (package
> > +    (inherit libarchive)
> > +    (version "3.6.1")
> > +    (source
> > +     (origin
> > +       (method url-fetch)
> > +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
> > +                                 version ".tar.xz")
> > +                  (string-append "https://github.com/libarchive/libarchive"
> > +                                 "/releases/download/v" version "/libarchive-"
> > +                                 version ".tar.xz")))
>
> In light of the xz backdoor, perhaps we should just do a git checkout of
> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

In this case it was just the patch which didn't do (just) what the commit
message said. IMO applying this patch will make us safe from this
potential JiaT75 backdoor, no bootstrapping from source needed.

> I haven't had a chance to look at potential ABI changes, but perhaps at
> least v3.6.2 is graftable? That also lists a security update (as well as
> later versions).
>
> Or, if it is easier and this is tested on your end, let's push this and
> do an upgrade to the latest on a branch. I would volunteer mesa-updates,
> but Cuirass has been stuck all day not building anything, so I don't
> know what will end up being quickest (which branch or a new one).

If it turns out that we need to move forward a bit to guard against
other CVEs then this patch should be forward compatible, considering it
was just added to the libarchive repository.

> Thanks for the quick work!
> John

Indeed. Thanks!

--
Efraim Flashner <efraim@HIDDEN> רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Date: Tue, 02 Apr 2024 03:23:44 +0000
From: John Kehayias <john.kehayias@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Cc: 70114 <at> debbugs.gnu.org, 70113 <at> debbugs.gnu.org
Subject: Re: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
Message-ID: <87il10wipx.fsf@HIDDEN>

Hi Leo,

On Sun, Mar 31, 2024 at 04:44 PM, Leo Famulari wrote:

> https://github.com/libarchive/libarchive/pull/2101
>
> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> (libarchive/fixed): New variable.
> * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
>

Overall changes look good, but I have not had a chance to try it locally
(building or dependents).

[...]

> +(define-public libarchive/fixed
> +  (package
> +    (inherit libarchive)
> +    (version "3.6.1")
> +    (source
> +     (origin
> +       (method url-fetch)
> +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
> +                                 version ".tar.xz")
> +                  (string-append "https://github.com/libarchive/libarchive"
> +                                 "/releases/download/v" version "/libarchive-"
> +                                 version ".tar.xz")))

In light of the xz backdoor, perhaps we should just do a git checkout of
the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

I haven't had a chance to look at potential ABI changes, but perhaps at
least v3.6.2 is graftable? That also lists a security update (as well as
later versions).

Or, if it is easier and this is tested on your end, let's push this and
do an upgrade to the latest on a branch. I would volunteer mesa-updates,
but Cuirass has been stuck all day not building anything, so I don't
know what will end up being quickest (which branch or a new one).

Thanks for the quick work!
John
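Review bot: the quoted hunk replaces the inherited `source` with a fresh `origin` but is cut off before the `sha256` and `patches` fields, so the quote alone does not show that the replacement pins the 3.6.1 tarball by hash or that it adds gnu/packages/patches/libarchive-remove-potential-backdoor.patch, which the commit message quoted in the same message names as the reason for the new variable; both should be confirmed in the full patch before pushing. On the tarball-versus-tag question raised under the hunk, the origin hash pins exact bytes with either `url-fetch` or a git checkout of v3.6.1; what a checkout changes is that the build has to regenerate the autotools outputs the tarball ships, which is the bootstrapping overhead John himself notes in his 4 April reply.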
Leo Famulari <leo@HIDDEN> to control <at> debbugs.gnu.org
Date: Sun, 31 Mar 2024 16:44:50 -0400
From: Leo Famulari <leo@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive
Message-ID: <cover.1711917891.git.leo@HIDDEN>

The malicious actor that attacked Xz was also active in the libarchive
codebase:

https://github.com/libarchive/libarchive/issues/2103

This patch cherry-picks a fix for a potential vulnerability added by this
entity. The patch file includes annotations.

Please test with packages that directly use libarchive! For example:

------
$ ./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name,synopsis,location
name: dwarfs
synopsis: Fast high compression read-only file system
location: gnu/packages/file-systems.scm:2106:2

name: patool
synopsis: Portable archive file manager
location: gnu/packages/patool.scm:37:2

name: gnome-boxes
synopsis: View, access, and manage remote and virtual systems
location: gnu/packages/gnome.scm:12554:2

name: proot
synopsis: Unprivileged chroot, bind mount, and binfmt_misc
location: gnu/packages/linux.scm:8449:2

name: geary
synopsis: GNOME email application built around conversations
location: gnu/packages/gnome.scm:12630:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:192:2

name: reprepro
synopsis: Debian package repository producer
location: gnu/packages/debian.scm:610:2

name: libjami
synopsis: Jami core library and daemon
location: gnu/packages/jami.scm:85:2

name: diffoscope
synopsis: Compare files, archives, and directories in depth
location: gnu/packages/diffoscope.scm:75:2

name: geeqie
synopsis: Lightweight GTK+ based image viewer
location: gnu/packages/image-viewers.scm:235:2

name: samba
synopsis: The standard Windows interoperability suite of programs for GNU and Unix
location: gnu/packages/samba.scm:296:2

name: gpaste
synopsis: Clipboard management system for GNOME Shell
location: gnu/packages/gnome-xyz.scm:1012:2

name: libextractor
synopsis: Library to extract meta-data from media files
location: gnu/packages/gnunet.scm:87:2

name: unrar-free
synopsis: Extract files from RAR archives
location: gnu/packages/compression.scm:2813:2

name: archivemount
synopsis: Tool for mounting archive files with FUSE
location: gnu/packages/linux.scm:4034:2

name: rpm
synopsis: The RPM Package Manager
location: gnu/packages/package-management.scm:934:2

name: nix
synopsis: The Nix package manager
location:
gnu/packages/package-management.scm:804:2 name: gvfs synopsis: Userspace virtual file system for GIO location: gnu/packages/gnome.scm:7000:2 name: claws-mail synopsis: GTK-based Email client location: gnu/packages/mail.scm:1753:2 name: kbackup synopsis: Backup program with an easy-to-use interface location: gnu/packages/kde-utils.scm:438:2 name: cmake-minimal-cross synopsis: Cross-platform build system location: gnu/packages/cmake.scm:411:2 name: scilab synopsis: Software for engineers and scientists location: gnu/packages/maths.scm:9708:2 name: pixz synopsis: Parallel indexing implementation of LZMA location: gnu/packages/compression.scm:1037:2 name: cmake-minimal synopsis: Cross-platform build system location: gnu/packages/cmake.scm:263:2 name: python-fsspec synopsis: File-system specification location: gnu/packages/python-xyz.scm:27706:2 name: libostree synopsis: Operating system and container binary deployment and upgrades location: gnu/packages/package-management.scm:1958:2 name: cmake synopsis: Cross-platform build system location: gnu/packages/cmake.scm:346:2 name: meandmyshadow synopsis: Puzzle/platform game location: gnu/packages/games.scm:1788:2 name: reprotest synopsis: Build software and check it for reproducibility location: gnu/packages/diffoscope.scm:247:2 name: gimp-next synopsis: GNU Image Manipulation Program location: gnu/packages/gimp.scm:415:2 name: rdup synopsis: Provide a list of files to backup location: /home/leo/work/guix/gnu/packages/backup.scm:370:2 name: irods-client-icommands synopsis: Data management software location: gnu/packages/irods.scm:170:2 name: nestopia-ue synopsis: Nintendo Entertainment System (NES/Famicom) emulator location: gnu/packages/emulators.scm:1363:2 name: avogadrolibs synopsis: Libraries for chemistry, bioinformatics, and related areas location: gnu/packages/chemistry.scm:74:2 name: swi-prolog synopsis: ISO/Edinburgh-style Prolog interpreter location: gnu/packages/prolog.scm:88:2 name: evince synopsis: GNOME's 
document viewer location: gnu/packages/gnome.scm:2669:2 name: singularity synopsis: Container platform location: gnu/packages/linux.scm:5245:2 name: pqiv synopsis: Powerful image viewer with minimal UI location: gnu/packages/image-viewers.scm:896:2 name: python-libarchive-c synopsis: Python interface to libarchive location: gnu/packages/python-xyz.scm:16283:2 name: python-conda-package-handling synopsis: Create and extract conda packages of various formats location: gnu/packages/package-management.scm:1105:2 name: opencpn synopsis: Chart plotter and marine GPS navigation software location: gnu/packages/geo.scm:2473:2 name: midori synopsis: Lightweight graphical web browser location: gnu/packages/web-browsers.scm:106:2 name: appstream-glib synopsis: Library for reading and writing AppStream metadata location: gnu/packages/glib.scm:1346:2 name: libgxps synopsis: GObject-based library for handling and rendering XPS documents location: gnu/packages/gnome.scm:2069:2 name: libticalcs2 synopsis: Support library for TI calculators location: gnu/packages/emulators.scm:1747:2 name: irods synopsis: Data management software location: gnu/packages/irods.scm:48:2 name: ardour synopsis: Digital audio workstation location: gnu/packages/audio.scm:775:2 name: libtifiles2 synopsis: File functions library for TI calculators location: gnu/packages/emulators.scm:1712:2 name: flatpak synopsis: System for building, distributing, and running sandboxed desktop applications location: gnu/packages/package-management.scm:2011:2 name: epic5 synopsis: Epic5 IRC Client location: gnu/packages/irc.scm:669:2 name: file-roller synopsis: Graphical archive manager for GNOME location: gnu/packages/gnome.scm:7628:2 name: rpi-imager synopsis: Raspberry Pi Imaging Utility location: gnu/packages/raspberry-pi.scm:467:2 name: fwupd synopsis: Daemon to allow session software to update firmware location: gnu/packages/firmware.scm:211:2 name: totem-pl-parser synopsis: Library to parse and save media playlists 
for GNOME location: gnu/packages/gnome.scm:6075:1 name: osinfo-db-tools synopsis: Tools for managing the osinfo database location: gnu/packages/virtualization.scm:2691:2 name: ark synopsis: Graphical archiving tool location: gnu/packages/kde-utils.scm:54:2 name: vlc synopsis: Audio and video framework location: gnu/packages/video.scm:2365:2 name: fpm synopsis: Package building and mangling tool location: gnu/packages/package-management.scm:2118:2 name: hydrogen synopsis: Drum machine location: gnu/packages/music.scm:869:2 name: gnome-autoar synopsis: Archives integration support for GNOME location: gnu/packages/gnome.scm:9531:2 name: python-py7zr synopsis: 7-zip in Python location: gnu/packages/python-compression.scm:444:2 name: zathura-cb synopsis: Comic book support for zathura (libarchive backend) location: gnu/packages/pdf.scm:516:2 name: python-rarfile synopsis: RAR archive reader for Python location: gnu/packages/python-xyz.scm:19616:2 name: epiphany synopsis: GNOME web browser location: gnu/packages/gnome.scm:7160:2 name: gnome-arcade synopsis: Minimal MAME frontend location: gnu/packages/emulators.scm:1962:2 name: zeal synopsis: Offline documentation browser inspired by Dash location: gnu/packages/documentation.scm:412:4 name: pcsxr synopsis: PlayStation emulator location: gnu/packages/emulators.scm:2057:4 name: atril synopsis: Document viewer for Mate location: gnu/packages/mate.scm:683:2 ------ Leo Famulari (1): gnu: libarchive: Fix a potential security issue. gnu/local.mk | 1 + gnu/packages/backup.scm | 19 ++++++++ ...libarchive-remove-potential-backdoor.patch | 47 +++++++++++++++++++ 3 files changed, 67 insertions(+) create mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch base-commit: 4d79a9cd6b5f0d8c5afbab0c6b70ae42740d5470 -- 2.41.0
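The recsel listing above is the reviewer's worklist: every package in it should be rebuilt against the fixed libarchive. The script below is an added example, not part of Leo's patch or of Guix itself; it parses a small constructed sample in the same record shape, collapses duplicate names (tesseract-ocr appears twice, once per variant), drops the line:column suffix from each location, and emits one `./pre-inst-env guix build` command per dependent. The `guix build` invocation is assumed to be the test a reviewer runs; the sample records are constructed from the message and not a live query.

```shell
#!/bin/sh
# Added example: turn `guix package -s . | recsel -e '(dependencies ~
# "libarchive")' -p name,synopsis,location` output into a deduplicated
# list of packages to rebuild. Not part of Guix or of the patch series.

# Constructed sample in recsel's record format; four of the records from
# the cover letter, including the duplicated tesseract-ocr and the one
# location that leaked an absolute path from the author's checkout.
SAMPLE_RECORDS='name: dwarfs
synopsis: Fast high compression read-only file system
location: gnu/packages/file-systems.scm:2106:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:192:2

name: rdup
synopsis: Provide a list of files to backup
location: /home/leo/work/guix/gnu/packages/backup.scm:370:2
'

# dependents_to_test: read recsel records on stdin and print one
# "name<TAB>file" line per distinct package name, keeping the first
# location seen and stripping the trailing :line:column, sorted by name.
dependents_to_test() {
    awk -F': ' '
        $1 == "name"     { name = $2 }
        $1 == "location" {
            file = $2; sub(/:[0-9]+:[0-9]+$/, "", file)
            if (!(name in seen)) { seen[name] = 1; print name "\t" file }
        }' | sort
}

# build_commands: one rebuild command per dependent, against a checkout
# carrying the fix (./pre-inst-env). Assumed to be the reviewer's check.
build_commands() {
    dependents_to_test | cut -f1 | sed 's|^|./pre-inst-env guix build |'
}

printf '%s' "$SAMPLE_RECORDS" | dependents_to_test
printf '%s' "$SAMPLE_RECORDS" | build_commands
```

Pipe the real recsel output into `build_commands` instead of the sample to get the full worklist for the listing above.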