GNU logs - #47422, boring messages


Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#47422: tar is vulnerable to CVE-2021-20193
Resent-From: =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Fri, 26 Mar 2021 21:32:02 +0000
Resent-Message-ID: <handler.47422.B.161679426821784 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 47422
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 47422 <at> debbugs.gnu.org
X-Debbugs-Original-To: bug-guix@HIDDEN
Received: via spool by submit <at> debbugs.gnu.org id=B.161679426821784
          (code B ref -1); Fri, 26 Mar 2021 21:32:02 +0000
Received: (at submit) by debbugs.gnu.org; 26 Mar 2021 21:31:08 +0000
Received: from localhost ([127.0.0.1]:42691 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lPu2u-0005fI-AW
	for submit <at> debbugs.gnu.org; Fri, 26 Mar 2021 17:31:08 -0400
Received: from lists.gnu.org ([209.51.188.17]:38598)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@HIDDEN>) id 1lPu2t-0005fB-6x
 for submit <at> debbugs.gnu.org; Fri, 26 Mar 2021 17:31:07 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:51202)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
 id 1lPu2s-0001T0-W9
 for bug-guix@HIDDEN; Fri, 26 Mar 2021 17:31:07 -0400
Received: from mail.zaclys.net ([178.33.93.72]:40713)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
 id 1lPu2o-0005MR-5A
 for bug-guix@HIDDEN; Fri, 26 Mar 2021 17:31:06 -0400
Received: from [192.168.0.44] (82-64-145-38.subs.proxad.net [82.64.145.38])
 (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12QLUvgM036157
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <bug-guix@HIDDEN>; Fri, 26 Mar 2021 22:30:57 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12QLUvgM036157
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@HIDDEN
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1616794257;
 bh=bXqhcighirSjeOlxOe3oq71ARYgbsiLR6u884l3r2kE=;
 h=Subject:From:To:Date:From;
 b=X5SsX2wdoMhW3MK75+LVMqXrUjuIYTATcBC4JYSrJS4I0Yjq5ZEpEvjEZs80PDRFu
 7YmQwi6rAyfzzWbo+ObDMwN6MQio5RYxKbxahufMeGARVyhYMWRLPRyUFKtgrdQFYr
 ztUgfssYBqpMW5mH3jYjxZSAbzdWBGUw0wqDFLUQ=
Message-ID: <520e2097011aae1bfd9c20278e27e25813517b42.camel@HIDDEN>
From: =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>
Date: Fri, 26 Mar 2021 22:30:57 +0100
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-vcrxFeFFAUdkPoLS4Qjo"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@HIDDEN;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)


--=-vcrxFeFFAUdkPoLS4Qjo
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

CVE-2021-20193	18:15
A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw
allows an attacker who can submit a crafted input file to tar to cause
uncontrolled consumption of memory. The highest threat from this
vulnerability is to system availability.

Patch available here:
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777

Unreleased for now.

We can probably apply it in core-updates now; we should fix it in
master also, since grafts don't apply to GNU Guix builds. Is that OK?

GNU Guix packages don't unpack arbitrary tarballs since we hardcode
hashes for verification, but still.

--=-vcrxFeFFAUdkPoLS4Qjo
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit


--=-vcrxFeFFAUdkPoLS4Qjo--
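
The report's closing point (hardcoded hashes keep arbitrary tarballs away from tar), shown as an added example that is not part of the original message and is not Guix code: the archive is hashed before tar parses a single header, and tar then runs under an address-space cap so runaway allocation fails inside tar instead of exhausting the host. The function name `safe_unpack`, its return codes and the 1 GiB cap are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: safe_unpack, its return codes and the cap are assumptions.

# safe_unpack ARCHIVE EXPECTED_SHA256 DESTDIR
# Returns 0 on success, 1 on hash mismatch, 2 on usage or extraction failure.
safe_unpack() {
    [ "$#" -eq 3 ] || return 2
    archive=$1 expected=$2 dest=$3
    [ -f "$archive" ] || return 2

    # Hash the raw bytes first: tar's header parser never sees an
    # archive that does not match the pinned digest.
    actual=$(sha256sum -- "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "refusing to unpack $archive: sha256 mismatch" >&2
        return 1
    fi

    mkdir -p -- "$dest" || return 2
    (
        # Cap tar's address space (value in KiB) in a subshell so the
        # limit does not leak into the caller. If the cap cannot be set
        # because a stricter hard limit is already in force, that
        # stricter limit still applies, so continue.
        ulimit -v 1048576 2>/dev/null || true
        tar -x -f "$archive" -C "$dest"
    ) || return 2
}
```

The hash gate only helps when the expected digest comes from a trusted place, such as a package definition under version control, and not from the same location as the tarball.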





Message sent:


Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>
Subject: bug#47422: Acknowledgement (tar is vulnerable to CVE-2021-20193)
Message-ID: <handler.47422.B.161679426821784.ack <at> debbugs.gnu.org>
References: <520e2097011aae1bfd9c20278e27e25813517b42.camel@HIDDEN>
X-Gnu-PR-Message: ack 47422
X-Gnu-PR-Package: guix
Reply-To: 47422 <at> debbugs.gnu.org
Date: Fri, 26 Mar 2021 21:32:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please
send it to 47422 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
47422: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47422
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems


Message received at control <at> debbugs.gnu.org:


Received: (at control) by debbugs.gnu.org; 26 Mar 2021 21:35:17 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Mar 26 17:35:17 2021
Received: from localhost ([127.0.0.1]:42696 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lPu6u-0005lK-U9
	for submit <at> debbugs.gnu.org; Fri, 26 Mar 2021 17:35:17 -0400
Received: from mail.zaclys.net ([178.33.93.72]:36899)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@HIDDEN>) id 1lPu6q-0005l0-4H
 for control <at> debbugs.gnu.org; Fri, 26 Mar 2021 17:35:15 -0400
Received: from [192.168.0.44] (82-64-145-38.subs.proxad.net [82.64.145.38])
 (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12QLZ5x8036378
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <control <at> debbugs.gnu.org>; Fri, 26 Mar 2021 22:35:05 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12QLZ5x8036378
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@HIDDEN
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1616794505;
 bh=feSo2I8gT0BiFNMU3T0q2TvyY5BC6EYGo6mFVwGf2Bo=;
 h=Subject:From:To:Date:From;
 b=jS9hKl7apy/e5QwknnG67OzGnE3kxuZBt8QqXNrTwVxFrlgr8+DYHhLwPSwmoX6LB
 H0x8YlBzq4QkK+CHi1O7K9U9v9n2CmWPWe07Q/H0YHTQ6zlK1mj+g6/S1uIwOEIx9I
 Wt4xdwIcE+f4SyG0Wx1Rq4BSoub5mJYKwseirZ2o=
Message-ID: <2559cf953da6495f033378d37af686c1d23b43b5.camel@HIDDEN>
Subject: 
From: =?ISO-8859-1?Q?L=E9o?= Le Bouter <lle-bout@HIDDEN>
To: control <at> debbugs.gnu.org
Date: Fri, 26 Mar 2021 22:35:05 +0100
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-Q61NcZgFErkV+fh88EpW"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
X-Spam-Score: 2.6 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  tags 47422 + security quit 
 Content analysis details:   (2.6 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 T_SPF_HELO_TEMPERROR   SPF: test of HELO record failed (temperror)
 -0.0 SPF_PASS               SPF: sender matches SPF record
 2.0 BLANK_SUBJECT          Subject is present but empty
 0.6 BODY_EMPTY             No body text in message
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 1.6 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  tags 47422 + security quit 
 
 Content analysis details:   (1.6 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager
  2.0 BLANK_SUBJECT          Subject is present but empty
  0.6 BODY_EMPTY             No body text in message


--=-Q61NcZgFErkV+fh88EpW
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

tags 47422 + security
quit



--=-Q61NcZgFErkV+fh88EpW
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit


--=-Q61NcZgFErkV+fh88EpW--






Last modified: Fri, 26 Mar 2021 21:45:02 UTC
