GNU bug report logs - #70113
[PATCH 1/1] gnu: libarchive: Fix a potential security issue.


Package: guix-patches; Reported by: Leo Famulari <leo@HIDDEN>; Keywords: patch security; merged with #70114; Done: Leo Famulari <leo@HIDDEN>; Maintainer for guix-patches is guix-patches@HIDDEN.
Added tag(s) security. Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org.

Message received at 70113 <at> debbugs.gnu.org:


Date: Thu, 04 Apr 2024 02:38:55 +0000
To: "pelzflorian (Florian Pelz)" <pelzflorian@HIDDEN>
From: John Kehayias <john.kehayias@HIDDEN>
Subject: Re: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security
 issue.
Message-ID: <8734s1x35x.fsf@HIDDEN>
In-Reply-To: <871q7nev3k.fsf@HIDDEN>
References: <7a74261a419e9127887bc9ea096294e42156cce1.1711917891.git.leo@HIDDEN>
 <87il10wipx.fsf@HIDDEN> <871q7nev3k.fsf@HIDDEN>
Cc: 70114 <at> debbugs.gnu.org, 70113 <at> debbugs.gnu.org,
 Leo Famulari <leo@HIDDEN>

Hello,

On Tue, Apr 02, 2024 at 03:45 PM, pelzflorian (Florian Pelz) wrote:

> Hello,
>
> John Kehayias via Guix-patches via <guix-patches@HIDDEN> writes:
>>> +(define-public libarchive/fixed
>>> +  (package
>>> +    (inherit libarchive)
>>> +    (version "3.6.1")
>>> +    (source
>>> +     (origin
>>> +       (method url-fetch)
>>> +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
>>> +                                 version ".tar.xz")
>>> +                  (string-append "https://github.com/libarchive/libarchive"
>>> +                                 "/releases/download/v" version "/libarchive-"
>>> +                                 version ".tar.xz")))
>>
>> In light of the xz backdoor, perhaps we should just do a git checkout of
>> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.
>
> Not having followed the details, I believe the git checkout contained an
> incomplete part of the malicious code too, from what Joshua Branson (I
> guess the sender is him?) cites from Phoronix
> <https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00002.html>:
>
> jbranso@HIDDEN writes:
>> The malicious injection present in the xz versions 5.6.0 and 5.6.1
>> libraries is obfuscated and only included in full in the download package
>> - the Git distribution lacks the M4 macro that triggers the build
>> of the malicious code. The second-stage artifacts are present in
>> the Git repository for the injection during the build time, in
>> case the malicious M4 macro is present.
>
> It doesn't look like avoiding tarballs gives us more verified code.
>

Well, it removes one step where something can be added. From what I
understand release tarballs don't match a git checkout as often build
artifacts (from autotools) are added, so it is just another potential
attack vector. Indeed, it was only part of the attack here, but I do
believe there is general support for trying to favor git checkouts
when we can (there is overhead and I think issues for parts in
bootstrapping, to get git). Certainly not perfect, but gets us to
"just" the source. One can still do things with access of course.

Thanks Leo for the quick work here and pushing the patch, much
appreciated!

John
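John's point above, that release tarballs carry files a git checkout does not, can be turned into a concrete check. The following is an added example, not code from this thread or from the libarchive or Guix projects: it compares the file set of a tarball with the file set of a git tag and separates the usual autotools output from tarball-only files that have no generated-file explanation and therefore deserve a look. The `EXPECTED_GENERATED` patterns and the `git_tag_files` helper are assumptions about a conventional autotools project, and all sample file names are constructed for the demo.

```python
"""Compare a release tarball's file set with a git tag's file set.

Added example (not from the Guix thread or the libarchive project).
Tarball-only files are split into expected autotools output and
"unexpected" files, which are the ones a reviewer should open.
"""
import fnmatch
import io
import subprocess
import tarfile

# Files autotools normally adds to a `make dist` tarball. Assumption: a
# conventional autoconf/automake/libtool layout; adjust per project.
EXPECTED_GENERATED = (
    "configure",
    "config.h.in",
    "aclocal.m4",
    "Makefile.in",
    "*/Makefile.in",
    "build-aux/*",
    "m4/libtool.m4",
    "m4/ltoptions.m4",
    "m4/ltsugar.m4",
    "m4/ltversion.m4",
    "m4/lt~obsolete.m4",
)


def tarball_files(data: bytes) -> set[str]:
    """Regular-file paths inside a tar archive (any compression), with the
    leading name-version/ directory stripped like tar --strip-components=1."""
    files = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            _top, sep, rest = member.name.partition("/")
            if sep and rest:
                files.add(rest)
    return files


def git_tag_files(repo: str, tag: str) -> set[str]:
    """Paths tracked at `tag` in a local clone, via git ls-tree.
    Not used by the offline sample run below (assumed helper)."""
    out = subprocess.run(
        ["git", "-C", repo, "ls-tree", "-r", "--name-only", tag],
        check=True, capture_output=True, text=True,
    ).stdout
    return {line for line in out.splitlines() if line}


def is_expected_generated(path: str) -> bool:
    """True if `path` matches a known autotools-generated file pattern."""
    return any(fnmatch.fnmatch(path, pattern) for pattern in EXPECTED_GENERATED)


def classify(tar_files: set[str], git_files: set[str]) -> dict[str, list[str]]:
    """Split the tarball/git difference into three sorted lists."""
    only_in_tarball = tar_files - git_files
    expected = {p for p in only_in_tarball if is_expected_generated(p)}
    return {
        "expected_generated": sorted(expected),
        "unexpected": sorted(only_in_tarball - expected),
        "only_in_git": sorted(git_files - tar_files),
    }


# Constructed sample: a tiny "release tarball" and the matching "git tag".
SAMPLE_TARBALL = {
    "configure": "#!/bin/sh\n# generated by autoconf\n",
    "Makefile.in": "# generated by automake\n",
    "configure.ac": "AC_INIT([sample], [3.6.1])\n",
    "Makefile.am": "SUBDIRS = src\n",
    "src/archive.c": "int main(void) { return 0; }\n",
    "m4/libtool.m4": "# libtool macros\n",
    "m4/extra-helper.m4": "# constructed: no generated-file explanation\n",
}
SAMPLE_GIT_TAG = {".gitignore", "configure.ac", "Makefile.am", "src/archive.c"}


def build_sample_tarball() -> bytes:
    """Write SAMPLE_TARBALL into an in-memory .tar.xz under sample-3.6.1/."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for path, text in SAMPLE_TARBALL.items():
            payload = text.encode()
            info = tarfile.TarInfo(name="sample-3.6.1/" + path)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def sample_report() -> dict[str, list[str]]:
    """Run the comparison on the constructed sample."""
    return classify(tarball_files(build_sample_tarball()), SAMPLE_GIT_TAG)


if __name__ == "__main__":
    for bucket, paths in sample_report().items():
        print(f"{bucket}:")
        for p in paths:
            print(f"  {p}")
```

On the sample, `m4/extra-helper.m4` is the only tarball-only file not covered by a generated-file pattern; on a real release, feed `git_tag_files(repo, "v3.6.1")` and the downloaded tarball bytes to `classify` instead.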





Information forwarded to guix-patches@HIDDEN:
bug#70113; Package guix-patches.

Message received at 70113-done <at> debbugs.gnu.org:


Date: Wed, 3 Apr 2024 18:08:12 -0400
From: Leo Famulari <leo@HIDDEN>
To: John Kehayias <john.kehayias@HIDDEN>
Subject: Re: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential
 security issue.
Message-ID: <Zg3TTEwIZkIObXc0@HIDDEN>
References: <87il10wipx.fsf@HIDDEN>
Cc: 70114 <at> debbugs.gnu.org, 70113-done <at> debbugs.gnu.org



On Tue, Apr 02, 2024 at 03:23:44AM +0000, John Kehayias wrote:
> Overall changes look good, but I have not had a chance to try it locally
> (building or dependents).

I successfully tested with the file-roller package, which depends
directly on libarchive and no other related packages. I think it's a
reasonable basic test case.

I agree it's a good idea to look into a more comprehensive update to
libarchive, but I just wanted to get this patch in ASAP.

Pushed as 629614c7a3f9283306939402f1ff46914f327c21





Notification sent to Leo Famulari <leo@HIDDEN>:
bug acknowledged by developer.
Reply sent to Leo Famulari <leo@HIDDEN>:
You have taken responsibility.


Message received at 70113 <at> debbugs.gnu.org:


From: "pelzflorian (Florian Pelz)" <pelzflorian@HIDDEN>
To: John Kehayias <john.kehayias@HIDDEN>
Subject: Re: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential
 security issue.
In-Reply-To: <87il10wipx.fsf@HIDDEN> (John Kehayias via Guix-patches
 via's message of "Tue, 02 Apr 2024 03:23:44 +0000")
References: <7a74261a419e9127887bc9ea096294e42156cce1.1711917891.git.leo@HIDDEN>
 <87il10wipx.fsf@HIDDEN>
Date: Tue, 02 Apr 2024 15:45:51 +0200
Message-ID: <871q7nev3k.fsf@HIDDEN>
Cc: 70114 <at> debbugs.gnu.org, 70113 <at> debbugs.gnu.org,
 Leo Famulari <leo@HIDDEN>

Hello,

John Kehayias via Guix-patches via <guix-patches@HIDDEN> writes:
>> +(define-public libarchive/fixed
>> +  (package
>> +    (inherit libarchive)
>> +    (version "3.6.1")
>> +    (source
>> +     (origin
>> +       (method url-fetch)
>> +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
>> +                                 version ".tar.xz")
>> +                  (string-append "https://github.com/libarchive/libarchive"
>> +                                 "/releases/download/v" version "/libarchive-"
>> +                                 version ".tar.xz")))
>
> In light of the xz backdoor, perhaps we should just do a git checkout of
> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

Not having followed the details, I believe the git checkout contained an
incomplete part of the malicious code too, from what Joshua Branson (I
guess the sender is him?) cites from Phoronix
<https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00002.html>:

jbranso@HIDDEN writes:
> The malicious injection present in the xz versions 5.6.0 and 5.6.1
> libraries is obfuscated and only included in full in the download package
> - the Git distribution lacks the M4 macro that triggers the build
> of the malicious code. The second-stage artifacts are present in
> the Git repository for the injection during the build time, in
> case the malicious M4 macro is present.

It doesn't look like avoiding tarballs gives us more verified code.

Regards,
Florian




Information forwarded to guix-patches@HIDDEN:
bug#70113; Package guix-patches.

Message received at 70113 <at> debbugs.gnu.org:


Date: Tue, 2 Apr 2024 16:24:04 +0300
From: Efraim Flashner <efraim@HIDDEN>
To: John Kehayias <john.kehayias@HIDDEN>
Subject: Re: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential
 security issue.
Message-ID: <ZgwG9F56NpS1YGt-@3900XT>
References: <7a74261a419e9127887bc9ea096294e42156cce1.1711917891.git.leo@HIDDEN>
 <87il10wipx.fsf@HIDDEN>
Cc: 70114 <at> debbugs.gnu.org, 70113 <at> debbugs.gnu.org,
 Leo Famulari <leo@HIDDEN>



On Tue, Apr 02, 2024 at 03:23:44AM +0000, John Kehayias via Guix-patches via wrote:
> Hi Leo,
>
> On Sun, Mar 31, 2024 at 04:44 PM, Leo Famulari wrote:
>
> > https://github.com/libarchive/libarchive/pull/2101
> >
> > * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> > (libarchive/fixed): New variable.
> > * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> >
>
> Overall changes look good, but I have not had a chance to try it locally
> (building or dependents).
>

This looks like what I was going to suggest

> [...]
>
> > +(define-public libarchive/fixed
> > +  (package
> > +    (inherit libarchive)
> > +    (version "3.6.1")
> > +    (source
> > +     (origin
> > +       (method url-fetch)
> > +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
> > +                                 version ".tar.xz")
> > +                  (string-append "https://github.com/libarchive/libarchive"
> > +                                 "/releases/download/v" version "/libarchive-"
> > +                                 version ".tar.xz")))
>
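Review bot: the quoted hunk ends at the `uri` list, before any `sha256` or `patches` field of the `libarchive/fixed` origin, so nothing visible here ties the new `gnu/packages/patches/libarchive-remove-potential-backdoor.patch` named in the commit message to this source; when reviewing the full patch, confirm the origin carries a `(patches (search-patches "libarchive-remove-potential-backdoor.patch"))` entry and a content hash, because the two mirror URIs only add download redundancy for the same 3.6.1 tarball and do not verify its contents. Since this package is the `[replacement]` (graft) that inherits from `libarchive` but pins `(version "3.6.1")`, it should be dropped again when `libarchive` itself is upgraded, or the two versions will drift apart.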
> In light of the xz backdoor, perhaps we should just do a git checkout of
> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

In this case it was just the patch which didn't do (just) what the
commit message said. IMO applying this patch will make us safe from this
potential JiaT75 backdoor, no bootstrapping from source needed.

> I haven't had a chance to look at potential ABI changes, but perhaps at
> least v3.6.2 is graftable? That also lists a security update (as well as
> later versions).
>
> Or, if it is easier and this is tested on your end, let's push this and
> do an upgrade to the latest on a branch. I would volunteer mesa-updates,
> but Cuirass has been stuck all day not building anything, so I don't
> know what will end up being quickest (which branch or a new one).

If it turns out that we need to move forward a bit to guard against
other CVEs then this patch should be forward compatible, considering it
was just added to the libarchive repository.

> Thanks for the quick work!
> John

Indeed. Thanks!

-- 
Efraim Flashner   <efraim@HIDDEN>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted





Information forwarded to guix-patches@HIDDEN:
bug#70113; Package guix-patches.

Message received at 70113 <at> debbugs.gnu.org:


Date: Tue, 02 Apr 2024 03:23:44 +0000
To: Leo Famulari <leo@HIDDEN>
From: John Kehayias <john.kehayias@HIDDEN>
Subject: Re: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
Message-ID: <87il10wipx.fsf@HIDDEN>
Cc: 70114 <at> debbugs.gnu.org, 70113 <at> debbugs.gnu.org

Hi Leo,

On Sun, Mar 31, 2024 at 04:44 PM, Leo Famulari wrote:

> https://github.com/libarchive/libarchive/pull/2101
>
> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> (libarchive/fixed): New variable.
> * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
>

Overall changes look good, but I have not had a chance to try it locally
(building or dependents).

[...]

> +(define-public libarchive/fixed
> +  (package
> +    (inherit libarchive)
> +    (version "3.6.1")
> +    (source
> +     (origin
> +       (method url-fetch)
> +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
> +                                 version ".tar.xz")
> +                  (string-append "https://github.com/libarchive/libarchive"
> +                                 "/releases/download/v" version "/libarchive-"
> +                                 version ".tar.xz")))

In light of the xz backdoor, perhaps we should just do a git checkout of
the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

I haven't had a chance to look at potential ABI changes, but perhaps at
least v3.6.2 is graftable? That also lists a security update (as well as
later versions).

Or, if it is easier and this is tested on your end, let's push this and
do an upgrade to the latest on a branch. I would volunteer mesa-updates,
but Cuirass has been stuck all day not building anything, so I don't
know what will end up being quickest (which branch or a new one).

Thanks for the quick work!
John





Information forwarded to guix-patches@HIDDEN:
bug#70113; Package guix-patches. Full text available.

Message received at 70113 <at> debbugs.gnu.org:


Date: Sun, 31 Mar 2024 16:51:16 -0400
From: Leo Famulari <leo@HIDDEN>
To: 70113 <at> debbugs.gnu.org
Subject: SECURITY: Xz backdoor / JiaT75 cleanup for libarchive
Message-ID: <ZgnMxDxsDkjr-mEa@HIDDEN>

The malicious actor that attacked Xz was also active in the libarchive
codebase:

https://github.com/libarchive/libarchive/issues/2103

This patch cherry-picks a fix for a potential vulnerability added by
this entity. The patch file includes annotations.

Please test with packages that directly use libarchive! For example:

------
$ ./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name,synopsis,location
name: dwarfs
synopsis: Fast high compression read-only file system
location: gnu/packages/file-systems.scm:2106:2

name: patool
synopsis: Portable archive file manager
location: gnu/packages/patool.scm:37:2

name: gnome-boxes
synopsis: View, access, and manage remote and virtual systems
location: gnu/packages/gnome.scm:12554:2

name: proot
synopsis: Unprivileged chroot, bind mount, and binfmt_misc
location: gnu/packages/linux.scm:8449:2

name: geary
synopsis: GNOME email application built around conversations
location: gnu/packages/gnome.scm:12630:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:192:2

name: reprepro
synopsis: Debian package repository producer
location: gnu/packages/debian.scm:610:2

name: libjami
synopsis: Jami core library and daemon
location: gnu/packages/jami.scm:85:2

name: diffoscope
synopsis: Compare files, archives, and directories in depth
location: gnu/packages/diffoscope.scm:75:2

name: geeqie
synopsis: Lightweight GTK+ based image viewer
location: gnu/packages/image-viewers.scm:235:2

name: samba
synopsis: The standard Windows interoperability suite of programs for GNU and Unix
location: gnu/packages/samba.scm:296:2

name: gpaste
synopsis: Clipboard management system for GNOME Shell
location: gnu/packages/gnome-xyz.scm:1012:2

name: libextractor
synopsis: Library to extract meta-data from media files
location: gnu/packages/gnunet.scm:87:2

name: unrar-free
synopsis: Extract files from RAR archives
location: gnu/packages/compression.scm:2813:2

name: archivemount
synopsis: Tool for mounting archive files with FUSE
location: gnu/packages/linux.scm:4034:2

name: rpm
synopsis: The RPM Package Manager
location: gnu/packages/package-management.scm:934:2

name: nix
synopsis: The Nix package manager
location: gnu/packages/package-management.scm:804:2

name: gvfs
synopsis: Userspace virtual file system for GIO
location: gnu/packages/gnome.scm:7000:2

name: claws-mail
synopsis: GTK-based Email client
location: gnu/packages/mail.scm:1753:2

name: kbackup
synopsis: Backup program with an easy-to-use interface
location: gnu/packages/kde-utils.scm:438:2

name: cmake-minimal-cross
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:411:2

name: scilab
synopsis: Software for engineers and scientists
location: gnu/packages/maths.scm:9708:2

name: pixz
synopsis: Parallel indexing implementation of LZMA
location: gnu/packages/compression.scm:1037:2

name: cmake-minimal
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:263:2

name: python-fsspec
synopsis: File-system specification
location: gnu/packages/python-xyz.scm:27706:2

name: libostree
synopsis: Operating system and container binary deployment and upgrades
location: gnu/packages/package-management.scm:1958:2

name: cmake
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:346:2

name: meandmyshadow
synopsis: Puzzle/platform game
location: gnu/packages/games.scm:1788:2

name: reprotest
synopsis: Build software and check it for reproducibility
location: gnu/packages/diffoscope.scm:247:2

name: gimp-next
synopsis: GNU Image Manipulation Program
location: gnu/packages/gimp.scm:415:2

name: rdup
synopsis: Provide a list of files to backup
location: /home/leo/work/guix/gnu/packages/backup.scm:370:2

name: irods-client-icommands
synopsis: Data management software
location: gnu/packages/irods.scm:170:2

name: nestopia-ue
synopsis: Nintendo Entertainment System (NES/Famicom) emulator
location: gnu/packages/emulators.scm:1363:2

name: avogadrolibs
synopsis: Libraries for chemistry, bioinformatics, and related areas
location: gnu/packages/chemistry.scm:74:2

name: swi-prolog
synopsis: ISO/Edinburgh-style Prolog interpreter
location: gnu/packages/prolog.scm:88:2

name: evince
synopsis: GNOME's document viewer
location: gnu/packages/gnome.scm:2669:2

name: singularity
synopsis: Container platform
location: gnu/packages/linux.scm:5245:2

name: pqiv
synopsis: Powerful image viewer with minimal UI
location: gnu/packages/image-viewers.scm:896:2

name: python-libarchive-c
synopsis: Python interface to libarchive
location: gnu/packages/python-xyz.scm:16283:2

name: python-conda-package-handling
synopsis: Create and extract conda packages of various formats
location: gnu/packages/package-management.scm:1105:2

name: opencpn
synopsis: Chart plotter and marine GPS navigation software
location: gnu/packages/geo.scm:2473:2

name: midori
synopsis: Lightweight graphical web browser
location: gnu/packages/web-browsers.scm:106:2

name: appstream-glib
synopsis: Library for reading and writing AppStream metadata
location: gnu/packages/glib.scm:1346:2

name: libgxps
synopsis: GObject-based library for handling and rendering XPS documents
location: gnu/packages/gnome.scm:2069:2

name: libticalcs2
synopsis: Support library for TI calculators
location: gnu/packages/emulators.scm:1747:2

name: irods
synopsis: Data management software
location: gnu/packages/irods.scm:48:2

name: ardour
synopsis: Digital audio workstation
location: gnu/packages/audio.scm:775:2

name: libtifiles2
synopsis: File functions library for TI calculators
location: gnu/packages/emulators.scm:1712:2

name: flatpak
synopsis: System for building, distributing, and running sandboxed desktop applications
location: gnu/packages/package-management.scm:2011:2

name: epic5
synopsis: Epic5 IRC Client
location: gnu/packages/irc.scm:669:2

name: file-roller
synopsis: Graphical archive manager for GNOME
location: gnu/packages/gnome.scm:7628:2

name: rpi-imager
synopsis: Raspberry Pi Imaging Utility
location: gnu/packages/raspberry-pi.scm:467:2

name: fwupd
synopsis: Daemon to allow session software to update firmware
location: gnu/packages/firmware.scm:211:2

name: totem-pl-parser
synopsis: Library to parse and save media playlists for GNOME
location: gnu/packages/gnome.scm:6075:1

name: osinfo-db-tools
synopsis: Tools for managing the osinfo database
location: gnu/packages/virtualization.scm:2691:2

name: ark
synopsis: Graphical archiving tool
location: gnu/packages/kde-utils.scm:54:2

name: vlc
synopsis: Audio and video framework
location: gnu/packages/video.scm:2365:2

name: fpm
synopsis: Package building and mangling tool
location: gnu/packages/package-management.scm:2118:2

name: hydrogen
synopsis: Drum machine
location: gnu/packages/music.scm:869:2

name: gnome-autoar
synopsis: Archives integration support for GNOME
location: gnu/packages/gnome.scm:9531:2

name: python-py7zr
synopsis: 7-zip in Python
location: gnu/packages/python-compression.scm:444:2

name: zathura-cb
synopsis: Comic book support for zathura (libarchive backend)
location: gnu/packages/pdf.scm:516:2

name: python-rarfile
synopsis: RAR archive reader for Python
location: gnu/packages/python-xyz.scm:19616:2

name: epiphany
synopsis: GNOME web browser
location: gnu/packages/gnome.scm:7160:2

name: gnome-arcade
synopsis: Minimal MAME frontend
location: gnu/packages/emulators.scm:1962:2

name: zeal
synopsis: Offline documentation browser inspired by Dash
location: gnu/packages/documentation.scm:412:4

name: pcsxr
synopsis: PlayStation emulator
location: gnu/packages/emulators.scm:2057:4

name: atril
synopsis: Document viewer for Mate
location: gnu/packages/mate.scm:683:2
------

--AH2PtxUB8NLoEAvi
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
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=nxqY
-----END PGP SIGNATURE-----

--AH2PtxUB8NLoEAvi--
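To show the failure mode the cherry-picked tar/read.c change corrects, here is an added C illustration (not libarchive or Guix code): a stand-in archive object records errno at the moment its operation fails, an unrelated call then clobbers the global errno, and the pre-fix pattern (strerror(errno) read late) reports the wrong cause while the fixed pattern (the library's own saved errno, the role archive_errno() plays in the real change) reports the right one. The struct fake_archive, fake_read_fails, report_errno_old/new and render_error_safely are this example's own names, and render_error_safely is only a simplified stand-in for safe_fprintf; its \xNN escape syntax is not libarchive's.

```c
/* Added illustration, not libarchive or Guix code. The names below are this
 * example's own stand-ins for the corresponding libarchive/bsdtar pieces. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the parts of 'struct archive' this example needs (hypothetical). */
struct fake_archive {
    int         saved_errno;   /* errno captured at the moment of failure */
    const char *error_string;  /* error text that may carry untrusted bytes */
};

/* Simulate a failing read that records errno, as libarchive does before
 * handing an error code back to the caller. */
static int fake_read_fails(struct fake_archive *a)
{
    errno = ENOENT;                          /* what the underlying syscall left */
    a->saved_errno = errno;                  /* captured right away */
    /* Constructed error text: a pathname-like string with an embedded ESC byte. */
    a->error_string = "constructed: cannot open file\x1b[31m";
    return -1;
}

/* An unrelated call that also sets errno. In bsdtar the intervening call was
 * fprintf(), whose effect on errno is unspecified; strtol() overflow is used
 * here because it sets ERANGE deterministically. */
static void unrelated_work_clobbers_errno(void)
{
    (void)strtol("99999999999999999999999", NULL, 10);
}

/* Pre-fix pattern from tar/read.c: errno is read only after other calls ran. */
int report_errno_old(struct fake_archive *a)
{
    fake_read_fails(a);
    unrelated_work_clobbers_errno();
    return errno;                            /* ERANGE, not the read's error */
}

/* Fixed pattern: use the errno the library captured when it failed. */
int report_errno_new(struct fake_archive *a)
{
    fake_read_fails(a);
    unrelated_work_clobbers_errno();
    return a->saved_errno;                   /* ENOENT, the real cause */
}

/* Copy msg into out, escaping every non-printable byte as \xNN so that a
 * crafted error string or pathname cannot emit terminal control sequences.
 * Returns the number of bytes written, excluding the terminating NUL. */
size_t render_error_safely(const char *msg, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)msg; *p != '\0'; p++) {
        char piece[5];
        int len;
        if (isprint(*p)) {
            piece[0] = (char)*p;
            len = 1;
        } else {
            len = snprintf(piece, sizeof piece, "\\x%02X", (unsigned)*p);
        }
        if (n + (size_t)len + 1 > outlen)    /* keep room for the NUL */
            break;
        memcpy(out + n, piece, (size_t)len);
        n += (size_t)len;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    struct fake_archive a = { 0, "" };
    char safe[128];

    printf("pre-fix pattern reports: %s\n", strerror(report_errno_old(&a)));
    printf("fixed pattern reports:   %s\n", strerror(report_errno_new(&a)));
    render_error_safely(a.error_string, safe, sizeof safe);
    printf("escaped error text:      %s\n", safe);
    return 0;
}
```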




Information forwarded to guix-patches@HIDDEN:
bug#70113; Package guix-patches. Full text available.
Merged 70113 70114. Request was from Leo Famulari <leo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Leo Famulari <leo@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
Date: Sun, 31 Mar 2024 16:44:51 -0400
Message-ID: <7a74261a419e9127887bc9ea096294e42156cce1.1711917891.git.leo@HIDDEN>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <cover.1711917891.git.leo@HIDDEN>
References: <cover.1711917891.git.leo@HIDDEN>

https://github.com/libarchive/libarchive/pull/2101

* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive/fixed): New variable.
* gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.

Change-Id: I939e9b842b10d1a78125da4a4599c38d9c037079
---
 gnu/local.mk                                  |  1 +
 gnu/packages/backup.scm                       | 19 ++++++++
 ...libarchive-remove-potential-backdoor.patch | 47 +++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index f2b480bded..68c6851402 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1575,6 +1575,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
   %D%/packages/patches/libaio-32bit-test.patch                  \
   %D%/packages/patches/libaio-riscv-test5.patch			\
+  %D%/packages/patches/libarchive-remove-potential-backdoor.patch	\
   %D%/packages/patches/libbase-fix-includes.patch		\
   %D%/packages/patches/libbase-use-own-logging.patch		\
   %D%/packages/patches/libbonobo-activation-test-race.patch	\
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 604102bc7b..5dfdfe7dd4 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -259,6 +259,7 @@ (define-public hdup
 (define-public libarchive
   (package
     (name "libarchive")
+    (replacement libarchive/fixed)
     (version "3.6.1")
     (source
      (origin
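Review bot: `(replacement libarchive/fixed)` forward-references a variable that is only defined further down the file. That works because the `replacement` field of Guix's package record is thunked and is only evaluated when the graft is computed, but a short comment above the field saying this is a graft for the JiaT75 cleanup would help the next reader, since nothing else in this hunk explains why the definition is replaced rather than edited in place.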
@@ -347,6 +348,24 @@ (define-public libarchive
 @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
     (license license:bsd-2)))
 
+(define-public libarchive/fixed
+  (package
+    (inherit libarchive)
+    (version "3.6.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
+                                 version ".tar.xz")
+                  (string-append "https://github.com/libarchive/libarchive"
+                                 "/releases/download/v" version "/libarchive-"
+                                 version ".tar.xz")))
+       (patches (search-patches "libarchive-remove-potential-backdoor.patch"))
+       (sha256
+        (base32
+         "1rj8q5v26lxxr8x4b4nqbrj7p06qvl91hb8cdxi3xx3qp771lhas"))))))
+
+
 (define-public rdup
   (package
     (name "rdup")
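Review bot: the new `origin` re-states both download URIs and the sha256 of the parent package instead of inheriting them, so the two copies can drift apart on the next update. The usual Guix idiom for a grafted fix is `(source (origin (inherit (package-source libarchive)) (patches (search-patches "libarchive-remove-potential-backdoor.patch"))))`, which keeps the URIs and hash in one place. The explicit `(version "3.6.1")` is redundant with `(inherit libarchive)`; the version does have to stay the same length for the graft to be valid, so it is better expressed as a comment than as a repeated field. Also, the two consecutive blank lines added before `(define-public rdup` should be one, matching the rest of the file.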
diff --git a/gnu/packages/patches/libarchive-remove-potential-backdoor.patch b/gnu/packages/patches/libarchive-remove-potential-backdoor.patch
new file mode 100644
index 0000000000..2b9a9e2ffe
--- /dev/null
+++ b/gnu/packages/patches/libarchive-remove-potential-backdoor.patch
@@ -0,0 +1,47 @@
+Remove code added by 'JiaT75', the malicious actor that backdoored `xz`:
+
+https://github.com/libarchive/libarchive/pull/2101
+
+At libarchive, they are reviewing all code contributed by this actor:
+
+https://github.com/libarchive/libarchive/issues/2103
+
+See the original disclosure and subsequent discussion for more
+information about this incident:
+
+https://seclists.org/oss-sec/2024/q1/268
+
+Patch copied from upstream source repository:
+
+https://github.com/libarchive/libarchive/pull/2101/commits/e200fd8abfb4cf895a1cab4d89b67e6eefe83942
+
+From 6110e9c82d8ba830c3440f36b990483ceaaea52c Mon Sep 17 00:00:00 2001
+From: Ed Maste <emaste@HIDDEN>
+Date: Fri, 29 Mar 2024 18:02:06 -0400
+Subject: [PATCH] tar: make error reporting more robust and use correct errno
+ (#2101)
+
+As discussed in #1609.
+---
+ tar/read.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tar/read.c b/tar/read.c
+index af3d3f42..a7f14a07 100644
+--- a/tar/read.c
++++ b/tar/read.c
+@@ -371,8 +371,9 @@ read_archive(struct bsdtar *bsdtar, char mode, struct archive *writer)
+ 			if (r != ARCHIVE_OK) {
+ 				if (!bsdtar->verbose)
+ 					safe_fprintf(stderr, "%s", archive_entry_pathname(entry));
+-				fprintf(stderr, ": %s: ", archive_error_string(a));
+-				fprintf(stderr, "%s", strerror(errno));
++				safe_fprintf(stderr, ": %s: %s",
++				    archive_error_string(a),
++				    strerror(archive_errno(a)));
+ 				if (!bsdtar->verbose)
+ 					fprintf(stderr, "\n");
+ 				bsdtar->return_value = 1;
+-- 
+2.41.0
+
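Review bot: the annotation says the patch was copied from commit e200fd8abfb4cf895a1cab4d89b67e6eefe83942 in PR 2101, but the embedded `From 6110e9c82d8ba830c3440f36b990483ceaaea52c` line names a different commit; please state which one was actually exported, or make the URL and the From line agree, so the provenance of a security patch can be checked without guessing. On the substance, the change does two things worth spelling out in the annotation: `strerror(errno)` was read after an intervening `fprintf` and so could report an errno unrelated to the failed libarchive call, which `archive_errno(a)` fixes, and the `archive_error_string(a)` text now goes through `safe_fprintf` rather than a raw `fprintf`, so the same escaping already applied to the pathname two lines above also covers the error text.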
-- 
2.41.0





Acknowledgement sent to Leo Famulari <leo@HIDDEN>:
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN. Full text available.
Report forwarded to guix-patches@HIDDEN:
bug#70113; Package guix-patches. Full text available.
Last modified: Sun, 7 Apr 2024 20:45:02 UTC
