From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bug-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp0 ([2001:41d0:8:6d80::])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id cEeiN99SXmBnTgAAgWs5BA
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 26 Mar 2021 22:32:15 +0100
Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp0 with LMTPS
	id oL+HMd9SXmCFFQAA1q6Kng
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 26 Mar 2021 21:32:15 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 4F7671B1F9
	for <larch@yhetil.org>; Fri, 26 Mar 2021 22:32:15 +0100 (CET)
Received: from localhost ([::1]:37030 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1lPu3y-0001Xe-Gh
	for larch@yhetil.org; Fri, 26 Mar 2021 17:32:14 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:51300)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lPu3m-0001XE-Md
 for bug-guix@gnu.org; Fri, 26 Mar 2021 17:32:02 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:59378)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lPu3m-0005m1-F2
 for bug-guix@gnu.org; Fri, 26 Mar 2021 17:32:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1lPu3m-0005gR-9h
 for bug-guix@gnu.org; Fri, 26 Mar 2021 17:32:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: bug#47422: tar is vulnerable to CVE-2021-20193
Resent-From: =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@zaclys.net>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Fri, 26 Mar 2021 21:32:02 +0000
Resent-Message-ID: <handler.47422.B.161679426821784@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 47422
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 47422@debbugs.gnu.org
X-Debbugs-Original-To: bug-guix@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.161679426821784
 (code B ref -1); Fri, 26 Mar 2021 21:32:02 +0000
Received: (at submit) by debbugs.gnu.org; 26 Mar 2021 21:31:08 +0000
Received: from localhost ([127.0.0.1]:42691 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1lPu2u-0005fI-AW
 for submit@debbugs.gnu.org; Fri, 26 Mar 2021 17:31:08 -0400
Received: from lists.gnu.org ([209.51.188.17]:38598)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@zaclys.net>) id 1lPu2t-0005fB-6x
 for submit@debbugs.gnu.org; Fri, 26 Mar 2021 17:31:07 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:51202)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lPu2s-0001T0-W9
 for bug-guix@gnu.org; Fri, 26 Mar 2021 17:31:07 -0400
Received: from mail.zaclys.net ([178.33.93.72]:40713)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lPu2o-0005MR-5A
 for bug-guix@gnu.org; Fri, 26 Mar 2021 17:31:06 -0400
Received: from [192.168.0.44] (82-64-145-38.subs.proxad.net [82.64.145.38])
 (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12QLUvgM036157
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <bug-guix@gnu.org>; Fri, 26 Mar 2021 22:30:57 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12QLUvgM036157
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@zaclys.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1616794257;
 bh=bXqhcighirSjeOlxOe3oq71ARYgbsiLR6u884l3r2kE=;
 h=Subject:From:To:Date:From;
 b=X5SsX2wdoMhW3MK75+LVMqXrUjuIYTATcBC4JYSrJS4I0Yjq5ZEpEvjEZs80PDRFu
 7YmQwi6rAyfzzWbo+ObDMwN6MQio5RYxKbxahufMeGARVyhYMWRLPRyUFKtgrdQFYr
 ztUgfssYBqpMW5mH3jYjxZSAbzdWBGUw0wqDFLUQ=
Message-ID: <520e2097011aae1bfd9c20278e27e25813517b42.camel@zaclys.net>
Date: Fri, 26 Mar 2021 22:30:57 +0100
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-vcrxFeFFAUdkPoLS4Qjo"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net; 
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, 
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-guix@gnu.org
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+larch=yhetil.org@gnu.org>
Reply-to:  =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@zaclys.net>
From:  =?UTF-8?Q?L=C3=A9o?= Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1616794335;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:resent-cc:resent-from:resent-sender:
	 resent-message-id:list-id:list-help:list-unsubscribe:list-subscribe:
	 list-post:dkim-signature; bh=bXqhcighirSjeOlxOe3oq71ARYgbsiLR6u884l3r2kE=;
	b=VgZB0p1e2o3CcR7cXfqzcyFNHfRZHAUbefGbyELFpLxay62ERVGnsTq6wUcFhxG3LDWURo
	MktE/p4NMmpMfMWz6yid97TYnELsoT5wv4LhT2YhA37RaILyKvGrUvwvpifREjAOUn7YQq
	X9FUf1lzYMgOSWnx/AvVn3Rp86t77GCgy+bqduPVJoNnjMJR/xTmqFsZqmiUowi26PPxHe
	Zh3UEqs/40MUbnkadGhRz4NGKymoGmhxZsF6bNPPERoS4W9t7V+SLKa8l9fvoL/GLRwIb2
	bHCpiSrkJGBFROA8ympe1FzRCBCE0De0M9hrTxzFwUi1+C5ZeZw5MBqW5VUiOQ==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616794335; a=rsa-sha256; cv=none;
	b=P8aVjpZDBeV9/W/CtMLLupkkrBiptQeJVXFA9hsJApQY/Zswo591i363UpBi8LfYBhZoQp
	XuTt4hy/jYKVenUbqV8wpA4mXAVK4VVs7grbY5lmxAm2iHpc0lzFz45KaD/LHzv+Tsiw/7
	vktIDu8FKIWXft7ZUoeYuCuTJiSQdKFpUN4GJ0QJO8Rw8hlAqKaPs8G85aQhNPFX6Qag3X
	mgx9FGaXrfCVZzivm8tuPgA9QUTS2mJUglHi0djAaVlJkVM8C//cwbKruz8SDIetGMbfmH
	LzxHGI572Yt61Z8fHgb1EBOLT3nVcIADyfo5gBSaBWauWX695ytlrqv2kDGSkA==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b=X5SsX2wd;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Spam-Score: -5.02
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b=X5SsX2wd;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Queue-Id: 4F7671B1F9
X-Spam-Score: -5.02
X-Migadu-Scanner: scn0.migadu.com
X-TUID: UjsKRCSUZ3k/


--=-vcrxFeFFAUdkPoLS4Qjo
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

CVE-2021-20193	18:15
A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw
allows an attacker who can submit a crafted input file to tar to cause
uncontrolled consumption of memory. The highest threat from this
vulnerability is to system availability.

Patch available here:=20
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3Dd9d4435692150fa8ff68=
e1b1a473d187cc3fd777

Unreleased for now.

We can probably apply it in core-updates now, we should fix it in
master also, since grafts don't apply to GNU Guix builds is that OK?

GNU Guix packages don't unpack arbitrary tarballs since we hardcode
hashes for verification, but still.

--=-vcrxFeFFAUdkPoLS4Qjo
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBeUpEACgkQRaix6GvN
EKaWrA//Y2BwKy6QO9/cWqwZRS7BEPianKnio3VqzdGkgCuRi+9GYlyHVeK9wSgC
/TZWz1xB/6pqLJFlH6dKNr9cmEjxVFJRGRNRyfvHgtHwzf/5/mYmcYYHA4d2Ccl4
9+UU1NZCRZSZkjFrVMGZ682HIUe5CQ3MzOVWxbaSdo1jecFnk/pHkDqWr8tJKCFL
vo9OHLmhHVHZcExStWJXDM37iSyHw+XAumzURci/sDZy7lxmh6QhtRPjnKaKDaI6
+ppWjaY8kDHWnbRRm5sdMsKNXXeGEbx10ATfay5v3PWqZoi63nGF1NVgBmM57gE1
L8dwBJtt8apzKOdiulc77Wrc8isdWhp/qE9078gKQdOnBBiG8cdzbnMuxrTBnL12
afDOkfH25IJ+Uv2c4ZQdg/O6J9bqIj/Fw5yIIIbCviHil3mV4A2LczBOD3rOol5F
D5JkrHJ/Nx7lbPviyt/fEye4sqBaiy8PlZxvLmp02WrDXTUEaxCTE1Q8Jga94/Tk
jneMtuXRa1ivj81GP81bs31C36+cz+aCBcsz0Xp2MCPHOv43BwxLwvAMxvq/nQdZ
AZNAYsUCSEaxklhjrl4kGwXteBf/qMgDp5iYBmdGhS+vMggapgXZqfbkJ04kq2ny
JaYZ+i3iPdzRxFYyTG7L3vzkBuY5E519NrNO8rSiYjlUCjCnICs=
=e+Y2
-----END PGP SIGNATURE-----

--=-vcrxFeFFAUdkPoLS4Qjo--