From: Maxime Devos <maximedevos@telenet.be>
To: Leo Famulari <leo@famulari.name>, 47422@debbugs.gnu.org
Subject: bug#47422: tar is vulnerable to CVE-2021-20193
Date: Fri, 05 Nov 2021 16:50:42 +0000 [thread overview]
Message-ID: <82db7b68b4e9cc3037122cc45678f04eac97d810.camel@telenet.be> (raw)
In-Reply-To: <YYVakIUhmYGjGLvW@jasmine.lan>
Leo Famulari schreef op vr 05-11-2021 om 12:23 [-0400]:
> On Fri, Nov 05, 2021 at 05:14:13AM +0000, phodina via Bug reports for
> GNU Guix wrote:
> > here's patch for the master branch as I'm not sure what is the
> > roadmap for merging core-updates into master.
> >
> > The obvious downside is that the update triggers large rebuild of
> > core packages :-/
>
> [...]
>
> "This flaw allows an attacker who can submit a crafted input file to
> tar
> to cause uncontrolled consumption of memory. The highest threat from
> this vulnerability is to system availability."
>
> [...]
>
> For use of tar by Guix users, we could add a new package 'tar-1.34'
> and
> arrange so that `guix install tar` selects it instead of tar@1.32,
> and
> so that whatever tar is provided by default on Guix System [1] is
> tar-1.34.
I don't think this is sufficient, because some packages keep
references to 'tar', e.g. 'hdup'. A solution would be registering
the updated tar as a replacement of the somewhat vulnerable tar:
(define-public tar
(package
(name "tar")
(version "1.32")
(replacement tar/fixed)
...))
(define-public tar/fixed
(package
(inherit tar)
(version "1.34")
(source ...)))
Greetings,
Maxime.
--
not hacking on guix for a while, only occassionally looking at IRC logs
and bug reports. E-mails are unsigned until backup is located.
next prev parent reply other threads:[~2021-11-05 16:51 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-26 21:30 bug#47422: tar is vulnerable to CVE-2021-20193 Léo Le Bouter via Bug reports for GNU Guix
2021-03-26 22:40 ` Maxime Devos
2021-11-05 5:14 ` phodina via Bug reports for GNU Guix
2021-11-05 16:23 ` Leo Famulari
2021-11-05 16:50 ` Maxime Devos [this message]
2021-11-05 20:15 ` Mark H Weaver
2021-11-06 18:12 ` Mark H Weaver
2021-11-12 7:54 ` Mark H Weaver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=82db7b68b4e9cc3037122cc45678f04eac97d810.camel@telenet.be \
--to=maximedevos@telenet.be \
--cc=47422@debbugs.gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).