From: Mark H Weaver <mhw@netris.org>
To: Maxime Devos <maximedevos@telenet.be>,
Leo Famulari <leo@famulari.name>,
47422@debbugs.gnu.org
Subject: bug#47422: tar is vulnerable to CVE-2021-20193
Date: Sat, 06 Nov 2021 14:12:52 -0400 [thread overview]
Message-ID: <8735o9b1a8.fsf@netris.org> (raw)
In-Reply-To: <8735oauzmx.fsf@netris.org>
[-- Attachment #1: Type: text/plain, Size: 147 bytes --]
Hi,
Here's a proposed fix, which I've tested on my own system.
Are there any objections to pushing this to 'master'?
Thanks,
Mark
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: [PATCH] gnu: tar: Replace with 1.34 [fixes CVE-2021-20193] --]
[-- Type: text/x-patch, Size: 1548 bytes --]
From 5737b91e9979c7df2a76b033f38871c2326ab0f1 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 6 Nov 2021 05:52:24 -0400
Subject: [PATCH] gnu: tar: Replace with 1.34 [fixes CVE-2021-20193].
* gnu/packages/base.scm (tar)[replacement]: New field.
(tar-1.34): New variable.
---
gnu/packages/base.scm | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index ea2e102c15..77731d3720 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -180,6 +180,7 @@ implementation offers several extensions over the standard utility.")
(package
(name "tar")
(version "1.32")
+ (replacement tar-1.34)
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/tar/tar-"
@@ -234,6 +235,21 @@ standard utility.")
(license gpl3+)
(home-page "https://www.gnu.org/software/tar/")))
+(define-public tar-1.34 ; fixes CVE-2021-20193
+ (package
+ (inherit tar)
+ (version "1.34")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://gnu/tar/tar-"
+ version ".tar.xz"))
+ (sha256
+ (base32
+ "0a0x87anh9chbi2cgcyy7pmnm5hzk4yd1w2j8gm1wplwhwkbvgk3"))
+ (patches
+ (search-patches "tar-skip-unreliable-tests.patch"
+ "tar-remove-wholesparse-check.patch"))))))
+
(define-public patch
(package
(name "patch")
--
2.31.1
[-- Attachment #3: Type: text/plain, Size: 154 bytes --]
--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.
next prev parent reply other threads:[~2021-11-06 18:15 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-26 21:30 bug#47422: tar is vulnerable to CVE-2021-20193 Léo Le Bouter via Bug reports for GNU Guix
2021-03-26 22:40 ` Maxime Devos
2021-11-05 5:14 ` phodina via Bug reports for GNU Guix
2021-11-05 16:23 ` Leo Famulari
2021-11-05 16:50 ` Maxime Devos
2021-11-05 20:15 ` Mark H Weaver
2021-11-06 18:12 ` Mark H Weaver [this message]
2021-11-12 7:54 ` Mark H Weaver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8735o9b1a8.fsf@netris.org \
--to=mhw@netris.org \
--cc=47422@debbugs.gnu.org \
--cc=leo@famulari.name \
--cc=maximedevos@telenet.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).