From: Mark H Weaver <mhw@netris.org>
To: Maxime Devos <maximedevos@telenet.be>,
	Leo Famulari <leo@famulari.name>,
	47422@debbugs.gnu.org
Subject: bug#47422: tar is vulnerable to CVE-2021-20193
Date: Fri, 05 Nov 2021 16:15:55 -0400
Message-ID: <8735oauzmx.fsf@netris.org>
In-Reply-To: <82db7b68b4e9cc3037122cc45678f04eac97d810.camel@telenet.be>

Hi Maxime,

Maxime Devos <maximedevos@telenet.be> writes:

> Leo Famulari schreef op vr 05-11-2021 om 12:23 [-0400]:
>> For use of tar by Guix users, we could add a new package 'tar-1.34'
>> and arrange so that `guix install tar` selects it instead of
>> tar@1.32, and so that whatever tar is provided by default on Guix
>> System [1] is tar-1.34.
>
> I don't think this is sufficient, because some packages keep
> references to 'tar', e.g. 'hdup'. A solution would be registering
> the updated tar as a replacement of the somewhat vulnerable tar:

I think this is the better approach.  Leo's analysis is correct, but
there are a few problems:

(1) I guess that most Guix users don't install 'tar' manually, but
    rather depend on the fact that 'tar' is included in %base-packages,
    which references 'tar' by its variable name.

(2) Even for users who explicitly ask for 'tar', if they reference it by
    its variable name, they would still get the vulnerable version.
    That includes users (such as myself) who manage their profiles
    declaratively, i.e. using "guix package --manifest".

(3) As Maxime pointed out, it's possible that some packages might retain
    a reference to 'tar' to be used at runtime.

However, someone would need to test to make sure that after grafting
'tar', they can successfully rebuild their system and boot into it.
Hopefully the code in 'commencement' deals properly with a grafted
'tar', but that should be checked.

I won't be able to work on this today, so hopefully someone else can
take care of it.  Otherwise, I'll do it tomorrow.

      Thanks!
        Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.
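The "replacement" mechanism Maxime refers to is a Guix graft: the vulnerable package definition keeps its name and version, but points at a fixed package, and Guix rewrites references in dependents at build time rather than rebuilding the world. The following sketch is an added illustration of that shape, not code from this thread or from the Guix repository; it assumes the existing variable is `tar` in (gnu packages base), and the sha256 value is a placeholder to be replaced with the real hash of the tar-1.34 tarball.

```scheme
;; Added illustration (not Guix's own code) of the graft/replacement pattern
;; discussed in this thread, as it would look inside gnu/packages/base.scm.

;; The vulnerable package keeps its variable name and version, so that
;; %base-packages, manifests, and runtime references to 'tar' all still
;; resolve to this object; the (replacement ...) field is what makes
;; Guix substitute the fixed build when grafts are enabled (the default).
(define-public tar
  (package
    (name "tar")
    (version "1.32")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/tar/tar-" version ".tar.xz"))
              (sha256
               (base32 ;; existing hash of tar-1.32 stays as in the real file
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    ;; Point at the fixed package.  'replacement' is an innate field, so it is
    ;; not copied by 'inherit' below and no cycle is created.
    (replacement tar/fixed)
    (synopsis "Managing tar archives")
    (description "GNU tar ...")
    (license gpl3+)
    (home-page "https://www.gnu.org/software/tar/")))

;; The fixed package: identical to 'tar' except for the source.  A graft
;; requires the replacement to be file-layout compatible with the original,
;; which holds for a same-major point release of tar.
(define tar/fixed
  (package
    (inherit tar)
    (version "1.34")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/tar/tar-" version ".tar.xz"))
              (sha256
               (base32 ;; PLACEHOLDER: real base32 sha256 of tar-1.34.tar.xz
                "0000000000000000000000000000000000000000000000000000"))))))
```

To check that the graft actually takes effect, compare `guix build tar` with `guix build --no-grafts tar`: the two store paths differ once the replacement is registered, and `guix gc --references $(guix build tar)` should show no remaining reference to the ungrafted 1.32 output. Mark's concern about the bootstrap chain is tested separately with `guix system build` on a real configuration, since packages in (gnu packages commencement) are built without grafts and must not be affected by the replacement.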
