From: Leo Famulari <leo@famulari.name>
To: 47422@debbugs.gnu.org
Subject: bug#47422: tar is vulnerable to CVE-2021-20193
Date: Fri, 5 Nov 2021 12:23:44 -0400 [thread overview]
Message-ID: <YYVakIUhmYGjGLvW@jasmine.lan> (raw)
In-Reply-To: <ysdJZxCdgMKsc9Tq-LKYLg_OgwwdXBljXBYTzfupOKMOshTTI34ijmXx0D8acxWF7OYW9NFXOLFLOVuV-NT-T3IyIjxCU0RboaItON_XjFY=@protonmail.com>
On Fri, Nov 05, 2021 at 05:14:13AM +0000, phodina via Bug reports for GNU Guix wrote:
> here's patch for the master branch as I'm not sure what is the roadmap for merging core-updates into master.
>
> The obvious downside is that the update triggers large rebuild of core packages :-/
Right, it's not feasible to apply this patch on the master branch, for
that reason. And, it would not only require rebuilding core packages,
but every single package, if I understand correctly.
For Guix's internal use of tar, it seems that CVE-2021-20193 [0] is not
a problem:
"This flaw allows an attacker who can submit a crafted input file to tar
to cause uncontrolled consumption of memory. The highest threat from
this vulnerability is to system availability."
When tar is used by Guix to unpack an upstream tarball, a Guix developer
has already tested that it's possible to unpack the tarball without
making the system unavailable. And Guix checks the source hash before
unpacking the tarball. Does this evaluation seem correct?
For use of tar by Guix users, we could add a new package 'tar-1.34' and
arrange so that `guix install tar` selects it instead of tar@1.32, and
so that whatever tar is provided by default on Guix System [1] is
tar-1.34. And we would also take care to properly undo this workaround
on the core-updates branch.
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20193
[1] I *think* that is handled by ((gnu system) %base-packages-utils)
next prev parent reply other threads:[~2021-11-05 16:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-26 21:30 bug#47422: tar is vulnerable to CVE-2021-20193 Léo Le Bouter via Bug reports for GNU Guix
2021-03-26 22:40 ` Maxime Devos
2021-11-05 5:14 ` phodina via Bug reports for GNU Guix
2021-11-05 16:23 ` Leo Famulari [this message]
2021-11-05 16:50 ` Maxime Devos
2021-11-05 20:15 ` Mark H Weaver
2021-11-06 18:12 ` Mark H Weaver
2021-11-12 7:54 ` Mark H Weaver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YYVakIUhmYGjGLvW@jasmine.lan \
--to=leo@famulari.name \
--cc=47422@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).