Subject: bug#47422: tar is vulnerable to CVE-2021-20193
From: Leo Famulari
To: 47422@debbugs.gnu.org
Cc: bug-guix@gnu.org
Date: Fri, 5 Nov 2021 12:23:44 -0400
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security
In-Reply-To: message from phodina via Bug reports for GNU Guix
References: <520e2097011aae1bfd9c20278e27e25813517b42.camel@zaclys.net>

On Fri, Nov 05, 2021 at 05:14:13AM +0000, phodina via Bug reports for GNU Guix wrote:
> here's a patch for the master branch as I'm not sure what the roadmap is for merging core-updates into master.
>
> The obvious downside is that the update triggers a large rebuild of core packages :-/

Right, it's not feasible to apply this patch on the master branch, for that reason.
And, it would not only require rebuilding core packages, but every single package, if I understand correctly.

For Guix's internal use of tar, it seems that CVE-2021-20193 [0] is not a problem:

"This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability."

When tar is used by Guix to unpack an upstream tarball, a Guix developer has already tested that it's possible to unpack the tarball without making the system unavailable. And Guix checks the source hash before unpacking the tarball.

Does this evaluation seem correct?

For use of tar by Guix users, we could add a new package 'tar-1.34' and arrange so that `guix install tar` selects it instead of tar@1.32, and so that whatever tar is provided by default on Guix System [1] is tar-1.34. And we would also take care to properly undo this workaround on the core-updates branch.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20193
[1] I *think* that is handled by ((gnu system) %base-packages-utils)
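The argument in the reply above rests on one property: the source hash is checked before tar ever parses the archive, so a crafted tarball that does not match the pinned digest is never opened. The following is an added illustration of that verify-then-unpack ordering; it is not Guix's own code (Guix does this in its `origin` machinery, in Scheme) and it is not a reproduction of CVE-2021-20193. The sample archive and its digest are constructed inline so it runs offline; the function and member names are the example's own.

```python
"""Verify-then-unpack, as an added example (not Guix's implementation).

The digest is computed over the raw archive bytes *before* any tar header is
parsed. A mismatch raises and the archive is never opened, so a crafted file
that could trigger a parser-side resource-consumption bug never reaches the
tar reader in the first place.
"""
import hashlib
import hmac
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of DATA (the digest a package definition would pin)."""
    return hashlib.sha256(data).hexdigest()


def build_sample_tarball() -> bytes:
    """Construct a small, deterministic tarball in memory (constructed sample).

    Uncompressed on purpose: a gzip wrapper would embed the current time and
    make the bytes, and hence the digest, differ between runs.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"hello from a pinned upstream release\n"
        info = tarfile.TarInfo(name="foo-1.0/README")
        info.size = len(payload)
        info.mtime = 0
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def verified_members(tarball: bytes, expected_sha256: str) -> list:
    """Return the member names of TARBALL, but only after its digest matches.

    Order matters: hash first, parse second. If the digest is wrong we raise
    without ever constructing a TarFile over the untrusted bytes.
    """
    actual = sha256_hex(tarball)
    # compare_digest avoids leaking where the mismatch occurs via timing;
    # not important for a local build, but a cheap habit.
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError(
            f"hash mismatch: expected {expected_sha256}, got {actual}; refusing to open"
        )
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


if __name__ == "__main__":
    archive = build_sample_tarball()
    pinned = sha256_hex(archive)  # what a package definition would record
    print("pinned digest:", pinned)
    print("members:", verified_members(archive, pinned))
    tampered = archive[:-1] + bytes([archive[-1] ^ 0x01])
    try:
        verified_members(tampered, pinned)
    except ValueError as exc:
        print("tampered archive rejected:", exc)
```

The tampered case flips one byte of the trailing padding, which a tar parser would happily accept; the hash check rejects it anyway, which is the point: correctness of the pinned digest, not robustness of the tar parser, is what stands between an untrusted upstream and the build.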