From: Liliana Marie Prikler <liliana.prikler@gmail.com>
To: 74283@debbugs.gnu.org
Subject: [bug#74283] [PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes]
Date: Sat, 9 Nov 2024 15:27:49 +0100 [thread overview]
Message-ID: <1ca0c3d9b6423645ebdfda7efbc9376477b07943.1731168409.git.liliana.prikler@gmail.com> (raw)
* gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
(libarchive/fixed): New variable.
Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
Fixes: NULL pointer dereference [CVE-2022-36227].
---
gnu/packages/backup.scm | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 0973c5ddca..22c1ef64e9 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -262,6 +262,7 @@ (define-public hdup
(define-public libarchive
(package
(name "libarchive")
+ (replacement libarchive/fixed)
(version "3.6.1")
(source
(origin
@@ -351,6 +352,22 @@ (define-public libarchive
@command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
(license license:bsd-2)))
+(define-public libarchive/fixed
+ (package
+ (inherit libarchive)
+ (version "3.7.7")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
+ version ".tar.xz")
+ (string-append "https://github.com/libarchive/libarchive"
+ "/releases/download/v" version "/libarchive-"
+ version ".tar.xz")))
+ (sha256
+ (base32
+ "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7"))))))
+
(define-public rdup
(package
(name "rdup")
base-commit: 2a6d96425eea57dc6dd48a2bec16743046e32e06
prerequisite-patch-id: ecae21ac778a87cc06da1605938183a6d068b4e0
prerequisite-patch-id: 556d0786c44ebcc378f5a35ba582d6b3c98d44a2
prerequisite-patch-id: 13d32cd5a82d8f7092c058d31369dbeda68dc472
prerequisite-patch-id: 9e85b59d6e53ffb000d6e3f9fe2d317190a9cd97
prerequisite-patch-id: df8a3ab92c9a09f631eb1d4fd109813ba6a79ab9
prerequisite-patch-id: dcffb45b7cd5a54797227bb7b92c528dddd5c7a2
--
2.46.0
next reply other threads:[~2024-11-09 16:11 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-09 14:27 Liliana Marie Prikler [this message]
2024-11-12 11:32 ` bug#74283: [PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes] Maxim Cournoyer
2024-11-13 2:56 ` [bug#74283] " Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1ca0c3d9b6423645ebdfda7efbc9376477b07943.1731168409.git.liliana.prikler@gmail.com \
--to=liliana.prikler@gmail.com \
--cc=74283@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).