bug#26836: [PATCH] gnu: libarchive: Update to 3.3.1.

bug#26836: [PATCH] gnu: libarchive: Update to 3.3.1.

[Kei Kebreau]

Fixes CVE-2016-{10209,10350} and CVE-2017-5601.

* gnu/packages/backup.scm (libarchive): Update to 3.3.1.
---
 gnu/packages/backup.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index f9c0a22a0..569d5d64b 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -186,7 +186,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
-    (version "3.2.2")
+    (version "3.3.1")
     (source
      (origin
        (method url-fetch)
@@ -194,7 +194,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
                            version ".tar.gz"))
        (sha256
         (base32
-         "03q6y428rg723c9fj1vidzjw46w1vf8z0h95lkvz1l9jw571j739"))))
+         "1rr40hxlm9vy5z2zb5w7pyfkgd1a4s061qapm83s19accb8mpji9"))))
     (build-system gnu-build-system)
     ;; TODO: Add -L/path/to/nettle in libarchive.pc.
     (inputs
-- 
2.12.2

bug#26836: [PATCH] gnu: libarchive: Update to 3.3.1.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 470 bytes --]

On Mon, May 08, 2017 at 03:07:14PM -0400, Kei Kebreau wrote:
> Fixes CVE-2016-{10209,10350} and CVE-2017-5601.
> 
> * gnu/packages/backup.scm (libarchive): Update to 3.3.1.

Thanks!

Can you use a graft instead? Then, the commit message can be like this:

gnu: libarchive: Replace with 3.3.1 [security fixes].

Fixes CVE-2016-{10209,10350}, CVE-2017-5601.

* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive-3.3.1): New variable.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#26836: [PATCH] gnu: libarchive: Update to 3.3.1.

[Kei Kebreau]

[-- Attachment #1.1: Type: text/plain, Size: 569 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Mon, May 08, 2017 at 03:07:14PM -0400, Kei Kebreau wrote:
>> Fixes CVE-2016-{10209,10350} and CVE-2017-5601.
>> 
>> * gnu/packages/backup.scm (libarchive): Update to 3.3.1.
>
> Thanks!
>
> Can you use a graft instead? Then, the commit message can be like this:
>
> gnu: libarchive: Replace with 3.3.1 [security fixes].
>
> Fixes CVE-2016-{10209,10350}, CVE-2017-5601.
>
> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> (libarchive-3.3.1): New variable.

Like the patch I've attached?

[-- Attachment #1.2: 0001-gnu-libarchive-Replace-with-3.3.1-security-fixes.patch --]
[-- Type: text/plain, Size: 1869 bytes --]

From 45d3157bb61bb8b5f26ff13feb672759b6043e6f Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Mon, 8 May 2017 14:58:07 -0400
Subject: [PATCH] gnu: libarchive: Replace with 3.3.1 [security fixes].
To: 26836@debbugs.gnu.org

Fixes CVE-2016-{10209,10350} and CVE-2017-5601.

* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive-3.3.1): New variable.
---
 gnu/packages/backup.scm | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index f9c0a22a0..d5cb5783a 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
+;;; Copyright © 2017 Kei Kebreau <kei@openmailbox.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -186,6 +187,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
+    (replacement libarchive-3.3.1)
     (version "3.2.2")
     (source
      (origin
@@ -241,6 +243,20 @@ archive.  In particular, note that there is currently no built-in support for
 random access nor for in-place modification.")
     (license license:bsd-2)))
 
+(define libarchive-3.3.1
+  (package
+    (inherit libarchive)
+    (name "libarchive")
+    (version "3.3.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://libarchive.org/downloads/libarchive-"
+                           version ".tar.gz"))
+       (sha256
+        (base32
+         "1rr40hxlm9vy5z2zb5w7pyfkgd1a4s061qapm83s19accb8mpji9"))))))
+
 (define-public rdup
   (package
     (name "rdup")
-- 
2.12.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

bug#26836: [PATCH] gnu: libarchive: Update to 3.3.1.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1111 bytes --]

On Mon, May 08, 2017 at 05:10:28PM -0400, Kei Kebreau wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Mon, May 08, 2017 at 03:07:14PM -0400, Kei Kebreau wrote:
> >> Fixes CVE-2016-{10209,10350} and CVE-2017-5601.
> >> 
> >> * gnu/packages/backup.scm (libarchive): Update to 3.3.1.
> >
> > Thanks!
> >
> > Can you use a graft instead? Then, the commit message can be like this:
> >
> > gnu: libarchive: Replace with 3.3.1 [security fixes].
> >
> > Fixes CVE-2016-{10209,10350}, CVE-2017-5601.
> >
> > * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> > (libarchive-3.3.1): New variable.
> 
> Like the patch I've attached?

> From 45d3157bb61bb8b5f26ff13feb672759b6043e6f Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei@openmailbox.org>
> Date: Mon, 8 May 2017 14:58:07 -0400
> Subject: [PATCH] gnu: libarchive: Replace with 3.3.1 [security fixes].
> To: 26836@debbugs.gnu.org
> 
> Fixes CVE-2016-{10209,10350} and CVE-2017-5601.
> 
> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> (libarchive-3.3.1): New variable.

Thanks, LGTM!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#26836: [PATCH] gnu: libarchive: Update to 3.3.1.

[Kei Kebreau]

[-- Attachment #1: Type: text/plain, Size: 1218 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Mon, May 08, 2017 at 05:10:28PM -0400, Kei Kebreau wrote:
>> Leo Famulari <leo@famulari.name> writes:
>> 
>> > On Mon, May 08, 2017 at 03:07:14PM -0400, Kei Kebreau wrote:
>> >> Fixes CVE-2016-{10209,10350} and CVE-2017-5601.
>> >> 
>> >> * gnu/packages/backup.scm (libarchive): Update to 3.3.1.
>> >
>> > Thanks!
>> >
>> > Can you use a graft instead? Then, the commit message can be like this:
>> >
>> > gnu: libarchive: Replace with 3.3.1 [security fixes].
>> >
>> > Fixes CVE-2016-{10209,10350}, CVE-2017-5601.
>> >
>> > * gnu/packages/backup.scm (libarchive)[replacement]: New field.
>> > (libarchive-3.3.1): New variable.
>> 
>> Like the patch I've attached?
>
>> From 45d3157bb61bb8b5f26ff13feb672759b6043e6f Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau <kei@openmailbox.org>
>> Date: Mon, 8 May 2017 14:58:07 -0400
>> Subject: [PATCH] gnu: libarchive: Replace with 3.3.1 [security fixes].
>> To: 26836@debbugs.gnu.org
>> 
>> Fixes CVE-2016-{10209,10350} and CVE-2017-5601.
>> 
>> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
>> (libarchive-3.3.1): New variable.
>
> Thanks, LGTM!

Great! Pushed to master.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]