Subject: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
From: "pelzflorian (Florian Pelz)"
To: John Kehayias
Cc: 70114@debbugs.gnu.org, 70113@debbugs.gnu.org, Leo Famulari
Date: Tue, 02 Apr 2024 15:45:51 +0200
Message-ID: <871q7nev3k.fsf@pelzflorian.de>
In-Reply-To: <87il10wipx.fsf@protonmail.com> (John Kehayias via Guix-patches via's message of "Tue, 02 Apr 2024 03:23:44 +0000")
References: <7a74261a419e9127887bc9ea096294e42156cce1.1711917891.git.leo@famulari.name> <87il10wipx.fsf@protonmail.com>

Hello,

John Kehayias via Guix-patches via writes:

>> +(define-public libarchive/fixed
>> +  (package
>> +    (inherit libarchive)
>> +    (version "3.6.1")
>> +    (source
>> +     (origin
>> +       (method url-fetch)
>> +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
>> +                                 version ".tar.xz")
>> +                  (string-append "https://github.com/libarchive/libarchive"
>> +                                 "/releases/download/v" version "/libarchive-"
>> +                                 version ".tar.xz")))
>
> In light of the xz backdoor, perhaps we should just do a git checkout of
> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

Not having followed the details, I believe the git checkout contained an
incomplete part of the malicious code too, from what Joshua Branson (I
guess the sender is him?) cites from Phoronix:

jbranso@dismail.de writes:

> The malicious injection present in the xz versions 5.6.0 and 5.6.1
> libraries is obfuscated and only included in full in the download package
> - the Git distribution lacks the M4 macro that triggers the build
> of the malicious code. The second-stage artifacts are present in
> the Git repository for the injection during the build time, in
> case the malicious M4 macro is present.

It doesn’t look like avoiding tarballs gives us more verified code.

Regards,
Florian
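Review bot: the quoted hunk introduces `libarchive/fixed` with no comment saying which issue the bump to version "3.6.1" addresses; a one-line comment above `(define-public libarchive/fixed` naming the CVE or the upstream release note would let whoever later removes the graft know when it is safe to do so. The quoted fragment stops after the `uri` list, so the rest of the `origin` cannot be reviewed from this message.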
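The question raised above, whether a git checkout of the release tag buys anything over the tarball, can be made concrete by diffing the two. The script below is an added example and is not code from the Guix patch or from anyone in this thread. It lists the files a release tarball contains that the git tree for the same tag does not, separating the autotools-generated files one expects from anything else, and also reports files that differ or exist only in git. The tarball and the "git tree" are constructed in memory so it runs offline; the path names follow the shape of the xz 5.6.x case (an M4 file present only in the tarball, a test file committed to git), but every file's contents here are placeholders.

```python
"""Compare a release tarball against the files tracked in git for the same tag.

Added example, not part of the Guix patch or of this thread.  The sample
tarball and git tree are constructed below; only the shape of the xz case is
reproduced, all file contents are placeholders.
"""
import hashlib
import io
import tarfile

# Files that autotools regenerates when rolling a release tarball and that
# are therefore normally absent from git.  Any other tarball-only file is
# worth a human look: the xz trigger lived in an m4/ file of exactly this kind.
EXPECTED_GENERATED = frozenset({
    "configure", "config.h.in", "aclocal.m4", "install-sh", "compile",
    "depcomp", "missing", "ltmain.sh", "config.guess", "config.sub",
    "m4/libtool.m4", "m4/ltoptions.m4", "m4/ltsugar.m4", "m4/ltversion.m4",
    "m4/lt~obsolete.m4",
})


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_expected_generated(path: str) -> bool:
    """Makefile.in appears in every directory; the rest are matched exactly."""
    return path in EXPECTED_GENERATED or path.rsplit("/", 1)[-1] == "Makefile.in"


def tarball_files(tar_bytes: bytes) -> dict:
    """Map path (top-level directory stripped) -> sha256 for every regular file."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[-1] if "/" in member.name else member.name
            files[path] = sha256(tf.extractfile(member).read())
    return files


def compare(tar_files: dict, git_files: dict) -> dict:
    """Classify differences between the tarball and the git tree.

    git_files is what `git ls-tree -r <tag>` plus hashing each blob yields;
    here it is passed in as a plain dict of path -> sha256.
    """
    tar_only = set(tar_files) - set(git_files)
    both = set(tar_files) & set(git_files)
    return {
        "suspicious": sorted(p for p in tar_only if not is_expected_generated(p)),
        "generated": sorted(p for p in tar_only if is_expected_generated(p)),
        "git_only": sorted(set(git_files) - set(tar_files)),
        "modified": sorted(p for p in both if tar_files[p] != git_files[p]),
    }


def build_sample() -> tuple:
    """Constructed sample: a fake 'xz-5.6.1' tarball and the matching git tree.

    The M4 trigger exists solely in the tarball; the 'second stage' test file
    is committed to git, so it hashes identically on both sides.
    """
    src = b"int lzma_dummy(void) { return 0; }\n"
    stage2 = b"\x00placeholder for a binary test file\x00"
    tarball_only = {
        "xz-5.6.1/configure": b"#!/bin/sh\n# generated by autoconf (placeholder)\n",
        "xz-5.6.1/Makefile.in": b"# generated by automake (placeholder)\n",
        "xz-5.6.1/m4/build-to-host.m4": b"# placeholder: macro only in the tarball\n",
    }
    shared = {
        "xz-5.6.1/src/liblzma/common.c": src,
        "xz-5.6.1/tests/files/bad-3-corrupt_lzma2.xz": stage2,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in {**tarball_only, **shared}.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    git_tree = {name.split("/", 1)[1]: sha256(data) for name, data in shared.items()}
    git_tree["configure.ac"] = sha256(b"AC_INIT([xz], [5.6.1])\n")  # git-only source
    return buf.getvalue(), git_tree


def audit_sample() -> dict:
    """Run the comparison on the constructed sample."""
    tar_bytes, git_tree = build_sample()
    return compare(tarball_files(tar_bytes), git_tree)


if __name__ == "__main__":
    for key, paths in audit_sample().items():
        print(f"{key}: {paths}")
```

Against a real release the git side would come from `git ls-tree -r v3.6.1` and hashing each blob. The output shows both halves of the point made in the quoted Phoronix text: the tarball-only M4 file is flagged as suspicious, while the committed second-stage test file is identical on both sides and is not flagged at all, which is why swapping `url-fetch` for a git checkout does not by itself verify more code.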