Subject: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
Resent-From: John Kehayias
Resent-Date: Thu, 04 Apr 2024 02:40:02 +0000
To: "pelzflorian (Florian Pelz)"
Cc: 70114@debbugs.gnu.org, 70113@debbugs.gnu.org, Leo Famulari
Date: Thu, 04 Apr 2024 02:38:55 +0000
Message-ID: <8734s1x35x.fsf@protonmail.com>
In-Reply-To: <871q7nev3k.fsf@pelzflorian.de>
References: <7a74261a419e9127887bc9ea096294e42156cce1.1711917891.git.leo@famulari.name> <87il10wipx.fsf@protonmail.com> <871q7nev3k.fsf@pelzflorian.de>
From: John Kehayias via Guix-patches

Hello,

On Tue, Apr 02, 2024 at 03:45 PM, pelzflorian (Florian Pelz) wrote:

> Hello,
>
> John Kehayias via Guix-patches via writes:
>>> +(define-public libarchive/fixed
>>> + (package
>>> + (inherit libarchive)
>>> + (version "3.6.1")
>>> + (source
>>> + (origin
>>> + (method url-fetch)
>>> + (uri (list (string-append "-"
>>> + version ".tar.xz")
>>> + (string-append ""
>>> + "/releases/download/v" version "/libarchive-"
>>> + version ".tar.xz")))
>>
>> In light of the xz backdoor, perhaps we should just do a git checkout of
>> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.
>
> Not having followed the details, I believe the git checkout contained an
> incomplete part of the malicious code too, from what Joshua Branson (I
> guess the sender is him?) cites from Phoronix
> :
>
> jbranso@dismail.de writes:
>> The malicious injection present in the xz versions 5.6.0 and 5.6.1
>> libraries is obfuscated and only included in full in the download package
>> - the Git distribution lacks the M4 macro that triggers the build
>> of the malicious code. The second-stage artifacts are present in
>> the Git repository for the injection during the build time, in
>> case the malicious M4 macro is present.
>
> It doesn’t look like avoiding tarballs gives us more verified code.
Well, it removes one step where something can be added. From what I understand, release tarballs don't match a git checkout, as often build artifacts (from autotools) are added, so it is just another potential attack vector. Indeed, it was only part of the attack here, but I do believe there is general support for trying to favor git checkouts when we can (there is overhead and I think issues for parts in bootstrapping, to get git). Certainly not perfect, but it gets us to "just" the source. One can still do things with access, of course.

Thanks Leo for the quick work here and pushing the patch, much appreciated!

John
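An added example, not code from the patch under review or from Guix itself, of what the git-checkout alternative discussed above would look like as a package variant. It assumes the upstream repository at https://github.com/libarchive/libarchive with a `v3.6.1` tag, uses a placeholder hash, and adds the autotools that a checkout needs because, unlike the tarball, it ships no generated `configure` script.

```scheme
;; Added example (not the patch under review): build libarchive 3.6.1 from
;; the upstream git tag instead of the release tarball, so that the only
;; input to the build is the tree that the tag points at.
(use-modules (guix packages)
             (guix git-download)
             (gnu packages autotools)        ; autoconf, automake, libtool
             (gnu packages backup))          ; provides `libarchive'

(define-public libarchive/from-git
  (package
    (inherit libarchive)
    (version "3.6.1")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             ;; Assumed upstream repository and tag naming (vX.Y.Z).
             (url "https://github.com/libarchive/libarchive")
             (commit (string-append "v" version))))
       (file-name (git-file-name "libarchive" version))
       ;; PLACEHOLDER hash: `guix build -S libarchive/from-git' reports the
       ;; actual content hash, which then pins the checked-out tree.
       (sha256
        (base32 "0000000000000000000000000000000000000000000000000000"))))
    ;; The git tree contains no pre-generated `configure', `Makefile.in' or
    ;; `aclocal.m4'; gnu-build-system's bootstrap phase regenerates them with
    ;; autoreconf, so the autotools must be present as native inputs.  This
    ;; is the "overhead" of avoiding the tarball: the generated files are
    ;; produced by Guix's own autotools rather than trusted from upstream.
    (native-inputs
     (modify-inputs (package-native-inputs libarchive)
       (prepend autoconf automake libtool)))))
```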