Subject: [bug#74283] [PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes]
To: Liliana Marie Prikler
Cc: 74283-done@debbugs.gnu.org
From: Maxim Cournoyer
Date: Wed, 13 Nov 2024 11:56:22 +0900
Message-ID: <877c97265l.fsf@gmail.com>

Hi Liliana,

Liliana Marie Prikler writes:

> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].

Seems serious.

> --- > gnu/packages/backup.scm | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm > index 0973c5ddca..22c1ef64e9 100644 > --- a/gnu/packages/backup.scm > +++ b/gnu/packages/backup.scm > @@ -262,6 +262,7 @@ (define-public hdup > (define-public libarchive > (package > (name "libarchive") > + (replacement libarchive/fixed) > (version "3.6.1") > (source > (origin
> @@ -351,6 +352,22 @@ (define-public libarchive > @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.") > (license license:bsd-2))) > > +(define-public libarchive/fixed

The replacement doesn't need to be exposed itself to users/api. I'd drop the '-public' part.

I've pushed it already, but will adjust to drop the public part later.

--
Thanks,
Maxim
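
Review bot: the `(replacement libarchive/fixed)` field in the first hunk is attached to a package that stays at `(version "3.6.1")`, while the subject says the graft target is 3.7.7, and nothing in the commit message states that the two releases are ABI-compatible. A graft rewrites references in already-built dependents instead of rebuilding them, so it is only safe if 3.7.7 exports the same shared-library interface as 3.6.1. Suggest adding a line to the commit message, or a comment next to the `replacement` field, recording that the library ABI was checked between the two versions.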