[bug#74283] [PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes]

unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed

* [bug#74283] [PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes]
@ 2024-11-09 14:27 Liliana Marie Prikler
  2024-11-12 11:32 ` bug#74283: " Maxim Cournoyer
  2024-11-13  2:56 ` [bug#74283] " Maxim Cournoyer
  0 siblings, 2 replies; 3+ messages in thread
From: Liliana Marie Prikler @ 2024-11-09 14:27 UTC (permalink / raw)
  To: 74283

* gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
(libarchive/fixed): New variable.

Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
Fixes: NULL pointer dereference [CVE-2022-36227].
---
 gnu/packages/backup.scm | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 0973c5ddca..22c1ef64e9 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -262,6 +262,7 @@ (define-public hdup
 (define-public libarchive
   (package
     (name "libarchive")
+    (replacement libarchive/fixed)
     (version "3.6.1")
     (source
      (origin
@@ -351,6 +352,22 @@ (define-public libarchive
 @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
     (license license:bsd-2)))
 
+(define-public libarchive/fixed
+  (package
+    (inherit libarchive)
+    (version "3.7.7")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
+                                 version ".tar.xz")
+                  (string-append "https://github.com/libarchive/libarchive"
+                                 "/releases/download/v" version "/libarchive-"
+                                 version ".tar.xz")))
+       (sha256
+        (base32
+         "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7"))))))
+
 (define-public rdup
   (package
     (name "rdup")

base-commit: 2a6d96425eea57dc6dd48a2bec16743046e32e06
prerequisite-patch-id: ecae21ac778a87cc06da1605938183a6d068b4e0
prerequisite-patch-id: 556d0786c44ebcc378f5a35ba582d6b3c98d44a2
prerequisite-patch-id: 13d32cd5a82d8f7092c058d31369dbeda68dc472
prerequisite-patch-id: 9e85b59d6e53ffb000d6e3f9fe2d317190a9cd97
prerequisite-patch-id: df8a3ab92c9a09f631eb1d4fd109813ba6a79ab9
prerequisite-patch-id: dcffb45b7cd5a54797227bb7b92c528dddd5c7a2
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 3+ messages in thread

* bug#74283: [PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes]
  2024-11-09 14:27 [bug#74283] [PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes] Liliana Marie Prikler
@ 2024-11-12 11:32 ` Maxim Cournoyer
  2024-11-13  2:56 ` [bug#74283] " Maxim Cournoyer
  1 sibling, 0 replies; 3+ messages in thread
From: Maxim Cournoyer @ 2024-11-12 11:32 UTC (permalink / raw)
  To: Liliana Marie Prikler; +Cc: 74283-done

Hi,

Liliana Marie Prikler <liliana.prikler@gmail.com> writes:

> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].

Pushed with a6dab6e915!  Thank you.

-- 
Thanks,
Maxim




^ permalink raw reply	[flat|nested] 3+ messages in thread

* [bug#74283] [PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes]
  2024-11-09 14:27 [bug#74283] [PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes] Liliana Marie Prikler
  2024-11-12 11:32 ` bug#74283: " Maxim Cournoyer
@ 2024-11-13  2:56 ` Maxim Cournoyer
  1 sibling, 0 replies; 3+ messages in thread
From: Maxim Cournoyer @ 2024-11-13  2:56 UTC (permalink / raw)
  To: Liliana Marie Prikler; +Cc: 74283-done

Hi Liliana,

Liliana Marie Prikler <liliana.prikler@gmail.com> writes:

> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].

Seems serious.

> ---
>  gnu/packages/backup.scm | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
>
> diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
> index 0973c5ddca..22c1ef64e9 100644
> --- a/gnu/packages/backup.scm
> +++ b/gnu/packages/backup.scm
> @@ -262,6 +262,7 @@ (define-public hdup
>  (define-public libarchive
>    (package
>      (name "libarchive")
> +    (replacement libarchive/fixed)
>      (version "3.6.1")
>      (source
>       (origin
> @@ -351,6 +352,22 @@ (define-public libarchive
>  @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
>      (license license:bsd-2)))
>  
> +(define-public libarchive/fixed

The replacement doesn't need to be exposed itself to users/api.  I'd
drop the '-public' part.

I've pushed it already, but will adjust to drop the public part later.

-- 
Thanks,
Maxim




^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2024-11-13  2:58 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-11-09 14:27 [bug#74283] [PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes] Liliana Marie Prikler
2024-11-12 11:32 ` bug#74283: " Maxim Cournoyer
2024-11-13  2:56 ` [bug#74283] " Maxim Cournoyer

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).