Subject: bug#26836: [PATCH] gnu: libarchive: Update to 3.3.1.
From: Kei Kebreau
Date: Mon, 08 May 2017 17:10:28 -0400
Message-ID: <878tm7kqbf.fsf@openmailbox.org>
In-Reply-To: <20170508192548.GA20051@jasmine> (Leo Famulari's message of "Mon, 8 May 2017 15:25:48 -0400")
To: Leo Famulari
Cc: 26836@debbugs.gnu.org

Leo Famulari writes:

> On Mon, May 08, 2017 at 03:07:14PM -0400, Kei Kebreau wrote:
>> Fixes CVE-2016-{10209,10350} and CVE-2017-5601.
>>
>> * gnu/packages/backup.scm (libarchive): Update to 3.3.1.
>
> Thanks!
>
> Can you use a graft instead? Then, the commit message can be like this:
>
> gnu: libarchive: Replace with 3.3.1 [security fixes].
>
> Fixes CVE-2016-{10209,10350}, CVE-2017-5601.
>
> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> (libarchive-3.3.1): New variable.

Like the patch I've attached?

From 45d3157bb61bb8b5f26ff13feb672759b6043e6f Mon Sep 17 00:00:00 2001
From: Kei Kebreau
Date: Mon, 8 May 2017 14:58:07 -0400
Subject: [PATCH] gnu: libarchive: Replace with 3.3.1 [security fixes].
To: 26836@debbugs.gnu.org

Fixes CVE-2016-{10209,10350} and CVE-2017-5601.

* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive-3.3.1): New variable.
---
 gnu/packages/backup.scm | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index f9c0a22a0..d5cb5783a 100644 =2D-- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm @@ -5,6 +5,7 @@ ;;; Copyright =C2=A9 2017 Tobias Geerinckx-Rice ;;; Copyright =C2=A9 2017 Thomas Danckaert ;;; Copyright =C2=A9 2017 Arun Isaac +;;; Copyright =C2=A9 2017 Kei Kebreau ;;; ;;; This file is part of GNU Guix. ;;; @@ -186,6 +187,7 @@ backups (called chunks) to allow easy burning to CD/DVD= .") (define-public libarchive (package (name "libarchive") + (replacement libarchive-3.3.1) (version "3.2.2") (source (origin 
@@ -241,6 +243,20 @@ archive. In particular, note that there is currently = no built-in support for random access nor for in-place modification.") (license license:bsd-2))) =20 +(define libarchive-3.3.1 + (package + (inherit libarchive) + (name "libarchive") + (version "3.3.1") + (source + (origin + (method url-fetch) + (uri (string-append "http://libarchive.org/downloads/libarchive-" + version ".tar.gz")) + (sha256 + (base32 + "1rr40hxlm9vy5z2zb5w7pyfkgd1a4s061qapm83s19accb8mpji9")))))) + (define-public rdup (package (name "rdup") =2D-=20 2.12.2
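
Review bot: In the `@@ -186,6 +187,7 @@` hunk, `(replacement libarchive-3.3.1)` grafts a 3.3.1 build onto a package whose `version` stays "3.2.2". Grafting rewrites references in dependent packages without rebuilding them, so the security fix only reaches users safely if 3.3.1 keeps the ABI that 3.2.2 exposes. Please say in the commit message or in a comment next to the `replacement` field that compatibility was checked, for example by comparing the shared library soname and exported symbols of the two builds.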
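
Review bot: In the `@@ -241,6 +243,20 @@` hunk, the `uri` fetches the tarball over plain `http://libarchive.org/downloads/`. The `sha256` field pins the content, so a tampered download fails the build rather than being installed, but switching to `https://` (if upstream serves it) removes the exposure to on-path interference and the spurious build failures it would cause. Two smaller points in the same hunk: `(name "libarchive")` repeats what `(inherit libarchive)` already supplies and can be dropped, and a short comment above `(define libarchive-3.3.1` naming the CVEs the graft addresses would help whoever later removes it once the main package is updated.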