From: Leo Famulari <leo@famulari.name>
To: 70113@debbugs.gnu.org
Subject: [bug#70113] SECURITY: Xz backdoor / JiaT75 cleanup for libarchive
Date: Sun, 31 Mar 2024 16:51:16 -0400
Message-ID: <ZgnMxDxsDkjr-mEa@jasmine.lan>
In-Reply-To: <7a74261a419e9127887bc9ea096294e42156cce1.1711917891.git.leo@famulari.name>


The malicious actor that attacked Xz was also active in the libarchive
codebase:

https://github.com/libarchive/libarchive/issues/2103

This patch cherry-picks a fix for a potential vulnerability added by
this entity. The patch file includes annotations.

Please test with packages that directly use libarchive! For example:

------
$ ./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name,synopsis,location 
name: dwarfs
synopsis: Fast high compression read-only file system  
location: gnu/packages/file-systems.scm:2106:2

name: patool
synopsis: Portable archive file manager  
location: gnu/packages/patool.scm:37:2

name: gnome-boxes
synopsis: View, access, and manage remote and virtual systems  
location: gnu/packages/gnome.scm:12554:2

name: proot
synopsis: Unprivileged chroot, bind mount, and binfmt_misc  
location: gnu/packages/linux.scm:8449:2

name: geary
synopsis: GNOME email application built around conversations  
location: gnu/packages/gnome.scm:12630:2

name: tesseract-ocr
synopsis: Optical character recognition engine  
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine  
location: gnu/packages/ocr.scm:192:2

name: reprepro
synopsis: Debian package repository producer  
location: gnu/packages/debian.scm:610:2

name: libjami
synopsis: Jami core library and daemon  
location: gnu/packages/jami.scm:85:2

name: diffoscope
synopsis: Compare files, archives, and directories in depth  
location: gnu/packages/diffoscope.scm:75:2

name: geeqie
synopsis: Lightweight GTK+ based image viewer  
location: gnu/packages/image-viewers.scm:235:2

name: samba
synopsis: The standard Windows interoperability suite of programs for GNU and Unix  
location: gnu/packages/samba.scm:296:2

name: gpaste
synopsis: Clipboard management system for GNOME Shell  
location: gnu/packages/gnome-xyz.scm:1012:2

name: libextractor
synopsis: Library to extract meta-data from media files  
location: gnu/packages/gnunet.scm:87:2

name: unrar-free
synopsis: Extract files from RAR archives  
location: gnu/packages/compression.scm:2813:2

name: archivemount
synopsis: Tool for mounting archive files with FUSE  
location: gnu/packages/linux.scm:4034:2

name: rpm
synopsis: The RPM Package Manager  
location: gnu/packages/package-management.scm:934:2

name: nix
synopsis: The Nix package manager  
location: gnu/packages/package-management.scm:804:2

name: gvfs
synopsis: Userspace virtual file system for GIO  
location: gnu/packages/gnome.scm:7000:2

name: claws-mail
synopsis: GTK-based Email client  
location: gnu/packages/mail.scm:1753:2

name: kbackup
synopsis: Backup program with an easy-to-use interface  
location: gnu/packages/kde-utils.scm:438:2

name: cmake-minimal-cross
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:411:2

name: scilab
synopsis: Software for engineers and scientists  
location: gnu/packages/maths.scm:9708:2

name: pixz
synopsis: Parallel indexing implementation of LZMA  
location: gnu/packages/compression.scm:1037:2

name: cmake-minimal
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:263:2

name: python-fsspec
synopsis: File-system specification  
location: gnu/packages/python-xyz.scm:27706:2

name: libostree
synopsis: Operating system and container binary deployment and upgrades  
location: gnu/packages/package-management.scm:1958:2

name: cmake
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:346:2

name: meandmyshadow
synopsis: Puzzle/platform game  
location: gnu/packages/games.scm:1788:2

name: reprotest
synopsis: Build software and check it for reproducibility  
location: gnu/packages/diffoscope.scm:247:2

name: gimp-next
synopsis: GNU Image Manipulation Program  
location: gnu/packages/gimp.scm:415:2

name: rdup
synopsis: Provide a list of files to backup  
location: /home/leo/work/guix/gnu/packages/backup.scm:370:2

name: irods-client-icommands
synopsis: Data management software  
location: gnu/packages/irods.scm:170:2

name: nestopia-ue
synopsis: Nintendo Entertainment System (NES/Famicom) emulator  
location: gnu/packages/emulators.scm:1363:2

name: avogadrolibs
synopsis: Libraries for chemistry, bioinformatics, and related areas  
location: gnu/packages/chemistry.scm:74:2

name: swi-prolog
synopsis: ISO/Edinburgh-style Prolog interpreter  
location: gnu/packages/prolog.scm:88:2

name: evince
synopsis: GNOME's document viewer  
location: gnu/packages/gnome.scm:2669:2

name: singularity
synopsis: Container platform  
location: gnu/packages/linux.scm:5245:2

name: pqiv
synopsis: Powerful image viewer with minimal UI  
location: gnu/packages/image-viewers.scm:896:2

name: python-libarchive-c
synopsis: Python interface to libarchive  
location: gnu/packages/python-xyz.scm:16283:2

name: python-conda-package-handling
synopsis: Create and extract conda packages of various formats  
location: gnu/packages/package-management.scm:1105:2

name: opencpn
synopsis: Chart plotter and marine GPS navigation software  
location: gnu/packages/geo.scm:2473:2

name: midori
synopsis: Lightweight graphical web browser  
location: gnu/packages/web-browsers.scm:106:2

name: appstream-glib
synopsis: Library for reading and writing AppStream metadata  
location: gnu/packages/glib.scm:1346:2

name: libgxps
synopsis: GObject-based library for handling and rendering XPS documents  
location: gnu/packages/gnome.scm:2069:2

name: libticalcs2
synopsis: Support library for TI calculators  
location: gnu/packages/emulators.scm:1747:2

name: irods
synopsis: Data management software  
location: gnu/packages/irods.scm:48:2

name: ardour
synopsis: Digital audio workstation  
location: gnu/packages/audio.scm:775:2

name: libtifiles2
synopsis: File functions library for TI calculators  
location: gnu/packages/emulators.scm:1712:2

name: flatpak
synopsis: System for building, distributing, and running sandboxed desktop applications  
location: gnu/packages/package-management.scm:2011:2

name: epic5
synopsis: Epic5 IRC Client  
location: gnu/packages/irc.scm:669:2

name: file-roller
synopsis: Graphical archive manager for GNOME  
location: gnu/packages/gnome.scm:7628:2

name: rpi-imager
synopsis: Raspberry Pi Imaging Utility  
location: gnu/packages/raspberry-pi.scm:467:2

name: fwupd
synopsis: Daemon to allow session software to update firmware  
location: gnu/packages/firmware.scm:211:2

name: totem-pl-parser
synopsis: Library to parse and save media playlists for GNOME  
location: gnu/packages/gnome.scm:6075:1

name: osinfo-db-tools
synopsis: Tools for managing the osinfo database  
location: gnu/packages/virtualization.scm:2691:2

name: ark
synopsis: Graphical archiving tool  
location: gnu/packages/kde-utils.scm:54:2

name: vlc
synopsis: Audio and video framework  
location: gnu/packages/video.scm:2365:2

name: fpm
synopsis: Package building and mangling tool  
location: gnu/packages/package-management.scm:2118:2

name: hydrogen
synopsis: Drum machine  
location: gnu/packages/music.scm:869:2

name: gnome-autoar
synopsis: Archives integration support for GNOME  
location: gnu/packages/gnome.scm:9531:2

name: python-py7zr
synopsis: 7-zip in Python  
location: gnu/packages/python-compression.scm:444:2

name: zathura-cb
synopsis: Comic book support for zathura (libarchive backend)  
location: gnu/packages/pdf.scm:516:2

name: python-rarfile
synopsis: RAR archive reader for Python  
location: gnu/packages/python-xyz.scm:19616:2

name: epiphany
synopsis: GNOME web browser  
location: gnu/packages/gnome.scm:7160:2

name: gnome-arcade
synopsis: Minimal MAME frontend  
location: gnu/packages/emulators.scm:1962:2

name: zeal
synopsis: Offline documentation browser inspired by Dash  
location: gnu/packages/documentation.scm:412:4

name: pcsxr
synopsis: PlayStation emulator  
location: gnu/packages/emulators.scm:2057:4

name: atril
synopsis: Document viewer for Mate  
location: gnu/packages/mate.scm:683:2
------
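An added helper, not part of the original message, for the testing step requested above: it turns the recsel output shown in the message into a deduplicated package list that can be handed to `guix build`. The sample records are constructed in the same recutils format; the `./pre-inst-env` chaining at the end assumes a Guix source checkout and is shown only as a comment.

```shell
#!/bin/sh
# Added example (not from the original message): extract the "name:" field
# of each record, drop duplicates (the same package can appear at several
# locations, e.g. tesseract-ocr above), and emit one package name per line.
dependents_from_recs() {
    sed -n 's/^name: //p' | sort -u
}

# Constructed sample mirroring `guix package -s . | recsel ...` output.
SAMPLE_RECS='name: dwarfs
synopsis: Fast high compression read-only file system
location: gnu/packages/file-systems.scm:2106:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:192:2

name: python-libarchive-c
synopsis: Python interface to libarchive
location: gnu/packages/python-xyz.scm:16283:2'

# Number of distinct dependents found in the sample (duplicates collapsed).
count_dependents() {
    printf '%s\n' "$SAMPLE_RECS" | dependents_from_recs | wc -l | tr -d ' '
}

# On a real checkout (assumption: run from a Guix source tree), the same
# filter feeds the dependents straight into a rebuild against the patched
# libarchive:
#   ./pre-inst-env guix package -s . \
#     | recsel -e '(dependencies ~ "libarchive")' -p name \
#     | dependents_from_recs \
#     | xargs ./pre-inst-env guix build
```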


Thread overview: 8+ messages
2024-03-31 20:44 [bug#70114] [PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive Leo Famulari
2024-03-31 20:44 ` [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue Leo Famulari
2024-03-31 20:51   ` Leo Famulari [this message]
2024-04-02  3:23 ` [bug#70114] " John Kehayias via Guix-patches via
2024-04-02 13:24   ` Efraim Flashner
2024-04-02 13:45   ` pelzflorian (Florian Pelz)
2024-04-04  2:38     ` John Kehayias via Guix-patches via
2024-04-03 22:08   ` bug#70113: " Leo Famulari