From: Leo Famulari <leo@famulari.name>
To: 70113@debbugs.gnu.org
Subject: [bug#70113] SECURITY: Xz backdoor / JiaT75 cleanup for libarchive
Date: Sun, 31 Mar 2024 16:51:16 -0400 [thread overview]
Message-ID: <ZgnMxDxsDkjr-mEa@jasmine.lan> (raw)
In-Reply-To: <7a74261a419e9127887bc9ea096294e42156cce1.1711917891.git.leo@famulari.name>
The malicious actor that attacked Xz was also active in the libarchive
codebase:
https://github.com/libarchive/libarchive/issues/2103
This patch cherry-picks a fix for a potential vulnerability added by
this entity. The patch file includes annotations.
Please test with packages that directly use libarchive! For example:
------
$ ./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name,synopsis,location
name: dwarfs
synopsis: Fast high compression read-only file system
location: gnu/packages/file-systems.scm:2106:2
name: patool
synopsis: Portable archive file manager
location: gnu/packages/patool.scm:37:2
name: gnome-boxes
synopsis: View, access, and manage remote and virtual systems
location: gnu/packages/gnome.scm:12554:2
name: proot
synopsis: Unprivileged chroot, bind mount, and binfmt_misc
location: gnu/packages/linux.scm:8449:2
name: geary
synopsis: GNOME email application built around conversations
location: gnu/packages/gnome.scm:12630:2
name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:104:2
name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:192:2
name: reprepro
synopsis: Debian package repository producer
location: gnu/packages/debian.scm:610:2
name: libjami
synopsis: Jami core library and daemon
location: gnu/packages/jami.scm:85:2
name: diffoscope
synopsis: Compare files, archives, and directories in depth
location: gnu/packages/diffoscope.scm:75:2
name: geeqie
synopsis: Lightweight GTK+ based image viewer
location: gnu/packages/image-viewers.scm:235:2
name: samba
synopsis: The standard Windows interoperability suite of programs for GNU and Unix
location: gnu/packages/samba.scm:296:2
name: gpaste
synopsis: Clipboard management system for GNOME Shell
location: gnu/packages/gnome-xyz.scm:1012:2
name: libextractor
synopsis: Library to extract meta-data from media files
location: gnu/packages/gnunet.scm:87:2
name: unrar-free
synopsis: Extract files from RAR archives
location: gnu/packages/compression.scm:2813:2
name: archivemount
synopsis: Tool for mounting archive files with FUSE
location: gnu/packages/linux.scm:4034:2
name: rpm
synopsis: The RPM Package Manager
location: gnu/packages/package-management.scm:934:2
name: nix
synopsis: The Nix package manager
location: gnu/packages/package-management.scm:804:2
name: gvfs
synopsis: Userspace virtual file system for GIO
location: gnu/packages/gnome.scm:7000:2
name: claws-mail
synopsis: GTK-based Email client
location: gnu/packages/mail.scm:1753:2
name: kbackup
synopsis: Backup program with an easy-to-use interface
location: gnu/packages/kde-utils.scm:438:2
name: cmake-minimal-cross
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:411:2
name: scilab
synopsis: Software for engineers and scientists
location: gnu/packages/maths.scm:9708:2
name: pixz
synopsis: Parallel indexing implementation of LZMA
location: gnu/packages/compression.scm:1037:2
name: cmake-minimal
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:263:2
name: python-fsspec
synopsis: File-system specification
location: gnu/packages/python-xyz.scm:27706:2
name: libostree
synopsis: Operating system and container binary deployment and upgrades
location: gnu/packages/package-management.scm:1958:2
name: cmake
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:346:2
name: meandmyshadow
synopsis: Puzzle/platform game
location: gnu/packages/games.scm:1788:2
name: reprotest
synopsis: Build software and check it for reproducibility
location: gnu/packages/diffoscope.scm:247:2
name: gimp-next
synopsis: GNU Image Manipulation Program
location: gnu/packages/gimp.scm:415:2
name: rdup
synopsis: Provide a list of files to backup
location: /home/leo/work/guix/gnu/packages/backup.scm:370:2
name: irods-client-icommands
synopsis: Data management software
location: gnu/packages/irods.scm:170:2
name: nestopia-ue
synopsis: Nintendo Entertainment System (NES/Famicom) emulator
location: gnu/packages/emulators.scm:1363:2
name: avogadrolibs
synopsis: Libraries for chemistry, bioinformatics, and related areas
location: gnu/packages/chemistry.scm:74:2
name: swi-prolog
synopsis: ISO/Edinburgh-style Prolog interpreter
location: gnu/packages/prolog.scm:88:2
name: evince
synopsis: GNOME's document viewer
location: gnu/packages/gnome.scm:2669:2
name: singularity
synopsis: Container platform
location: gnu/packages/linux.scm:5245:2
name: pqiv
synopsis: Powerful image viewer with minimal UI
location: gnu/packages/image-viewers.scm:896:2
name: python-libarchive-c
synopsis: Python interface to libarchive
location: gnu/packages/python-xyz.scm:16283:2
name: python-conda-package-handling
synopsis: Create and extract conda packages of various formats
location: gnu/packages/package-management.scm:1105:2
name: opencpn
synopsis: Chart plotter and marine GPS navigation software
location: gnu/packages/geo.scm:2473:2
name: midori
synopsis: Lightweight graphical web browser
location: gnu/packages/web-browsers.scm:106:2
name: appstream-glib
synopsis: Library for reading and writing AppStream metadata
location: gnu/packages/glib.scm:1346:2
name: libgxps
synopsis: GObject-based library for handling and rendering XPS documents
location: gnu/packages/gnome.scm:2069:2
name: libticalcs2
synopsis: Support library for TI calculators
location: gnu/packages/emulators.scm:1747:2
name: irods
synopsis: Data management software
location: gnu/packages/irods.scm:48:2
name: ardour
synopsis: Digital audio workstation
location: gnu/packages/audio.scm:775:2
name: libtifiles2
synopsis: File functions library for TI calculators
location: gnu/packages/emulators.scm:1712:2
name: flatpak
synopsis: System for building, distributing, and running sandboxed desktop applications
location: gnu/packages/package-management.scm:2011:2
name: epic5
synopsis: Epic5 IRC Client
location: gnu/packages/irc.scm:669:2
name: file-roller
synopsis: Graphical archive manager for GNOME
location: gnu/packages/gnome.scm:7628:2
name: rpi-imager
synopsis: Raspberry Pi Imaging Utility
location: gnu/packages/raspberry-pi.scm:467:2
name: fwupd
synopsis: Daemon to allow session software to update firmware
location: gnu/packages/firmware.scm:211:2
name: totem-pl-parser
synopsis: Library to parse and save media playlists for GNOME
location: gnu/packages/gnome.scm:6075:1
name: osinfo-db-tools
synopsis: Tools for managing the osinfo database
location: gnu/packages/virtualization.scm:2691:2
name: ark
synopsis: Graphical archiving tool
location: gnu/packages/kde-utils.scm:54:2
name: vlc
synopsis: Audio and video framework
location: gnu/packages/video.scm:2365:2
name: fpm
synopsis: Package building and mangling tool
location: gnu/packages/package-management.scm:2118:2
name: hydrogen
synopsis: Drum machine
location: gnu/packages/music.scm:869:2
name: gnome-autoar
synopsis: Archives integration support for GNOME
location: gnu/packages/gnome.scm:9531:2
name: python-py7zr
synopsis: 7-zip in Python
location: gnu/packages/python-compression.scm:444:2
name: zathura-cb
synopsis: Comic book support for zathura (libarchive backend)
location: gnu/packages/pdf.scm:516:2
name: python-rarfile
synopsis: RAR archive reader for Python
location: gnu/packages/python-xyz.scm:19616:2
name: epiphany
synopsis: GNOME web browser
location: gnu/packages/gnome.scm:7160:2
name: gnome-arcade
synopsis: Minimal MAME frontend
location: gnu/packages/emulators.scm:1962:2
name: zeal
synopsis: Offline documentation browser inspired by Dash
location: gnu/packages/documentation.scm:412:4
name: pcsxr
synopsis: PlayStation emulator
location: gnu/packages/emulators.scm:2057:4
name: atril
synopsis: Document viewer for Mate
location: gnu/packages/mate.scm:683:2
------
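An added helper for the "please test" request above (not part of the patch, the message, or Guix itself): it turns the recsel output quoted in the message into a de-duplicated rebuild list and runs each build, reporting the failures, so a libarchive update can be smoke-tested in one pass. It assumes `./pre-inst-env guix build NAME` is the right build invocation in a Guix checkout; the embedded records are a constructed excerpt of the output above.

```shell
#!/bin/sh
# Constructed excerpt of the `guix package -s . | recsel ...` output above,
# including the duplicate tesseract-ocr record and an absolute-path location.
SAMPLE_RECORDS='name: dwarfs
synopsis: Fast high compression read-only file system
location: gnu/packages/file-systems.scm:2106:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:192:2

name: rdup
synopsis: Provide a list of files to backup
location: /home/leo/work/guix/gnu/packages/backup.scm:370:2
'

# Print the unique package names found in recsel-style records
# (one "field: value" per line, records separated by blank lines).
dependents_from_records() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "name" { print $2 }' | sort -u
}

# Build every dependent with BUILD_CMD (assumed default: ./pre-inst-env guix
# build), print the names that failed, and return the failure count.
# $build_cmd is deliberately unquoted so a multi-word command works.
rebuild_dependents() {
    records=$1
    build_cmd=${2:-"./pre-inst-env guix build"}
    failed=0
    for pkg in $(dependents_from_records "$records"); do
        if ! $build_cmd "$pkg" >/dev/null 2>&1; then
            printf 'FAILED: %s\n' "$pkg"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

Run it as `rebuild_dependents "$(./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name)"` inside the checkout; a non-zero exit means at least one dependent no longer builds against the patched libarchive.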
Thread overview: 8+ messages
2024-03-31 20:44 [bug#70114] [PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive Leo Famulari
2024-03-31 20:44 ` [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue Leo Famulari
2024-03-31 20:51 ` Leo Famulari [this message]
2024-04-02 3:23 ` [bug#70114] " John Kehayias via Guix-patches via
2024-04-02 13:24 ` Efraim Flashner
2024-04-02 13:45 ` pelzflorian (Florian Pelz)
2024-04-04 2:38 ` John Kehayias via Guix-patches via
2024-04-03 22:08 ` bug#70113: " Leo Famulari