unofficial mirror of guix-patches@gnu.org 
From: Efraim Flashner <efraim@flashner.co.il>
To: John Kehayias <john.kehayias@protonmail.com>
Cc: 70114@debbugs.gnu.org, 70113@debbugs.gnu.org,
	Leo Famulari <leo@famulari.name>
Subject: [bug#70114] [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
Date: Tue, 2 Apr 2024 16:24:04 +0300	[thread overview]
Message-ID: <ZgwG9F56NpS1YGt-@3900XT> (raw)
In-Reply-To: <87il10wipx.fsf@protonmail.com>


On Tue, Apr 02, 2024 at 03:23:44AM +0000, John Kehayias via Guix-patches via wrote:
> Hi Leo,
> 
> On Sun, Mar 31, 2024 at 04:44 PM, Leo Famulari wrote:
> 
> > https://github.com/libarchive/libarchive/pull/2101
> >
> > * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> > (libarchive/fixed): New variable.
> > * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> >
> 
> Overall changes look good, but I have not had a chance to try it locally
> (building or dependents).
> 

This looks like what I was going to suggest.

> [...]
> 
> > +(define-public libarchive/fixed
> > +  (package
> > +    (inherit libarchive)
> > +    (version "3.6.1")
> > +    (source
> > +     (origin
> > +       (method url-fetch)
> > +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
> > +                                 version ".tar.xz")
> > +                  (string-append "https://github.com/libarchive/libarchive"
> > +                                 "/releases/download/v" version "/libarchive-"
> > +                                 version ".tar.xz")))
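Review bot: the replacement pins `(version "3.6.1")` while the commit message wires `libarchive/fixed` in as a `[replacement]` (a graft) of `libarchive`; a graft only swaps the built output in place, so this package must stay ABI-compatible with the one it replaces, and the version field here has to be kept in step with `libarchive`'s own version whenever that is bumped. The explicit value is needed because `version` is referenced in the `uri` expressions, so a one-line comment above it saying that it must match `libarchive` would make the constraint obvious to whoever next updates either package.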
> 
> In light of the xz backdoor, perhaps we should just do a git checkout of
> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

In this case it was just the patch which didn't do (just) what the
commit message said. IMO applying this patch will make us safe from this
potential JiaT75 backdoor, no bootstrapping from source needed.

> I haven't had a chance to look at potential ABI changes, but perhaps at
> least v3.6.2 is graftable? That also lists a security update (as well as
> later versions).
> 
> Or, if it is easier and this is tested on your end, let's push this and
> do an upgrade to the latest on a branch. I would volunteer mesa-updates,
> but Cuirass has been stuck all day not building anything, so I don't
> know what will end up being quickest (which branch or a new one).

If it turns out that we need to move forward a bit to guard against
other CVEs then this patch should be forward compatible, considering it
was just added to the libarchive repository.

> Thanks for the quick work!
> John

Indeed. Thanks!

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
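John's suggestion above (checking out the git tag instead of trusting the release tarball) can be turned into a check that runs before a tarball is packaged. The script below is an added example, not from this thread or from Guix: it assumes the tarball is already unpacked into one directory and the tag checked out into another, and its allow-list of files a release script normally regenerates is an assumption to be tuned per project.

```shell
#!/bin/sh
# Added example, not from the thread: compare an unpacked release tarball
# with a checkout of the matching git tag and report what the tarball adds
# or changes. Autotools output (configure, Makefile.in, aclocal.m4, ...) is
# expected to differ, so it is tagged "generated"; anything else that is
# tarball-only or modified is tagged "source" and deserves a close look.
set -eu

# compare_release TARBALL_DIR GIT_DIR
# Prints one line per delta: "<generated|source> <only-in-tarball|differs> PATH".
compare_release() {
    tarball_dir=$1
    git_dir=$2
    (cd "$tarball_dir" && find . -type f | sort) | while IFS= read -r f; do
        f=${f#./}
        # Allow-list (an assumption): files autoreconf/make dist regenerate.
        # Macro files under m4/ are deliberately NOT allow-listed: they are
        # executed by configure, so a tarball-only macro must be explained.
        case "$f" in
            configure|*/configure|Makefile.in|*/Makefile.in|config.h.in|aclocal.m4|build-aux/*|INSTALL)
                kind=generated ;;
            *)  kind=source ;;
        esac
        if [ ! -e "$git_dir/$f" ]; then
            printf '%s only-in-tarball %s\n' "$kind" "$f"
        elif ! cmp -s "$tarball_dir/$f" "$git_dir/$f"; then
            printf '%s differs %s\n' "$kind" "$f"
        fi
    done
}

# release_matches_tag TARBALL_DIR GIT_DIR
# Succeeds (exit 0) only when every delta falls in the generated category.
release_matches_tag() {
    if compare_release "$1" "$2" | grep -q '^source '; then
        return 1
    fi
    return 0
}

# Stand-alone usage: ./check-release.sh libarchive-3.6.1 libarchive-git-v3.6.1
if [ "$#" -eq 2 ]; then
    if release_matches_tag "$1" "$2"; then
        echo "no unexplained differences between tarball and tag"
    else
        compare_release "$1" "$2" | grep '^source '
        exit 1
    fi
fi
```

Files that only exist in the tarball or differ from the tag are listed with their path; a clean run means the tarball adds nothing beyond regenerated build files.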


Thread overview: 8+ messages
2024-03-31 20:44 [bug#70114] [PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive Leo Famulari
2024-03-31 20:44 ` [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue Leo Famulari
2024-03-31 20:51   ` [bug#70113] SECURITY: Xz backdoor / JiaT75 cleanup for libarchive Leo Famulari
2024-04-02  3:23 ` [bug#70114] [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue John Kehayias via Guix-patches via
2024-04-02 13:24   ` Efraim Flashner [this message]
2024-04-02 13:45   ` pelzflorian (Florian Pelz)
2024-04-04  2:38     ` John Kehayias via Guix-patches via
2024-04-03 22:08   ` bug#70113: " Leo Famulari
