unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#70114] [PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive
@ 2024-03-31 20:44 Leo Famulari
  2024-03-31 20:44 ` [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue Leo Famulari
  2024-04-02  3:23 ` [bug#70114] [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue John Kehayias via Guix-patches via
  0 siblings, 2 replies; 8+ messages in thread
From: Leo Famulari @ 2024-03-31 20:44 UTC (permalink / raw)
  To: 70114

The malicious actor that attacked Xz was also active in the libarchive
codebase:

https://github.com/libarchive/libarchive/issues/2103

This patch cherry-picks a fix for a potential vulnerability added by
this entity. The patch file includes annotations.

Please test with packages that directly use libarchive! For example:

------
$ ./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name,synopsis,location 
name: dwarfs
synopsis: Fast high compression read-only file system  
location: gnu/packages/file-systems.scm:2106:2

name: patool
synopsis: Portable archive file manager  
location: gnu/packages/patool.scm:37:2

name: gnome-boxes
synopsis: View, access, and manage remote and virtual systems  
location: gnu/packages/gnome.scm:12554:2

name: proot
synopsis: Unprivileged chroot, bind mount, and binfmt_misc  
location: gnu/packages/linux.scm:8449:2

name: geary
synopsis: GNOME email application built around conversations  
location: gnu/packages/gnome.scm:12630:2

name: tesseract-ocr
synopsis: Optical character recognition engine  
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine  
location: gnu/packages/ocr.scm:192:2

name: reprepro
synopsis: Debian package repository producer  
location: gnu/packages/debian.scm:610:2

name: libjami
synopsis: Jami core library and daemon  
location: gnu/packages/jami.scm:85:2

name: diffoscope
synopsis: Compare files, archives, and directories in depth  
location: gnu/packages/diffoscope.scm:75:2

name: geeqie
synopsis: Lightweight GTK+ based image viewer  
location: gnu/packages/image-viewers.scm:235:2

name: samba
synopsis: The standard Windows interoperability suite of programs for GNU and Unix  
location: gnu/packages/samba.scm:296:2

name: gpaste
synopsis: Clipboard management system for GNOME Shell  
location: gnu/packages/gnome-xyz.scm:1012:2

name: libextractor
synopsis: Library to extract meta-data from media files  
location: gnu/packages/gnunet.scm:87:2

name: unrar-free
synopsis: Extract files from RAR archives  
location: gnu/packages/compression.scm:2813:2

name: archivemount
synopsis: Tool for mounting archive files with FUSE  
location: gnu/packages/linux.scm:4034:2

name: rpm
synopsis: The RPM Package Manager  
location: gnu/packages/package-management.scm:934:2

name: nix
synopsis: The Nix package manager  
location: gnu/packages/package-management.scm:804:2

name: gvfs
synopsis: Userspace virtual file system for GIO  
location: gnu/packages/gnome.scm:7000:2

name: claws-mail
synopsis: GTK-based Email client  
location: gnu/packages/mail.scm:1753:2

name: kbackup
synopsis: Backup program with an easy-to-use interface  
location: gnu/packages/kde-utils.scm:438:2

name: cmake-minimal-cross
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:411:2

name: scilab
synopsis: Software for engineers and scientists  
location: gnu/packages/maths.scm:9708:2

name: pixz
synopsis: Parallel indexing implementation of LZMA  
location: gnu/packages/compression.scm:1037:2

name: cmake-minimal
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:263:2

name: python-fsspec
synopsis: File-system specification  
location: gnu/packages/python-xyz.scm:27706:2

name: libostree
synopsis: Operating system and container binary deployment and upgrades  
location: gnu/packages/package-management.scm:1958:2

name: cmake
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:346:2

name: meandmyshadow
synopsis: Puzzle/platform game  
location: gnu/packages/games.scm:1788:2

name: reprotest
synopsis: Build software and check it for reproducibility  
location: gnu/packages/diffoscope.scm:247:2

name: gimp-next
synopsis: GNU Image Manipulation Program  
location: gnu/packages/gimp.scm:415:2

name: rdup
synopsis: Provide a list of files to backup  
location: /home/leo/work/guix/gnu/packages/backup.scm:370:2

name: irods-client-icommands
synopsis: Data management software  
location: gnu/packages/irods.scm:170:2

name: nestopia-ue
synopsis: Nintendo Entertainment System (NES/Famicom) emulator  
location: gnu/packages/emulators.scm:1363:2

name: avogadrolibs
synopsis: Libraries for chemistry, bioinformatics, and related areas  
location: gnu/packages/chemistry.scm:74:2

name: swi-prolog
synopsis: ISO/Edinburgh-style Prolog interpreter  
location: gnu/packages/prolog.scm:88:2

name: evince
synopsis: GNOME's document viewer  
location: gnu/packages/gnome.scm:2669:2

name: singularity
synopsis: Container platform  
location: gnu/packages/linux.scm:5245:2

name: pqiv
synopsis: Powerful image viewer with minimal UI  
location: gnu/packages/image-viewers.scm:896:2

name: python-libarchive-c
synopsis: Python interface to libarchive  
location: gnu/packages/python-xyz.scm:16283:2

name: python-conda-package-handling
synopsis: Create and extract conda packages of various formats  
location: gnu/packages/package-management.scm:1105:2

name: opencpn
synopsis: Chart plotter and marine GPS navigation software  
location: gnu/packages/geo.scm:2473:2

name: midori
synopsis: Lightweight graphical web browser  
location: gnu/packages/web-browsers.scm:106:2

name: appstream-glib
synopsis: Library for reading and writing AppStream metadata  
location: gnu/packages/glib.scm:1346:2

name: libgxps
synopsis: GObject-based library for handling and rendering XPS documents  
location: gnu/packages/gnome.scm:2069:2

name: libticalcs2
synopsis: Support library for TI calculators  
location: gnu/packages/emulators.scm:1747:2

name: irods
synopsis: Data management software  
location: gnu/packages/irods.scm:48:2

name: ardour
synopsis: Digital audio workstation  
location: gnu/packages/audio.scm:775:2

name: libtifiles2
synopsis: File functions library for TI calculators  
location: gnu/packages/emulators.scm:1712:2

name: flatpak
synopsis: System for building, distributing, and running sandboxed desktop applications  
location: gnu/packages/package-management.scm:2011:2

name: epic5
synopsis: Epic5 IRC Client  
location: gnu/packages/irc.scm:669:2

name: file-roller
synopsis: Graphical archive manager for GNOME  
location: gnu/packages/gnome.scm:7628:2

name: rpi-imager
synopsis: Raspberry Pi Imaging Utility  
location: gnu/packages/raspberry-pi.scm:467:2

name: fwupd
synopsis: Daemon to allow session software to update firmware  
location: gnu/packages/firmware.scm:211:2

name: totem-pl-parser
synopsis: Library to parse and save media playlists for GNOME  
location: gnu/packages/gnome.scm:6075:1

name: osinfo-db-tools
synopsis: Tools for managing the osinfo database  
location: gnu/packages/virtualization.scm:2691:2

name: ark
synopsis: Graphical archiving tool  
location: gnu/packages/kde-utils.scm:54:2

name: vlc
synopsis: Audio and video framework  
location: gnu/packages/video.scm:2365:2

name: fpm
synopsis: Package building and mangling tool  
location: gnu/packages/package-management.scm:2118:2

name: hydrogen
synopsis: Drum machine  
location: gnu/packages/music.scm:869:2

name: gnome-autoar
synopsis: Archives integration support for GNOME  
location: gnu/packages/gnome.scm:9531:2

name: python-py7zr
synopsis: 7-zip in Python  
location: gnu/packages/python-compression.scm:444:2

name: zathura-cb
synopsis: Comic book support for zathura (libarchive backend)  
location: gnu/packages/pdf.scm:516:2

name: python-rarfile
synopsis: RAR archive reader for Python  
location: gnu/packages/python-xyz.scm:19616:2

name: epiphany
synopsis: GNOME web browser  
location: gnu/packages/gnome.scm:7160:2

name: gnome-arcade
synopsis: Minimal MAME frontend  
location: gnu/packages/emulators.scm:1962:2

name: zeal
synopsis: Offline documentation browser inspired by Dash  
location: gnu/packages/documentation.scm:412:4

name: pcsxr
synopsis: PlayStation emulator  
location: gnu/packages/emulators.scm:2057:4

name: atril
synopsis: Document viewer for Mate  
location: gnu/packages/mate.scm:683:2
------

Leo Famulari (1):
  gnu: libarchive: Fix a potential security issue.

 gnu/local.mk                                  |  1 +
 gnu/packages/backup.scm                       | 19 ++++++++
 ...libarchive-remove-potential-backdoor.patch | 47 +++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch


base-commit: 4d79a9cd6b5f0d8c5afbab0c6b70ae42740d5470
-- 
2.41.0





^ permalink raw reply	[flat|nested] 8+ messages in thread

* [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
  2024-03-31 20:44 [bug#70114] [PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive Leo Famulari
@ 2024-03-31 20:44 ` Leo Famulari
  2024-03-31 20:51   ` [bug#70113] SECURITY: Xz backdoor / JiaT75 cleanup for libarchive Leo Famulari
  2024-04-02  3:23 ` [bug#70114] [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue John Kehayias via Guix-patches via
  1 sibling, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2024-03-31 20:44 UTC (permalink / raw)
  To: 70113

https://github.com/libarchive/libarchive/pull/2101

* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive/fixed): New variable.
* gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.

Change-Id: I939e9b842b10d1a78125da4a4599c38d9c037079
---
 gnu/local.mk                                  |  1 +
 gnu/packages/backup.scm                       | 19 ++++++++
 ...libarchive-remove-potential-backdoor.patch | 47 +++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index f2b480bded..68c6851402 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1575,6 +1575,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
   %D%/packages/patches/libaio-32bit-test.patch                  \
   %D%/packages/patches/libaio-riscv-test5.patch			\
+  %D%/packages/patches/libarchive-remove-potential-backdoor.patch	\
   %D%/packages/patches/libbase-fix-includes.patch		\
   %D%/packages/patches/libbase-use-own-logging.patch		\
   %D%/packages/patches/libbonobo-activation-test-race.patch	\
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 604102bc7b..5dfdfe7dd4 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -259,6 +259,7 @@ (define-public hdup
 (define-public libarchive
   (package
     (name "libarchive")
+    (replacement libarchive/fixed)
     (version "3.6.1")
     (source
      (origin
@@ -347,6 +348,24 @@ (define-public libarchive
 @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
     (license license:bsd-2)))
 
+(define-public libarchive/fixed
+  (package
+    (inherit libarchive)
+    (version "3.6.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
+                                 version ".tar.xz")
+                  (string-append "https://github.com/libarchive/libarchive"
+                                 "/releases/download/v" version "/libarchive-"
+                                 version ".tar.xz")))
+       (patches (search-patches "libarchive-remove-potential-backdoor.patch"))
+       (sha256
+        (base32
+         "1rj8q5v26lxxr8x4b4nqbrj7p06qvl91hb8cdxi3xx3qp771lhas"))))))
+
+
 (define-public rdup
   (package
     (name "rdup")
diff --git a/gnu/packages/patches/libarchive-remove-potential-backdoor.patch b/gnu/packages/patches/libarchive-remove-potential-backdoor.patch
new file mode 100644
index 0000000000..2b9a9e2ffe
--- /dev/null
+++ b/gnu/packages/patches/libarchive-remove-potential-backdoor.patch
@@ -0,0 +1,47 @@
+Remove code added by 'JiaT75', the malicious actor that backdoored `xz`:
+
+https://github.com/libarchive/libarchive/pull/2101
+
+At libarchive, they are reviewing all code contributed by this actor:
+
+https://github.com/libarchive/libarchive/issues/2103
+
+See the original disclosure and subsequent discussion for more
+information about this incident:
+
+https://seclists.org/oss-sec/2024/q1/268
+
+Patch copied from upstream source repository:
+
+https://github.com/libarchive/libarchive/pull/2101/commits/e200fd8abfb4cf895a1cab4d89b67e6eefe83942
+
+From 6110e9c82d8ba830c3440f36b990483ceaaea52c Mon Sep 17 00:00:00 2001
+From: Ed Maste <emaste@freebsd.org>
+Date: Fri, 29 Mar 2024 18:02:06 -0400
+Subject: [PATCH] tar: make error reporting more robust and use correct errno
+ (#2101)
+
+As discussed in #1609.
+---
+ tar/read.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tar/read.c b/tar/read.c
+index af3d3f42..a7f14a07 100644
+--- a/tar/read.c
++++ b/tar/read.c
+@@ -371,8 +371,9 @@ read_archive(struct bsdtar *bsdtar, char mode, struct archive *writer)
+ 			if (r != ARCHIVE_OK) {
+ 				if (!bsdtar->verbose)
+ 					safe_fprintf(stderr, "%s", archive_entry_pathname(entry));
+-				fprintf(stderr, ": %s: ", archive_error_string(a));
+-				fprintf(stderr, "%s", strerror(errno));
++				safe_fprintf(stderr, ": %s: %s",
++				    archive_error_string(a),
++				    strerror(archive_errno(a)));
+ 				if (!bsdtar->verbose)
+ 					fprintf(stderr, "\n");
+ 				bsdtar->return_value = 1;
+-- 
+2.41.0
+
-- 
2.41.0





^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [bug#70113] SECURITY: Xz backdoor / JiaT75 cleanup for libarchive
  2024-03-31 20:44 ` [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue Leo Famulari
@ 2024-03-31 20:51   ` Leo Famulari
  0 siblings, 0 replies; 8+ messages in thread
From: Leo Famulari @ 2024-03-31 20:51 UTC (permalink / raw)
  To: 70113

[-- Attachment #1: Type: text/plain, Size: 8255 bytes --]

The malicious actor that attacked Xz was also active in the libarchive
codebase:

https://github.com/libarchive/libarchive/issues/2103

This patch cherry-picks a fix for a potential vulnerability added by
this entity. The patch file includes annotations.

Please test with packages that directly use libarchive! For example:

------
$ ./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name,synopsis,location 
name: dwarfs
synopsis: Fast high compression read-only file system  
location: gnu/packages/file-systems.scm:2106:2

name: patool
synopsis: Portable archive file manager  
location: gnu/packages/patool.scm:37:2

name: gnome-boxes
synopsis: View, access, and manage remote and virtual systems  
location: gnu/packages/gnome.scm:12554:2

name: proot
synopsis: Unprivileged chroot, bind mount, and binfmt_misc  
location: gnu/packages/linux.scm:8449:2

name: geary
synopsis: GNOME email application built around conversations  
location: gnu/packages/gnome.scm:12630:2

name: tesseract-ocr
synopsis: Optical character recognition engine  
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine  
location: gnu/packages/ocr.scm:192:2

name: reprepro
synopsis: Debian package repository producer  
location: gnu/packages/debian.scm:610:2

name: libjami
synopsis: Jami core library and daemon  
location: gnu/packages/jami.scm:85:2

name: diffoscope
synopsis: Compare files, archives, and directories in depth  
location: gnu/packages/diffoscope.scm:75:2

name: geeqie
synopsis: Lightweight GTK+ based image viewer  
location: gnu/packages/image-viewers.scm:235:2

name: samba
synopsis: The standard Windows interoperability suite of programs for GNU and Unix  
location: gnu/packages/samba.scm:296:2

name: gpaste
synopsis: Clipboard management system for GNOME Shell  
location: gnu/packages/gnome-xyz.scm:1012:2

name: libextractor
synopsis: Library to extract meta-data from media files  
location: gnu/packages/gnunet.scm:87:2

name: unrar-free
synopsis: Extract files from RAR archives  
location: gnu/packages/compression.scm:2813:2

name: archivemount
synopsis: Tool for mounting archive files with FUSE  
location: gnu/packages/linux.scm:4034:2

name: rpm
synopsis: The RPM Package Manager  
location: gnu/packages/package-management.scm:934:2

name: nix
synopsis: The Nix package manager  
location: gnu/packages/package-management.scm:804:2

name: gvfs
synopsis: Userspace virtual file system for GIO  
location: gnu/packages/gnome.scm:7000:2

name: claws-mail
synopsis: GTK-based Email client  
location: gnu/packages/mail.scm:1753:2

name: kbackup
synopsis: Backup program with an easy-to-use interface  
location: gnu/packages/kde-utils.scm:438:2

name: cmake-minimal-cross
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:411:2

name: scilab
synopsis: Software for engineers and scientists  
location: gnu/packages/maths.scm:9708:2

name: pixz
synopsis: Parallel indexing implementation of LZMA  
location: gnu/packages/compression.scm:1037:2

name: cmake-minimal
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:263:2

name: python-fsspec
synopsis: File-system specification  
location: gnu/packages/python-xyz.scm:27706:2

name: libostree
synopsis: Operating system and container binary deployment and upgrades  
location: gnu/packages/package-management.scm:1958:2

name: cmake
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:346:2

name: meandmyshadow
synopsis: Puzzle/platform game  
location: gnu/packages/games.scm:1788:2

name: reprotest
synopsis: Build software and check it for reproducibility  
location: gnu/packages/diffoscope.scm:247:2

name: gimp-next
synopsis: GNU Image Manipulation Program  
location: gnu/packages/gimp.scm:415:2

name: rdup
synopsis: Provide a list of files to backup  
location: /home/leo/work/guix/gnu/packages/backup.scm:370:2

name: irods-client-icommands
synopsis: Data management software  
location: gnu/packages/irods.scm:170:2

name: nestopia-ue
synopsis: Nintendo Entertainment System (NES/Famicom) emulator  
location: gnu/packages/emulators.scm:1363:2

name: avogadrolibs
synopsis: Libraries for chemistry, bioinformatics, and related areas  
location: gnu/packages/chemistry.scm:74:2

name: swi-prolog
synopsis: ISO/Edinburgh-style Prolog interpreter  
location: gnu/packages/prolog.scm:88:2

name: evince
synopsis: GNOME's document viewer  
location: gnu/packages/gnome.scm:2669:2

name: singularity
synopsis: Container platform  
location: gnu/packages/linux.scm:5245:2

name: pqiv
synopsis: Powerful image viewer with minimal UI  
location: gnu/packages/image-viewers.scm:896:2

name: python-libarchive-c
synopsis: Python interface to libarchive  
location: gnu/packages/python-xyz.scm:16283:2

name: python-conda-package-handling
synopsis: Create and extract conda packages of various formats  
location: gnu/packages/package-management.scm:1105:2

name: opencpn
synopsis: Chart plotter and marine GPS navigation software  
location: gnu/packages/geo.scm:2473:2

name: midori
synopsis: Lightweight graphical web browser  
location: gnu/packages/web-browsers.scm:106:2

name: appstream-glib
synopsis: Library for reading and writing AppStream metadata  
location: gnu/packages/glib.scm:1346:2

name: libgxps
synopsis: GObject-based library for handling and rendering XPS documents  
location: gnu/packages/gnome.scm:2069:2

name: libticalcs2
synopsis: Support library for TI calculators  
location: gnu/packages/emulators.scm:1747:2

name: irods
synopsis: Data management software  
location: gnu/packages/irods.scm:48:2

name: ardour
synopsis: Digital audio workstation  
location: gnu/packages/audio.scm:775:2

name: libtifiles2
synopsis: File functions library for TI calculators  
location: gnu/packages/emulators.scm:1712:2

name: flatpak
synopsis: System for building, distributing, and running sandboxed desktop applications  
location: gnu/packages/package-management.scm:2011:2

name: epic5
synopsis: Epic5 IRC Client  
location: gnu/packages/irc.scm:669:2

name: file-roller
synopsis: Graphical archive manager for GNOME  
location: gnu/packages/gnome.scm:7628:2

name: rpi-imager
synopsis: Raspberry Pi Imaging Utility  
location: gnu/packages/raspberry-pi.scm:467:2

name: fwupd
synopsis: Daemon to allow session software to update firmware  
location: gnu/packages/firmware.scm:211:2

name: totem-pl-parser
synopsis: Library to parse and save media playlists for GNOME  
location: gnu/packages/gnome.scm:6075:1

name: osinfo-db-tools
synopsis: Tools for managing the osinfo database  
location: gnu/packages/virtualization.scm:2691:2

name: ark
synopsis: Graphical archiving tool  
location: gnu/packages/kde-utils.scm:54:2

name: vlc
synopsis: Audio and video framework  
location: gnu/packages/video.scm:2365:2

name: fpm
synopsis: Package building and mangling tool  
location: gnu/packages/package-management.scm:2118:2

name: hydrogen
synopsis: Drum machine  
location: gnu/packages/music.scm:869:2

name: gnome-autoar
synopsis: Archives integration support for GNOME  
location: gnu/packages/gnome.scm:9531:2

name: python-py7zr
synopsis: 7-zip in Python  
location: gnu/packages/python-compression.scm:444:2

name: zathura-cb
synopsis: Comic book support for zathura (libarchive backend)  
location: gnu/packages/pdf.scm:516:2

name: python-rarfile
synopsis: RAR archive reader for Python  
location: gnu/packages/python-xyz.scm:19616:2

name: epiphany
synopsis: GNOME web browser  
location: gnu/packages/gnome.scm:7160:2

name: gnome-arcade
synopsis: Minimal MAME frontend  
location: gnu/packages/emulators.scm:1962:2

name: zeal
synopsis: Offline documentation browser inspired by Dash  
location: gnu/packages/documentation.scm:412:4

name: pcsxr
synopsis: PlayStation emulator  
location: gnu/packages/emulators.scm:2057:4

name: atril
synopsis: Document viewer for Mate  
location: gnu/packages/mate.scm:683:2
------

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [bug#70114] [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
  2024-03-31 20:44 [bug#70114] [PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive Leo Famulari
  2024-03-31 20:44 ` [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue Leo Famulari
@ 2024-04-02  3:23 ` John Kehayias via Guix-patches via
  2024-04-02 13:24   ` Efraim Flashner
                     ` (2 more replies)
  1 sibling, 3 replies; 8+ messages in thread
From: John Kehayias via Guix-patches via @ 2024-04-02  3:23 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 70114, 70113

Hi Leo,

On Sun, Mar 31, 2024 at 04:44 PM, Leo Famulari wrote:

> https://github.com/libarchive/libarchive/pull/2101
>
> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> (libarchive/fixed): New variable.
> * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
>

Overall changes look good, but I have not had a chance to try it locally
(building or dependents).

[...]

> +(define-public libarchive/fixed
> +  (package
> +    (inherit libarchive)
> +    (version "3.6.1")
> +    (source
> +     (origin
> +       (method url-fetch)
> +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
> +                                 version ".tar.xz")
> +                  (string-append "https://github.com/libarchive/libarchive"
> +                                 "/releases/download/v" version "/libarchive-"
> +                                 version ".tar.xz")))

In light of the xz backdoor, perhaps we should just do a git checkout of
the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

I haven't had a chance to look at potential ABI changes, but perhaps at
least v3.6.2 is graftable? That also lists a security update (as well as
later versions).

Or, if it is easier and this is tested on your end, let's push this and
do an upgrade to the latest on a branch. I would volunteer mesa-updates,
but Cuirass has been stuck all day not building anything, so I don't
know what will end up being quickest (which branch or a new one).

Thanks for the quick work!
John





^ permalink raw reply	[flat|nested] 8+ messages in thread

* [bug#70114] [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
  2024-04-02  3:23 ` [bug#70114] [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue John Kehayias via Guix-patches via
@ 2024-04-02 13:24   ` Efraim Flashner
  2024-04-02 13:45   ` pelzflorian (Florian Pelz)
  2024-04-03 22:08   ` bug#70113: " Leo Famulari
  2 siblings, 0 replies; 8+ messages in thread
From: Efraim Flashner @ 2024-04-02 13:24 UTC (permalink / raw)
  To: John Kehayias; +Cc: 70114, 70113, Leo Famulari

[-- Attachment #1: Type: text/plain, Size: 2489 bytes --]

On Tue, Apr 02, 2024 at 03:23:44AM +0000, John Kehayias via Guix-patches via wrote:
> Hi Leo,
> 
> On Sun, Mar 31, 2024 at 04:44 PM, Leo Famulari wrote:
> 
> > https://github.com/libarchive/libarchive/pull/2101
> >
> > * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> > (libarchive/fixed): New variable.
> > * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> >
> 
> Overall changes look good, but I have not had a chance to try it locally
> (building or dependents).
> 

This looks like what I was going to suggest

> [...]
> 
> > +(define-public libarchive/fixed
> > +  (package
> > +    (inherit libarchive)
> > +    (version "3.6.1")
> > +    (source
> > +     (origin
> > +       (method url-fetch)
> > +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
> > +                                 version ".tar.xz")
> > +                  (string-append "https://github.com/libarchive/libarchive"
> > +                                 "/releases/download/v" version "/libarchive-"
> > +                                 version ".tar.xz")))
> 
> In light of the xz backdoor, perhaps we should just do a git checkout of
> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

In this case it was just the patch which didn't do (just) what the
commit message said. IMO applying this patch will make us safe from this
potential JiaT75 backdoor, no bootstrapping from source needed.

> I haven't had a chance to look at potential ABI changes, but perhaps at
> least v3.6.2 is graftable? That also lists a security update (as well as
> later versions).
> 
> Or, if it is easier and this is tested on your end, let's push this and
> do an upgrade to the latest on a branch. I would volunteer mesa-updates,
> but Cuirass has been stuck all day not building anything, so I don't
> know what will end up being quickest (which branch or a new one).

If it turns out that we need to move forward a bit to guard against
other CVEs then this patch should be forward compatible, considering it
was just added to the libarchive repository.

> Thanks for the quick work!
> John

Indeed. Thanks!

-- 
Efraim Flashner   <efraim@flashner.co.il>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
  2024-04-02  3:23 ` [bug#70114] [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue John Kehayias via Guix-patches via
  2024-04-02 13:24   ` Efraim Flashner
@ 2024-04-02 13:45   ` pelzflorian (Florian Pelz)
  2024-04-04  2:38     ` John Kehayias via Guix-patches via
  2024-04-03 22:08   ` bug#70113: " Leo Famulari
  2 siblings, 1 reply; 8+ messages in thread
From: pelzflorian (Florian Pelz) @ 2024-04-02 13:45 UTC (permalink / raw)
  To: John Kehayias; +Cc: 70114, 70113, Leo Famulari

Hello,

John Kehayias via Guix-patches via <guix-patches@gnu.org> writes:
>> +(define-public libarchive/fixed
>> +  (package
>> +    (inherit libarchive)
>> +    (version "3.6.1")
>> +    (source
>> +     (origin
>> +       (method url-fetch)
>> +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
>> +                                 version ".tar.xz")
>> +                  (string-append "https://github.com/libarchive/libarchive"
>> +                                 "/releases/download/v" version "/libarchive-"
>> +                                 version ".tar.xz")))
>
> In light of the xz backdoor, perhaps we should just do a git checkout of
> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

Not having followed the details, I believe the git checkout contained an
incomplete part of the malicious code too, from what Joshua Branson (I
guess the sender is him?) cites from Phoronix
<https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00002.html>:

jbranso@dismail.de writes:
> The malicious injection present in the xz versions 5.6.0 and 5.6.1
> libraries is obfuscated and only included in full in the download package
> - the Git distribution lacks the M4 macro that triggers the build 
> of the malicious code. The second-stage artifacts are present in 
> the Git repository for the injection during the build time, in 
> case the malicious M4 macro is present.

It doesn’t look like avoiding tarballs gives us more verified code.

Regards,
Florian




^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#70113: [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
  2024-04-02  3:23 ` [bug#70114] [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue John Kehayias via Guix-patches via
  2024-04-02 13:24   ` Efraim Flashner
  2024-04-02 13:45   ` pelzflorian (Florian Pelz)
@ 2024-04-03 22:08   ` Leo Famulari
  2 siblings, 0 replies; 8+ messages in thread
From: Leo Famulari @ 2024-04-03 22:08 UTC (permalink / raw)
  To: John Kehayias; +Cc: 70114, 70113-done

[-- Attachment #1: Type: text/plain, Size: 509 bytes --]

On Tue, Apr 02, 2024 at 03:23:44AM +0000, John Kehayias wrote:
> Overall changes look good, but I have not had a chance to try it locally
> (building or dependents).

I successfully tested with the file-roller package, which depends
directly on libarchive and no other related packages. I think it's a
reasonable basic test case.

I agree it's a good idea to look into a more comprehensive update to
libarchive, but I just wanted to get this patch in ASAP.

Pushed as 629614c7a3f9283306939402f1ff46914f327c21

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
  2024-04-02 13:45   ` pelzflorian (Florian Pelz)
@ 2024-04-04  2:38     ` John Kehayias via Guix-patches via
  0 siblings, 0 replies; 8+ messages in thread
From: John Kehayias via Guix-patches via @ 2024-04-04  2:38 UTC (permalink / raw)
  To: pelzflorian (Florian Pelz); +Cc: 70114, 70113, Leo Famulari

Hello,

On Tue, Apr 02, 2024 at 03:45 PM, pelzflorian (Florian Pelz) wrote:

> Hello,
>
> John Kehayias via Guix-patches via <guix-patches@gnu.org> writes:
>>> +(define-public libarchive/fixed
>>> +  (package
>>> +    (inherit libarchive)
>>> +    (version "3.6.1")
>>> +    (source
>>> +     (origin
>>> +       (method url-fetch)
>>> +       (uri (list (string-append "<https://libarchive.org/downloads/libarchive>-"
>>> +                                 version ".tar.xz")
>>> +                  (string-append "<https://github.com/libarchive/libarchive>"
>>> +                                 "/releases/download/v" version "/libarchive-"
>>> +                                 version ".tar.xz")))
>>
>> In light of the xz backdoor, perhaps we should just do a git checkout of
>> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.
>
> Not having followed the details, I believe the git checkout contained an
> incomplete part of the malicious code too, from what Joshua Branson (I
> guess the sender is him?) cites from Phoronix
> <https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00002.html>:
>
> jbranso@dismail.de writes:
>> The malicious injection present in the xz versions 5.6.0 and 5.6.1
>> libraries is obfuscated and only included in full in the download package
>> - the Git distribution lacks the M4 macro that triggers the build
>> of the malicious code. The second-stage artifacts are present in
>> the Git repository for the injection during the build time, in
>> case the malicious M4 macro is present.
>
> It doesn’t look like avoiding tarballs gives us more verified code.
>

Well, it removes one step where something can be added. From what I
understand release tarballs don't match a git checkout as often build
artifacts (from autotools) are added, so it is just another potential
attack vector. Indeed, it was only part of the attack here, but I do
believe there is general support for trying to favor git checkouts
when we can (there is overhead and I think issues for parts in
bootstrapping, to get git). Certainly not perfect, but gets us to
"just" the source. One can still do things with access of course.

Thanks Leo for the quick work here and pushing the patch, much
appreciated!

John





^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2024-04-04  2:40 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-03-31 20:44 [bug#70114] [PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive Leo Famulari
2024-03-31 20:44 ` [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue Leo Famulari
2024-03-31 20:51   ` [bug#70113] SECURITY: Xz backdoor / JiaT75 cleanup for libarchive Leo Famulari
2024-04-02  3:23 ` [bug#70114] [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue John Kehayias via Guix-patches via
2024-04-02 13:24   ` Efraim Flashner
2024-04-02 13:45   ` pelzflorian (Florian Pelz)
2024-04-04  2:38     ` John Kehayias via Guix-patches via
2024-04-03 22:08   ` bug#70113: " Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).