From: Efraim Flashner
To: John Kehayias
Cc: 70114@debbugs.gnu.org, 70113@debbugs.gnu.org, Leo Famulari
Date: Tue, 2 Apr 2024 16:24:04 +0300
Subject: [bug#70114] [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
In-Reply-To: <87il10wipx.fsf@protonmail.com>
References: <7a74261a419e9127887bc9ea096294e42156cce1.1711917891.git.leo@famulari.name> <87il10wipx.fsf@protonmail.com>
On Tue, Apr 02, 2024 at 03:23:44AM +0000, John Kehayias via Guix-patches via wrote:
> Hi Leo,
>
> On Sun, Mar 31, 2024 at 04:44 PM, Leo Famulari wrote:
>
> > https://github.com/libarchive/libarchive/pull/2101
> >
> > * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> > (libarchive/fixed): New variable.
> > * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> >
>
> Overall changes look good, but I have not had a chance to try it locally
> (building or dependents).
>

This looks like what I was going to suggest.

> [...]
>
> > +(define-public libarchive/fixed
> > + (package
> > + (inherit libarchive)
> > + (version "3.6.1")
> > + (source
> > + (origin
> > + (method url-fetch)
> > + (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
> > + version ".tar.xz")
> > + (string-append "https://github.com/libarchive/libarchive"
> > + "/releases/download/v" version "/libarchive-"
> > + version ".tar.xz")))
>
> In light of the xz backdoor, perhaps we should just do a git checkout of
> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

In this case it was just the patch which didn't do (just) what the commit
message said. IMO applying this patch will make us safe from this potential
JiaT75 backdoor, no bootstrapping from source needed.

> I haven't had a chance to look at potential ABI changes, but perhaps at
> least v3.6.2 is graftable? That also lists a security update (as well as
> later versions).
>
> Or, if it is easier and this is tested on your end, let's push this and
> do an upgrade to the latest on a branch. I would volunteer mesa-updates,
> but Cuirass has been stuck all day not building anything, so I don't
> know what will end up being quickest (which branch or a new one).

If it turns out that we need to move forward a bit to guard against other
CVEs then this patch should be forward compatible, considering it was just
added to the libarchive repository.

> Thanks for the quick work!
> John

Indeed. Thanks!

-- 
Efraim Flashner רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
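Review bot: the libarchive/fixed origin in the quoted hunk re-specifies (method url-fetch) and the full two-entry URI list even though the package already does (inherit libarchive); if the version and download URLs are unchanged from the parent, the usual graft idiom (origin (inherit (package-source libarchive)) (patches (search-patches "libarchive-remove-potential-backdoor.patch"))) keeps them defined in one place and makes it obvious that the only difference between the two sources is the added patch, which is exactly the property a reviewer of a graft wants to confirm.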
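As an added illustration, not part of Leo's patch or the Guix tree, here is what John's suggestion of building the replacement from a git checkout of the v3.6.1 tag would look like, written with Guix's standard package API (git-fetch, git-reference, search-patches, modify-inputs). The sha256 value is a placeholder that would have to be replaced with the real hash of the checkout, the extra autotools native inputs are an assumption about what a git checkout needs compared with the release tarball, and the patch file name is the one from the commit message.

```scheme
;; Added example, not code from the patch under review: a libarchive
;; replacement (graft) that fetches the v3.6.1 git tag instead of the
;; release tarball.  Guix API names are real; the hash is a placeholder
;; and the extra native inputs are an assumption.
(use-modules (guix packages)
             (guix git-download)
             (gnu packages)              ; search-patches
             (gnu packages autotools)    ; autoconf, automake, libtool
             (gnu packages backup))      ; libarchive

(define-public libarchive/fixed
  (package
    (inherit libarchive)                 ; keeps name, version, build system
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/libarchive/libarchive")
             ;; Tag named from the inherited version, i.e. "v3.6.1".
             (commit (string-append "v" (package-version libarchive)))))
       (file-name (git-file-name "libarchive" (package-version libarchive)))
       ;; PLACEHOLDER: replace with the output of `guix hash -rx .`
       ;; run inside a checkout of the tag.
       (sha256
        (base32 "0000000000000000000000000000000000000000000000000000"))
       ;; Same patch as the tarball-based definition in the commit message.
       (patches (search-patches "libarchive-remove-potential-backdoor.patch"))))
    ;; Assumption: a git checkout has no generated configure script, so
    ;; the autotools must be present for gnu-build-system's bootstrap
    ;; phase to run autoreconf before configuring.
    (native-inputs
     (modify-inputs (package-native-inputs libarchive)
       (prepend autoconf automake libtool)))))
```

The parent package then gets `(replacement libarchive/fixed)` as the commit message describes. The "assuming that works" caveat from the thread is real: switching a graft's source from tarball to git changes how the build is bootstrapped, so the resulting library must still be checked to export the same ABI as the original before the graft is relied upon.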