From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: libarchive security fixes (was Re: Core-updates timeline)
Date: Mon, 03 Oct 2016 18:10:10 +0200
Message-ID: <871szx9zx9.fsf@gnu.org>
In-Reply-To: <20161002201404.GA9126@jasmine> (Leo Famulari's message of "Sun, 2 Oct 2016 16:14:04 -0400")
To: Leo Famulari
Cc: guix-devel@gnu.org

Hi!

Leo Famulari skribis:

> On Sun, Oct 02, 2016 at 02:50:34PM -0400, Leo Famulari wrote:
>> On Sun, Oct 02, 2016 at 03:38:58PM +0200, Ludovic Courtès wrote:
>> > We could wait an additional day for libarchive if it’s more convenient,
>> > but maybe not longer than that.
>> >
>> > What do you think would be the most convenient approach?
>>
>> I will send a patch that cherry-picks what I think are the most
>> important bug fixes. I can't guess when libarchive 3.2.2 will be
>> released.
>
> I've attached a patch.
>
> It cherry-picks some fixes for some filesystem attacks and two overflows
> that can be triggered with "crafted" input. The details are in the patch
> files.
>
> I understand if this approach of cherry-picking a handful of commits is
> not acceptable. It's hard to judge the full impact of taking only these
> changes, some of which are quite significant, without being familiar with
> the libarchive code.
>
> That's the reason why I've been waiting for a new upstream release. But
> I figured I should at least try to get these bug fixes into the next
> release of Guix :)

Sounds reasonable. :-)

> From 042d5a7df4962c3b81fbfefa0027b6f1cf356b5f Mon Sep 17 00:00:00 2001
> From: Leo Famulari
> Date: Sun, 2 Oct 2016 15:58:06 -0400
> Subject: [PATCH] gnu: libarchive: Fix several security issues.
>
> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> (libarchive/fixed): New variable.
> * gnu/packages/patches/libarchive-7zip-heap-overflow.patch,
> gnu/packages/patches/libarchive-fix-symlink-check.patch,
> gnu/packages/patches/libarchive-fix-filesystem-attacks.patch,
> gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.

Don’t they have a CVE assigned? If so, please make sure to name them
accordingly. Otherwise LGTM.

I won’t pretend to have a precise understanding of the impact of these
bugs, but clearly they can be triggered with specially-crafted input,
which sounds bad. So better have these fixes.

Thank you!

Ludo’.