From: John Kehayias via Guix-patches via <guix-patches@gnu.org>
To: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
Cc: 70114@debbugs.gnu.org, 70113@debbugs.gnu.org,
Leo Famulari <leo@famulari.name>
Subject: [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue.
Date: Thu, 04 Apr 2024 02:38:55 +0000
Message-ID: <8734s1x35x.fsf@protonmail.com>
In-Reply-To: <871q7nev3k.fsf@pelzflorian.de>
Hello,
On Tue, Apr 02, 2024 at 03:45 PM, pelzflorian (Florian Pelz) wrote:
> Hello,
>
> John Kehayias via Guix-patches via <guix-patches@gnu.org> writes:
>>> +(define-public libarchive/fixed
>>> + (package
>>> + (inherit libarchive)
>>> + (version "3.6.1")
>>> + (source
>>> + (origin
>>> + (method url-fetch)
>>> + (uri (list (string-append "<https://libarchive.org/downloads/libarchive>-"
>>> + version ".tar.xz")
>>> + (string-append "<https://github.com/libarchive/libarchive>"
>>> + "/releases/download/v" version "/libarchive-"
>>> + version ".tar.xz")))
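Review bot: the quoted part of the hunk defines `libarchive/fixed` with `(inherit libarchive)`, a bumped `version`, and two `url-fetch` tarball URIs, but no `sha256` is visible in these lines; whatever hash the full patch records should be the one obtained from a 3.6.1 tarball checked against upstream's published signature, not simply taken from the previously packaged (possibly tampered) release. Since the variant inherits from `libarchive`, the review should also confirm the base package names it as its `replacement`, otherwise existing dependents will not pick up the fix through grafting. Two mirrors for the same `version` is fine, but both must serve byte-identical archives or the recorded hash will only match one of them.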
>>
>> In light of the xz backdoor, perhaps we should just do a git checkout of
>> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.
>
> Not having followed the details, I believe the git checkout contained an
> incomplete part of the malicious code too, from what Joshua Branson (I
> guess the sender is him?) cites from Phoronix
> <https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00002.html>:
>
> jbranso@dismail.de writes:
>> The malicious injection present in the xz versions 5.6.0 and 5.6.1
>> libraries is obfuscated and only included in full in the download package
>> - the Git distribution lacks the M4 macro that triggers the build
>> of the malicious code. The second-stage artifacts are present in
>> the Git repository for the injection during the build time, in
>> case the malicious M4 macro is present.
>
> It doesn’t look like avoiding tarballs gives us more verified code.
>
Well, it removes one step where something can be added. From what I
understand release tarballs don't match a git checkout as often build
artifacts (from autotools) are added, so it is just another potential
attack vector. Indeed, it was only part of the attack here, but I do
believe there is general support for trying to favor git checkouts
when we can (there is overhead and I think issues for parts in
bootstrapping, to get git). Certainly not perfect, but gets us to
"just" the source. One can still do things with access of course.
Thanks Leo for the quick work here and pushing the patch, much
appreciated!
John
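As an added illustration of the alternative John describes (a `git-fetch` origin pinned to the release tag instead of a release tarball), not code from this patch or from Guix itself: the package variant below inherits from `libarchive`, fetches the `v3.6.1` tag from the GitHub repository named in the thread, and adds the autotools as native inputs because a plain checkout does not carry the generated `configure` script that the tarball ships (the gnu-build-system `bootstrap` phase regenerates it). The variable name `libarchive/git-example` and the all-zero `sha256` are placeholders; the real hash is whatever `guix hash` reports for the checked-out tree, recorded only after the tag has been verified against upstream's signed release.

```scheme
;; Added example, not part of the patch under review.
;; Assumes the (gnu packages backup), (gnu packages autotools) and
;; (guix git-download) modules are in scope, as they are in Guix proper.
(define-public libarchive/git-example
  (package
    (inherit libarchive)
    (version "3.6.1")
    (source
     (origin
       ;; Check out the release tag rather than downloading a tarball, so
       ;; no autotools-generated files enter the build from a release
       ;; archive; only what is in the repository at that tag is used.
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/libarchive/libarchive")
             (commit (string-append "v" version))))
       (file-name (git-file-name "libarchive" version))
       ;; Placeholder: replace with the hash of the verified checkout.
       (sha256
        (base32 "0000000000000000000000000000000000000000000000000000"))))
    ;; A git checkout lacks the pre-generated configure script, so the
    ;; build needs the autotools to bootstrap it.
    (native-inputs
     (modify-inputs (package-native-inputs libarchive)
       (prepend autoconf automake libtool)))))
```

The trade-off John mentions is visible here: the checkout removes the tarball as a place where extra files can be introduced, but it pulls autoconf, automake and libtool into the build closure, which matters for a package this low in the dependency graph.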
Thread overview:
2024-03-31 20:44 [bug#70114] [PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive Leo Famulari
2024-03-31 20:44 ` [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue Leo Famulari
2024-03-31 20:51 ` [bug#70113] SECURITY: Xz backdoor / JiaT75 cleanup for libarchive Leo Famulari
2024-04-02 3:23 ` [bug#70114] [bug#70113] [PATCH 1/1] gnu: libarchive: Fix a potential security issue John Kehayias via Guix-patches via
2024-04-02 13:24 ` Efraim Flashner
2024-04-02 13:45 ` pelzflorian (Florian Pelz)
2024-04-04 2:38 ` John Kehayias via Guix-patches via [this message]
2024-04-03 22:08 ` bug#70113: " Leo Famulari