From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: bug#33988: [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix CVE-2018-{1000877, 1000878, 1000880}.
From: Alex Vong
In-Reply-To: <20190106181638.GA18341@jasmine.lan> (Leo Famulari's message of "Sun, 6 Jan 2019 13:16:38 -0500")
References: <87pntbw120.fsf@gmail.com> <20190106181638.GA18341@jasmine.lan>
Date: Mon, 07 Jan 2019 05:53:19 +0800
Message-ID: <87va31pi5s.fsf@gmail.com>
To: 33988-done@debbugs.gnu.org
Cc: alexvong1995@gmail.com

Leo Famulari writes:

> On Sat, Jan 05, 2019 at 11:56:23PM +0800, Alex Vong wrote:
>> Tags: security
>>
>> Hello guix,
>>
>> The following patch fixes all CVEs in libarchive. Since updating
>> libarchive would cause > 3000 rebuilds, we graft instead.
>>
>
>> From c8f1c64de45c7a1fefed69d902164f3577aac817 Mon Sep 17 00:00:00 2001
>> From: Alex Vong
>> Date: Sat, 5 Jan 2019 23:20:41 +0800
>> Subject: [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix
>> CVE-2018-{1000877,1000878,1000880}.
>>
>> * gnu/packages/backup.scm (libarchive)[source, home-page]: Use HTTPS.
>> [replacement]: New field.
>> (libarchive-3.3.3): New variable.
>> * gnu/packages/patches/libarchive-CVE-2018-1000877.patch,
>> gnu/packages/patches/libarchive-CVE-2018-1000878.patch,
>> gnu/packages/patches/libarchive-CVE-2018-1000880.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>
> Thanks, this works for me. Please push! :)

Thanks for the review. Pushed as c824dedf711dc4aa33e005fa291a3aec58a9e2e2!