From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([209.51.188.92]:40299)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ggGMt-0000zh-GS
	for guix-patches@gnu.org; Sun, 06 Jan 2019 16:54:04 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ggGMs-0004zs-N6
	for guix-patches@gnu.org; Sun, 06 Jan 2019 16:54:03 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:48114)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1ggGMs-0004zm-GY
	for guix-patches@gnu.org; Sun, 06 Jan 2019 16:54:02 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ggGMs-0000t3-E9
	for guix-patches@gnu.org; Sun, 06 Jan 2019 16:54:02 -0500
Subject: bug#33988: [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and
	fix CVE-2018-{1000877, 1000878, 1000880}.
Resent-To: guix-patches@gnu.org
Resent-Message-ID: <handler.33988.D33988.15468116193375.done@debbugs.gnu.org>
From: Alex Vong <alexvong1995@gmail.com>
In-Reply-To: <20190106181638.GA18341@jasmine.lan> (Leo Famulari's message of
	"Sun, 6 Jan 2019 13:16:38 -0500")
References: <87pntbw120.fsf@gmail.com> <20190106181638.GA18341@jasmine.lan>
Date: Mon, 07 Jan 2019 05:53:19 +0800
Message-ID: <87va31pi5s.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha256; protocol="application/pgp-signature"
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: 33988-done@debbugs.gnu.org
Cc: alexvong1995@gmail.com

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Leo Famulari <leo@famulari.name> writes:

> On Sat, Jan 05, 2019 at 11:56:23PM +0800, Alex Vong wrote:
>> Tags: security
>>=20
>> Hello guix,
>>=20
>> The following patch fixes all CVEs in libarchive. Since updating
>> libarchive would cause > 3000 rebuilds, we graft instead.
>>=20
>
>> From c8f1c64de45c7a1fefed69d902164f3577aac817 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Sat, 5 Jan 2019 23:20:41 +0800
>> Subject: [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix
>>  CVE-2018-{1000877,1000878,1000880}.
>>=20
>> * gnu/packages/backup.scm (libarchive)[source, home-page]: Use HTTPS.
>> [replacement]: New field.
>> (libarchive-3.3.3): New variable.
>> * gnu/packages/patches/libarchive-CVE-2018-1000877.patch,
>> gnu/packages/patches/libarchive-CVE-2018-1000878.patch,
>> gnu/packages/patches/libarchive-CVE-2018-1000880.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>
> Thanks, this works for me. Please push! :)

Thanks for the review.
Pushed as c824dedf711dc4aa33e005fa291a3aec58a9e2e2!

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXDJ4zwAKCRBh71Au9gJS
8vZKAQCjIVLlMfl65jaNPVJRWlfoSDZULV0s5xl2u7w/tPxOowD/Xe/0qcImW8qX
AqjC6gr53MxWxLYK5C7pU1NG5fUGuQM=
=TZlY
-----END PGP SIGNATURE-----
--=-=-=--