Subject: [bug#70113] SECURITY: Xz backdoor / JiaT75 cleanup for libarchive
From: Leo Famulari
To: 70113@debbugs.gnu.org
Date: Sun, 31 Mar 2024 16:51:16 -0400
The malicious actor that attacked Xz was also active in the libarchive codebase:

https://github.com/libarchive/libarchive/issues/2103

This patch cherry-picks a fix for a potential vulnerability added by this entity. The patch file includes annotations.

Please test with packages that directly use libarchive! For example:

------
$ ./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name,synopsis,location

name: dwarfs
synopsis: Fast high compression read-only file system
location: gnu/packages/file-systems.scm:2106:2

name: patool
synopsis: Portable archive file manager
location: gnu/packages/patool.scm:37:2

name: gnome-boxes
synopsis: View, access, and manage remote and virtual systems
location: gnu/packages/gnome.scm:12554:2

name: proot
synopsis: Unprivileged chroot, bind mount, and binfmt_misc
location: gnu/packages/linux.scm:8449:2

name: geary
synopsis: GNOME email application built around conversations
location: gnu/packages/gnome.scm:12630:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:192:2

name: reprepro
synopsis: Debian package repository producer
location: gnu/packages/debian.scm:610:2

name: libjami
synopsis: Jami core library and daemon
location: gnu/packages/jami.scm:85:2

name: diffoscope
synopsis: Compare files, archives, and directories in depth
location: gnu/packages/diffoscope.scm:75:2

name: geeqie
synopsis: Lightweight GTK+ based image viewer
location: gnu/packages/image-viewers.scm:235:2

name: samba
synopsis: The standard Windows interoperability suite of programs for GNU and Unix
location: gnu/packages/samba.scm:296:2

name: gpaste
synopsis: Clipboard management system for GNOME Shell
location: gnu/packages/gnome-xyz.scm:1012:2

name: libextractor
synopsis: Library to extract meta-data from media files
location: gnu/packages/gnunet.scm:87:2

name: unrar-free
synopsis: Extract files from RAR archives
location: gnu/packages/compression.scm:2813:2

name: archivemount
synopsis: Tool for mounting archive files with FUSE
location: gnu/packages/linux.scm:4034:2

name: rpm
synopsis: The RPM Package Manager
location: gnu/packages/package-management.scm:934:2

name: nix
synopsis: The Nix package manager
location: gnu/packages/package-management.scm:804:2

name: gvfs
synopsis: Userspace virtual file system for GIO
location: gnu/packages/gnome.scm:7000:2

name: claws-mail
synopsis: GTK-based Email client
location: gnu/packages/mail.scm:1753:2

name: kbackup
synopsis: Backup program with an easy-to-use interface
location: gnu/packages/kde-utils.scm:438:2

name: cmake-minimal-cross
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:411:2

name: scilab
synopsis: Software for engineers and scientists
location: gnu/packages/maths.scm:9708:2

name: pixz
synopsis: Parallel indexing implementation of LZMA
location: gnu/packages/compression.scm:1037:2

name: cmake-minimal
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:263:2

name: python-fsspec
synopsis: File-system specification
location: gnu/packages/python-xyz.scm:27706:2

name: libostree
synopsis: Operating system and container binary deployment and upgrades
location: gnu/packages/package-management.scm:1958:2

name: cmake
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:346:2

name: meandmyshadow
synopsis: Puzzle/platform game
location: gnu/packages/games.scm:1788:2

name: reprotest
synopsis: Build software and check it for reproducibility
location: gnu/packages/diffoscope.scm:247:2

name: gimp-next
synopsis: GNU Image Manipulation Program
location: gnu/packages/gimp.scm:415:2

name: rdup
synopsis: Provide a list of files to backup
location: /home/leo/work/guix/gnu/packages/backup.scm:370:2

name: irods-client-icommands
synopsis: Data management software
location: gnu/packages/irods.scm:170:2

name: nestopia-ue
synopsis: Nintendo Entertainment System (NES/Famicom) emulator
location: gnu/packages/emulators.scm:1363:2

name: avogadrolibs
synopsis: Libraries for chemistry, bioinformatics, and related areas
location: gnu/packages/chemistry.scm:74:2

name: swi-prolog
synopsis: ISO/Edinburgh-style Prolog interpreter
location: gnu/packages/prolog.scm:88:2

name: evince
synopsis: GNOME's document viewer
location: gnu/packages/gnome.scm:2669:2

name: singularity
synopsis: Container platform
location: gnu/packages/linux.scm:5245:2

name: pqiv
synopsis: Powerful image viewer with minimal UI
location: gnu/packages/image-viewers.scm:896:2

name: python-libarchive-c
synopsis: Python interface to libarchive
location: gnu/packages/python-xyz.scm:16283:2

name: python-conda-package-handling
synopsis: Create and extract conda packages of various formats
location: gnu/packages/package-management.scm:1105:2

name: opencpn
synopsis: Chart plotter and marine GPS navigation software
location: gnu/packages/geo.scm:2473:2

name: midori
synopsis: Lightweight graphical web browser
location: gnu/packages/web-browsers.scm:106:2

name: appstream-glib
synopsis: Library for reading and writing AppStream metadata
location: gnu/packages/glib.scm:1346:2

name: libgxps
synopsis: GObject-based library for handling and rendering XPS documents
location: gnu/packages/gnome.scm:2069:2

name: libticalcs2
synopsis: Support library for TI calculators
location: gnu/packages/emulators.scm:1747:2

name: irods
synopsis: Data management software
location: gnu/packages/irods.scm:48:2

name: ardour
synopsis: Digital audio workstation
location: gnu/packages/audio.scm:775:2

name: libtifiles2
synopsis: File functions library for TI calculators
location: gnu/packages/emulators.scm:1712:2

name: flatpak
synopsis: System for building, distributing, and running sandboxed desktop applications
location: gnu/packages/package-management.scm:2011:2

name: epic5
synopsis: Epic5 IRC Client
location: gnu/packages/irc.scm:669:2

name: file-roller
synopsis: Graphical archive manager for GNOME
location: gnu/packages/gnome.scm:7628:2

name: rpi-imager
synopsis: Raspberry Pi Imaging Utility
location: gnu/packages/raspberry-pi.scm:467:2

name: fwupd
synopsis: Daemon to allow session software to update firmware
location: gnu/packages/firmware.scm:211:2

name: totem-pl-parser
synopsis: Library to parse and save media playlists for GNOME
location: gnu/packages/gnome.scm:6075:1

name: osinfo-db-tools
synopsis: Tools for managing the osinfo database
location: gnu/packages/virtualization.scm:2691:2

name: ark
synopsis: Graphical archiving tool
location: gnu/packages/kde-utils.scm:54:2

name: vlc
synopsis: Audio and video framework
location: gnu/packages/video.scm:2365:2

name: fpm
synopsis: Package building and mangling tool
location: gnu/packages/package-management.scm:2118:2

name: hydrogen
synopsis: Drum machine
location: gnu/packages/music.scm:869:2

name: gnome-autoar
synopsis: Archives integration support for GNOME
location: gnu/packages/gnome.scm:9531:2

name: python-py7zr
synopsis: 7-zip in Python
location: gnu/packages/python-compression.scm:444:2

name: zathura-cb
synopsis: Comic book support for zathura (libarchive backend)
location: gnu/packages/pdf.scm:516:2

name: python-rarfile
synopsis: RAR archive reader for Python
location: gnu/packages/python-xyz.scm:19616:2

name: epiphany
synopsis: GNOME web browser
location: gnu/packages/gnome.scm:7160:2

name: gnome-arcade
synopsis: Minimal MAME frontend
location: gnu/packages/emulators.scm:1962:2

name: zeal
synopsis: Offline documentation browser inspired by Dash
location: gnu/packages/documentation.scm:412:4

name: pcsxr
synopsis: PlayStation emulator
location: gnu/packages/emulators.scm:2057:4

name: atril
synopsis: Document viewer for Mate
location: gnu/packages/mate.scm:683:2
------