From unknown Tue Jun 24 17:24:57 2025
From: bug#28374 <28374@debbugs.gnu.org>
To: bug#28374 <28374@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: libarchive: Replace with libarchive 3.3.2 and fix CVE-2017-14166.
Reply-To: bug#28374 <28374@debbugs.gnu.org>
Date: Wed, 25 Jun 2025 00:24:57 +0000

retitle 28374 [PATCH] gnu: libarchive: Replace with libarchive 3.3.2 and fix CVE-2017-14166.
reassign 28374 guix-patches
submitter 28374 Leo Famulari
severity 28374 normal
tag 28374 patch
thanks

From debbugs-submit-bounces@debbugs.gnu.org Wed Sep 06 15:45:20 2017
Received: (at submit) by debbugs.gnu.org; 6 Sep 2017 19:45:20 +0000
From: Leo Famulari To: guix-patches@gnu.org Subject: [PATCH] gnu: libarchive: Replace with libarchive 3.3.2 and fix CVE-2017-14166. Date: Wed, 6 Sep 2017 15:44:44 -0400 Message-Id: X-Mailer: git-send-email 2.14.1 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.1 (----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.9 (/) * gnu/packages/backup.scm (libarchive)[replacement]: New field. (libarchive-3.3.2): New variable. * gnu/packages/patches/libarchive-CVE-2017-14166.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/backup.scm | 9 +++-- .../patches/libarchive-CVE-2017-14166.patch | 45 ++++++++++++++++++++++ 3 files changed, 51 insertions(+), 4 deletions(-) create mode 100644 gnu/packages/patches/libarchive-CVE-2017-14166.patch diff --git a/gnu/local.mk b/gnu/local.mk index a38e4e2d5..60e9ff29f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -752,6 +752,7 @@ dist_patch_DATA = \ %D%/packages/patches/liba52-link-with-libm.patch \ %D%/packages/patches/liba52-set-soname.patch \ %D%/packages/patches/liba52-use-mtune-not-mcpu.patch \ + %D%/packages/patches/libarchive-CVE-2017-14166.patch \ %D%/packages/patches/libbase-fix-includes.patch \ %D%/packages/patches/libbase-use-own-logging.patch \ %D%/packages/patches/libbonobo-activation-test-race.patch \ diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index eca69bebe..006d00ef0 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm 
@@ -184,6 +184,7 @@ backups (called chunks) to allow easy burning to CD/DVD.") (define-public libarchive (package (name "libarchive") + (replacement libarchive-3.3.2) (version "3.3.1") (source (origin @@ -239,19 +240,19 @@ archive. In particular, note that there is currently no built-in support for random access nor for in-place modification.") (license license:bsd-2))) -(define libarchive-3.3.1 +(define libarchive-3.3.2 (package (inherit libarchive) - (name "libarchive") - (version "3.3.1") + (version "3.3.2") (source (origin (method url-fetch) (uri (string-append "http://libarchive.org/downloads/libarchive-" version ".tar.gz")) + (patches (search-patches "libarchive-CVE-2017-14166.patch")) (sha256 (base32 - "1rr40hxlm9vy5z2zb5w7pyfkgd1a4s061qapm83s19accb8mpji9")))))) + "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd")))))) (define-public rdup (package diff --git a/gnu/packages/patches/libarchive-CVE-2017-14166.patch b/gnu/packages/patches/libarchive-CVE-2017-14166.patch new file mode 100644 index 000000000..a12284844 --- /dev/null +++ b/gnu/packages/patches/libarchive-CVE-2017-14166.patch 
@@ -0,0 +1,45 @@ +Fix CVE-2017-14166: + +https://github.com/libarchive/libarchive/issues/935 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166 + +Patch copied from upstream source repository: + +https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71 + +From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger +Date: Tue, 5 Sep 2017 18:12:19 +0200 +Subject: [PATCH] Do something sensible for empty strings to make fuzzers + happy. + +--- + libarchive/archive_read_support_format_xar.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c +index 7a22beb9d..93eeacc5e 100644 +--- a/libarchive/archive_read_support_format_xar.c ++++ b/libarchive/archive_read_support_format_xar.c +@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt) + uint64_t l; + int digit; + ++ if (char_cnt == 0) ++ return (0); ++ + l = 0; + digit = *p - '0'; + while (digit >= 0 && digit < 10 && char_cnt-- > 0) { +@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt) + { + int64_t l; + int digit; +- ++ ++ if (char_cnt == 0) ++ return (0); ++ + l = 0; + while (char_cnt-- > 0) { + if (*p >= '0' && *p <= '7') -- 2.14.1 From debbugs-submit-bounces@debbugs.gnu.org Thu Sep 07 14:30:25 2017 Received: (at control) by debbugs.gnu.org; 7 Sep 2017 18:30:25 +0000 Received: from localhost ([127.0.0.1]:54656 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dq1ZJ-0008Rh-M4 for submit@debbugs.gnu.org; Thu, 07 Sep 2017 14:30:25 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:36133) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dq1ZI-0008RY-A1 for control@debbugs.gnu.org; Thu, 07 Sep 2017 14:30:24 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id A44C020ACE; Thu, 
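Review bot: in the second backup.scm hunk the graft swaps 3.3.1 for a different upstream release, 3.3.2, with the CVE patch on top, rather than 3.3.1 plus the patch alone. A `replacement` is substituted into already-built dependents without rebuilding them, so 3.3.2 has to stay ABI-compatible with 3.3.1 (same shared-library soname, no removed or changed exported symbols); the commit message should say that this was checked, since a minor release can change more than a one-line fix. Dropping `(name "libarchive")` from the inherited package is fine because `inherit` carries it over, and the new base32 hash in the `sha256` field should be confirmed against the 3.3.2 tarball at the URL the `uri` field builds.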
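Review bot: the new patch file is the upstream commit fa7438a0 copied verbatim, which is the right way to carry a graft fix, but its header only says "Fix CVE-2017-14166" and links the issue; one sentence describing the defect would help whoever rebases it. The diff itself shows it: in atol10 the added `if (char_cnt == 0) return (0);` sits before `digit = *p - '0';`, a read of `*p` that happens before the loop's `char_cnt-- > 0` test, so a zero-length numeric field in a xar header made the parser read a byte outside the field it was asked to parse. In atol8 the `while (char_cnt-- > 0)` test already precedes any use of `*p`, so the guard there keeps the two parsers consistent, and the `-`/`+` pair just above it is a whitespace-only line change inherited from upstream; both are harmless and worth knowing so they are not "cleaned up" when the patch is refreshed.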
7 Sep 2017 14:30:23 -0400 (EDT)
Date: Thu, 7 Sep 2017 14:30:18 -0400
From: Leo Famulari
To: control@debbugs.gnu.org
Message-ID: <20170907183018.GA4095@jasmine.lan>
User-Agent: Mutt/1.8.3 (2017-05-23)

28374 close
close 28374

From unknown Tue Jun 24 17:24:57 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Fri, 06 Oct 2017 11:24:04 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator