GNU bug report logs -
#74283
[PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes]
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 74283 in the body.
You can then email your comments to 74283 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#74283; Package
guix-patches.
(Sat, 09 Nov 2024 16:11:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Liliana Marie Prikler <liliana.prikler <at> gmail.com>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Sat, 09 Nov 2024 16:11:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
(libarchive/fixed): New variable.
Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
Fixes: NULL pointer dereference [CVE-2022-36227].
---
gnu/packages/backup.scm | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 0973c5ddca..22c1ef64e9 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -262,6 +262,7 @@ (define-public hdup
(define-public libarchive
(package
(name "libarchive")
+ (replacement libarchive/fixed)
(version "3.6.1")
(source
(origin
@@ -351,6 +352,22 @@ (define-public libarchive
@command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
(license license:bsd-2)))
+(define-public libarchive/fixed
+ (package
+ (inherit libarchive)
+ (version "3.7.7")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
+ version ".tar.xz")
+ (string-append "https://github.com/libarchive/libarchive"
+ "/releases/download/v" version "/libarchive-"
+ version ".tar.xz")))
+ (sha256
+ (base32
+ "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7"))))))
+
(define-public rdup
(package
(name "rdup")
base-commit: 2a6d96425eea57dc6dd48a2bec16743046e32e06
prerequisite-patch-id: ecae21ac778a87cc06da1605938183a6d068b4e0
prerequisite-patch-id: 556d0786c44ebcc378f5a35ba582d6b3c98d44a2
prerequisite-patch-id: 13d32cd5a82d8f7092c058d31369dbeda68dc472
prerequisite-patch-id: 9e85b59d6e53ffb000d6e3f9fe2d317190a9cd97
prerequisite-patch-id: df8a3ab92c9a09f631eb1d4fd109813ba6a79ab9
prerequisite-patch-id: dcffb45b7cd5a54797227bb7b92c528dddd5c7a2
--
2.46.0
Reply sent
to
Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility.
(Tue, 12 Nov 2024 11:35:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Liliana Marie Prikler <liliana.prikler <at> gmail.com>:
bug acknowledged by developer.
(Tue, 12 Nov 2024 11:35:02 GMT)
Full text and
rfc822 format available.
Message #10 received at 74283-done <at> debbugs.gnu.org (full text, mbox):
Hi,
Liliana Marie Prikler <liliana.prikler <at> gmail.com> writes:
> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].
Pushed with a6dab6e915! Thank you.
--
Thanks,
Maxim
Information forwarded
to
guix-patches <at> gnu.org:
bug#74283; Package
guix-patches.
(Wed, 13 Nov 2024 02:58:02 GMT)
Full text and
rfc822 format available.
Message #13 received at 74283-done <at> debbugs.gnu.org (full text, mbox):
Hi Liliana,
Liliana Marie Prikler <liliana.prikler <at> gmail.com> writes:
> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].
Seems serious.
> ---
> gnu/packages/backup.scm | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
> index 0973c5ddca..22c1ef64e9 100644
> --- a/gnu/packages/backup.scm
> +++ b/gnu/packages/backup.scm
> @@ -262,6 +262,7 @@ (define-public hdup
> (define-public libarchive
> (package
> (name "libarchive")
> + (replacement libarchive/fixed)
> (version "3.6.1")
> (source
> (origin
> @@ -351,6 +352,22 @@ (define-public libarchive
> @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
> (license license:bsd-2)))
>
> +(define-public libarchive/fixed
The replacement doesn't need to be exposed itself to users/api. I'd
drop the '-public' part.
I've pushed it already, but will adjust to drop the public part later.
--
Thanks,
Maxim
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Wed, 11 Dec 2024 12:24:15 GMT)
Full text and
rfc822 format available.
This bug report was last modified 193 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.