GNU bug report logs - #74283
[PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes]
Hi Liliana,
Liliana Marie Prikler <liliana.prikler <at> gmail.com> writes:
> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].
Seems serious.
> ---
> gnu/packages/backup.scm | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
> index 0973c5ddca..22c1ef64e9 100644
> --- a/gnu/packages/backup.scm
> +++ b/gnu/packages/backup.scm
> @@ -262,6 +262,7 @@ (define-public hdup
> (define-public libarchive
> (package
> (name "libarchive")
> + (replacement libarchive/fixed)
> (version "3.6.1")
> (source
> (origin
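Review bot: the `(replacement libarchive/fixed)` field is added to a package whose version is still 3.6.1, while the subject says the graft targets 3.7.7; a graft substitutes the replacement's store output for the original in dependents without rebuilding them, so it is only sound if the replacement is binary-compatible (same shared library names and exported ABI). Please state in the commit message that the 3.6.1 to 3.7.7 jump was checked for ABI compatibility, or note which dependents were spot-checked.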
> @@ -351,6 +352,22 @@ (define-public libarchive
> @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
> (license license:bsd-2)))
>
> +(define-public libarchive/fixed
The replacement doesn't need to be exposed itself to users/api. I'd
drop the '-public' part.
I've pushed it already, but will adjust to drop the public part later.
--
Thanks,
Maxim
This bug report was last modified 193 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.