GNU bug report logs - #74283
[PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes]

Previous Next

Package: guix-patches;

Reported by: Liliana Marie Prikler <liliana.prikler <at> gmail.com>

Date: Sat, 9 Nov 2024 16:11:02 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
Subject: bug#74283: closed (Re: [bug#74283] [PATCH] gnu: libarchive: Graft
 to 3.7.7. [security fixes])
Date: Tue, 12 Nov 2024 11:35:02 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#74283: [PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes]

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 74283 <at> debbugs.gnu.org.

-- 
74283: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=74283
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
Cc: 74283-done <at> debbugs.gnu.org
Subject: Re: [bug#74283] [PATCH] gnu: libarchive: Graft to 3.7.7. [security
 fixes]
Date: Tue, 12 Nov 2024 20:32:50 +0900

Hi,

Liliana Marie Prikler <liliana.prikler <at> gmail.com> writes:

> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].

Pushed with a6dab6e915!  Thank you.

-- 
Thanks,
Maxim


[Message part 3 (message/rfc822, inline)]
From: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes]
Date: Sat, 9 Nov 2024 15:27:49 +0100

* gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
(libarchive/fixed): New variable.

Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
Fixes: NULL pointer dereference [CVE-2022-36227].
---
 gnu/packages/backup.scm | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 0973c5ddca..22c1ef64e9 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -262,6 +262,7 @@ (define-public hdup
 (define-public libarchive
   (package
     (name "libarchive")
+    (replacement libarchive/fixed)
     (version "3.6.1")
     (source
      (origin
@@ -351,6 +352,22 @@ (define-public libarchive
 @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
     (license license:bsd-2)))
 
+(define-public libarchive/fixed
+  (package
+    (inherit libarchive)
+    (version "3.7.7")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
+                                 version ".tar.xz")
+                  (string-append "https://github.com/libarchive/libarchive"
+                                 "/releases/download/v" version "/libarchive-"
+                                 version ".tar.xz")))
+       (sha256
+        (base32
+         "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7"))))))
+
 (define-public rdup
   (package
     (name "rdup")

base-commit: 2a6d96425eea57dc6dd48a2bec16743046e32e06
prerequisite-patch-id: ecae21ac778a87cc06da1605938183a6d068b4e0
prerequisite-patch-id: 556d0786c44ebcc378f5a35ba582d6b3c98d44a2
prerequisite-patch-id: 13d32cd5a82d8f7092c058d31369dbeda68dc472
prerequisite-patch-id: 9e85b59d6e53ffb000d6e3f9fe2d317190a9cd97
prerequisite-patch-id: df8a3ab92c9a09f631eb1d4fd109813ba6a79ab9
prerequisite-patch-id: dcffb45b7cd5a54797227bb7b92c528dddd5c7a2
-- 
2.46.0
This bug report was last modified 193 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.