[PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix CVE-2018-{1000877, 1000878, 1000880}.

  • Done
  • quality assurance status badge
Details
3 participants
  • Alex Vong
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Alex Vong
Severity
normal
A
A
Alex Vong wrote on 5 Jan 2019 16:56
(address . guix-patches@gnu.org)
87pntbw120.fsf@gmail.com
Tags: security

Hello guix,

The following patch fixes all CVEs in libarchive. Since updating
libarchive would cause > 3000 rebuilds, we graft instead.
Cheers,
Alex
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXDDTpwAKCRBh71Au9gJS
8nLRAQC+OYAjLWLK9qYlY6/SI9b2+9wU/aEyxt1Tkykv6FSL9wEA9tQriX64sSlH
47hMZx3nnnRcIgtegTOpcqmt9INdbAY=
=lE/M
-----END PGP SIGNATURE-----

L
L
Leo Famulari wrote on 6 Jan 2019 19:16
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 33988@debbugs.gnu.org)
20190106181638.GA18341@jasmine.lan
On Sat, Jan 05, 2019 at 11:56:23PM +0800, Alex Vong wrote:
Toggle quote (22 lines)
> Tags: security
>
> Hello guix,
>
> The following patch fixes all CVEs in libarchive. Since updating
> libarchive would cause > 3000 rebuilds, we graft instead.
>

> From c8f1c64de45c7a1fefed69d902164f3577aac817 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Sat, 5 Jan 2019 23:20:41 +0800
> Subject: [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix
> CVE-2018-{1000877,1000878,1000880}.
>
> * gnu/packages/backup.scm (libarchive)[source, home-page]: Use HTTPS.
> [replacement]: New field.
> (libarchive-3.3.3): New variable.
> * gnu/packages/patches/libarchive-CVE-2018-1000877.patch,
> gnu/packages/patches/libarchive-CVE-2018-1000878.patch,
> gnu/packages/patches/libarchive-CVE-2018-1000880.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.

Thanks, this works for me. Please push! :)
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlwyRgIACgkQJkb6MLrK
fwhaIA//c2/eVCJTsWSFtB2r8RMx6JCwiB7VuKbzQhpuFPXTiTF2lSI2gQWC0ATc
4VSbk2XLmNOeAV4I4LZF9r4pA1rjlWbQh9aSCoEGxMWfmkMfsWABoal0XsLcYccb
SxmtWsTOYiZ+qgt6y6ef7odnnmBLikzcWg+Vr2xqqMmyoxiYKK7HdxNx3/KarTZk
5waonSqi+9wf+ES9V30XeKDGwdyf55mVkyRsQ+QibwPJ7UoHFhfSJs12gRxNxloW
6DTSbRVgra0Aebd9g0qvYjxvkQCT6PuSI5mucq9/StNjSuWpNa55Ao/agv1xt+/h
wPidDx92CjY8fQoy0RBvbseMhadGILlJSlEi1pfFR9NGnxN96IWlpENR6hpReDSF
DNXsYf4U+Rv0BUfIx2vpC/kjmCq4vmwJOhXd8DKfjIkOPITyp9VjVnZZxKKn3HWe
ruA2cQ9BqHfglFVQiBM7ilFGoDe22w7WNBh6t1u3upQUdgUATI+AuZqQF1nz2tdI
U+9rIkXUXS5PO3/pfMBANVvNWgDCXId6il+YsM4A9FLDwL9RW7lS07+eFsDi6A8n
H97PdOGnDlFbJ/aedm19mjFAqTEXLqlwyBP0BWlJfXfZ6sjQOW7WjHHO2Xabcgdu
rWuVJ3EEa24kbfuyIZi5PHkrjln4Ewvur7EBcUFlbTNQgeHJ98I=
=Ojun
-----END PGP SIGNATURE-----


A
A
Alex Vong wrote on 6 Jan 2019 22:53
(address . 33988-done@debbugs.gnu.org)
87va31pi5s.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

Toggle quote (25 lines)
> On Sat, Jan 05, 2019 at 11:56:23PM +0800, Alex Vong wrote:
>> Tags: security
>>
>> Hello guix,
>>
>> The following patch fixes all CVEs in libarchive. Since updating
>> libarchive would cause > 3000 rebuilds, we graft instead.
>>
>
>> From c8f1c64de45c7a1fefed69d902164f3577aac817 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Sat, 5 Jan 2019 23:20:41 +0800
>> Subject: [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix
>> CVE-2018-{1000877,1000878,1000880}.
>>
>> * gnu/packages/backup.scm (libarchive)[source, home-page]: Use HTTPS.
>> [replacement]: New field.
>> (libarchive-3.3.3): New variable.
>> * gnu/packages/patches/libarchive-CVE-2018-1000877.patch,
>> gnu/packages/patches/libarchive-CVE-2018-1000878.patch,
>> gnu/packages/patches/libarchive-CVE-2018-1000880.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>
> Thanks, this works for me. Please push! :)

Thanks for the review.
Pushed as c824dedf711dc4aa33e005fa291a3aec58a9e2e2!
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXDJ4zwAKCRBh71Au9gJS
8vZKAQCjIVLlMfl65jaNPVJRWlfoSDZULV0s5xl2u7w/tPxOowD/Xe/0qcImW8qX
AqjC6gr53MxWxLYK5C7pU1NG5fUGuQM=
=TZlY
-----END PGP SIGNATURE-----

Closed
L
L
Ludovic Courtès wrote on 7 Jan 2019 10:27
(name . Alex Vong)(address . alexvong1995@gmail.com)
8736q4g6lr.fsf@gnu.org
Hi Alex,

Alex Vong <alexvong1995@gmail.com> skribis:

Toggle quote (14 lines)
> From c8f1c64de45c7a1fefed69d902164f3577aac817 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Sat, 5 Jan 2019 23:20:41 +0800
> Subject: [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix
> CVE-2018-{1000877,1000878,1000880}.
>
> * gnu/packages/backup.scm (libarchive)[source, home-page]: Use HTTPS.
> [replacement]: New field.
> (libarchive-3.3.3): New variable.
> * gnu/packages/patches/libarchive-CVE-2018-1000877.patch,
> gnu/packages/patches/libarchive-CVE-2018-1000878.patch,
> gnu/packages/patches/libarchive-CVE-2018-1000880.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.

LGTM, thank you!

Ludo’.
?