(address . guix-patches@gnu.org)
* gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
(libarchive/fixed): New variable.
Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
Fixes: NULL pointer dereference [CVE-2022-36227].
---
gnu/packages/backup.scm | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
Toggle diff (45 lines)
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 0973c5ddca..22c1ef64e9 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -262,6 +262,7 @@ (define-public hdup
(define-public libarchive
(package
(name "libarchive")
+ (replacement libarchive/fixed)
(version "3.6.1")
(source
(origin
@@ -351,6 +352,22 @@ (define-public libarchive
@command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
(license license:bsd-2)))
+(define-public libarchive/fixed
+ (package
+ (inherit libarchive)
+ (version "3.7.7")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
+ version ".tar.xz")
+ (string-append "https://github.com/libarchive/libarchive"
+ "/releases/download/v" version "/libarchive-"
+ version ".tar.xz")))
+ (sha256
+ (base32
+ "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7"))))))
+
(define-public rdup
(package
(name "rdup")
base-commit: 2a6d96425eea57dc6dd48a2bec16743046e32e06
prerequisite-patch-id: ecae21ac778a87cc06da1605938183a6d068b4e0
prerequisite-patch-id: 556d0786c44ebcc378f5a35ba582d6b3c98d44a2
prerequisite-patch-id: 13d32cd5a82d8f7092c058d31369dbeda68dc472
prerequisite-patch-id: 9e85b59d6e53ffb000d6e3f9fe2d317190a9cd97
prerequisite-patch-id: df8a3ab92c9a09f631eb1d4fd109813ba6a79ab9
prerequisite-patch-id: dcffb45b7cd5a54797227bb7b92c528dddd5c7a2
--
2.46.0