[PATCH] gnu: libarchive: Graft to 3.7.7. [security fixes]

Details
2 participants
  • Liliana Marie Prikler
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Liliana Marie Prikler
Severity
normal
Liliana Marie Prikler wrote on 9 Nov 15:27 +0100
(address . guix-patches@gnu.org)
1ca0c3d9b6423645ebdfda7efbc9376477b07943.1731168409.git.liliana.prikler@gmail.com
* gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
(libarchive/fixed): New variable.

Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
Fixes: NULL pointer dereference [CVE-2022-36227].
---
gnu/packages/backup.scm | 17 +++++++++++++++++
1 file changed, 17 insertions(+)

diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 0973c5ddca..22c1ef64e9 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -262,6 +262,7 @@ (define-public hdup
(define-public libarchive
(package
(name "libarchive")
+ (replacement libarchive/fixed)
(version "3.6.1")
(source
(origin
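Review bot: the `+ (replacement libarchive/fixed)` line makes this a graft rather than an update, so dependents keep their 3.6.1 derivation and only get the 3.7.7 output substituted into their closure at build time; that is only sound if the replacement is ABI-compatible with 3.6.1 and its store file name has the same length as the original's (Guix rewrites store references in place and rejects differing lengths), which `libarchive-3.7.7` does satisfy against `libarchive-3.6.1`. Since 3.6 to 3.7 is a larger jump than the usual graft, the commit message should state that the shared library soname is unchanged between the two versions so reviewers can confirm the graft is safe for existing consumers.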
@@ -351,6 +352,22 @@ (define-public libarchive
@command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
(license license:bsd-2)))
+(define-public libarchive/fixed
+ (package
+ (inherit libarchive)
+ (version "3.7.7")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
+ version ".tar.xz")
+ (string-append "https://github.com/libarchive/libarchive"
+ "/releases/download/v" version "/libarchive-"
+ version ".tar.xz")))
+ (sha256
+ (base32
+ "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7"))))))
+
(define-public rdup
(package
(name "rdup")
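Review bot: `+(define-public libarchive/fixed` exports the replacement as a public binding, which nothing needs, since it is only reached through the `replacement` field of `libarchive`; a plain `(define libarchive/fixed` keeps it private to the module. Separately, the new `origin` carries only a `sha256`, so it is worth recording in the commit message that the hash was checked against the upstream release (for example by running `guix download` on the same `.tar.xz` URL and comparing the signed release), since a security graft reaches every dependent without a rebuild and a wrong or mirrored tarball would be picked up just as silently.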

base-commit: 2a6d96425eea57dc6dd48a2bec16743046e32e06
prerequisite-patch-id: ecae21ac778a87cc06da1605938183a6d068b4e0
prerequisite-patch-id: 556d0786c44ebcc378f5a35ba582d6b3c98d44a2
prerequisite-patch-id: 13d32cd5a82d8f7092c058d31369dbeda68dc472
prerequisite-patch-id: 9e85b59d6e53ffb000d6e3f9fe2d317190a9cd97
prerequisite-patch-id: df8a3ab92c9a09f631eb1d4fd109813ba6a79ab9
prerequisite-patch-id: dcffb45b7cd5a54797227bb7b92c528dddd5c7a2
--
2.46.0
Maxim Cournoyer wrote on 12 Nov 12:32 +0100
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 74283-done@debbugs.gnu.org)
878qto661p.fsf@gmail.com
Hi,

Liliana Marie Prikler <liliana.prikler@gmail.com> writes:

> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].

Pushed with a6dab6e915! Thank you.

--
Thanks,
Maxim
Closed
Maxim Cournoyer wrote on 13 Nov 03:56 +0100
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 74283-done@debbugs.gnu.org)
877c97265l.fsf@gmail.com
Hi Liliana,

Liliana Marie Prikler <liliana.prikler@gmail.com> writes:

> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].

Seems serious.

> ---
> gnu/packages/backup.scm | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
> index 0973c5ddca..22c1ef64e9 100644
> --- a/gnu/packages/backup.scm
> +++ b/gnu/packages/backup.scm
> @@ -262,6 +262,7 @@ (define-public hdup
> (define-public libarchive
> (package
> (name "libarchive")
> + (replacement libarchive/fixed)
> (version "3.6.1")
> (source
> (origin
> @@ -351,6 +352,22 @@ (define-public libarchive
> @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
> (license license:bsd-2)))
>
> +(define-public libarchive/fixed

The replacement doesn't need to be exposed itself to users/api. I'd
drop the '-public' part.

I've pushed it already, but will adjust to drop the public part later.

--
Thanks,
Maxim
Closed