Leo Famulari writes: > On Sat, Jan 05, 2019 at 11:56:23PM +0800, Alex Vong wrote: >> Tags: security >> >> Hello guix, >> >> The following patch fixes all CVEs in libarchive. Since updating >> libarchive would cause > 3000 rebuilds, we graft instead. >> > >> From c8f1c64de45c7a1fefed69d902164f3577aac817 Mon Sep 17 00:00:00 2001 >> From: Alex Vong >> Date: Sat, 5 Jan 2019 23:20:41 +0800 >> Subject: [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix >> CVE-2018-{1000877,1000878,1000880}. >> >> * gnu/packages/backup.scm (libarchive)[source, home-page]: Use HTTPS. >> [replacement]: New field. >> (libarchive-3.3.3): New variable. >> * gnu/packages/patches/libarchive-CVE-2018-1000877.patch, >> gnu/packages/patches/libarchive-CVE-2018-1000878.patch, >> gnu/packages/patches/libarchive-CVE-2018-1000880.patch: New files. >> * gnu/local.mk (dist_patch_DATA): Add them. > > Thanks, this works for me. Please push! :) Thanks for the review. Pushed as c824dedf711dc4aa33e005fa291a3aec58a9e2e2!