Date: Fri, 5 Nov 2021 12:23:44 -0400
From: Leo Famulari
To: phodina via Bug reports for GNU Guix
Cc: 47422@debbugs.gnu.org
Subject: Re: bug#47422: tar is vulnerable to CVE-2021-20193
References: <520e2097011aae1bfd9c20278e27e25813517b42.camel@zaclys.net>
On Fri, Nov 05, 2021 at 05:14:13AM +0000, phodina via Bug reports for GNU Guix wrote:
> here's a patch for the master branch as I'm not sure what is the roadmap for merging core-updates into master.
>
> The obvious downside is that the update triggers a large rebuild of core packages :-/

Right, it's not feasible to apply this patch on the master branch, for that reason. And, it would not only require rebuilding core packages, but every single package, if I understand correctly.

For Guix's internal use of tar, it seems that CVE-2021-20193 [0] is not a problem:

"This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability."

When tar is used by Guix to unpack an upstream tarball, a Guix developer has already tested that it's possible to unpack the tarball without making the system unavailable. And Guix checks the source hash before unpacking the tarball.

Does this evaluation seem correct?

For use of tar by Guix users, we could add a new package 'tar-1.34' and arrange so that `guix install tar` selects it instead of tar@1.32, and so that whatever tar is provided by default on Guix System [1] is tar-1.34. And we would also take care to properly undo this workaround on the core-updates branch.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20193
[1] I *think* that is handled by ((gnu system) %base-packages-utils)
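The argument above rests on one control: the archive's hash is checked against the value recorded in the package's origin before tar ever sees the bytes, so a crafted tarball can only reach tar if the recorded hash itself were replaced. The following Python, added here as an illustration and not code from Guix or from this thread, models that gate in isolation: it constructs a small tarball in memory (sample data, not a real upstream release), verifies its SHA-256 against an expected value with a constant-time compare, and only then opens the archive. On a mismatch it raises before any extraction starts, which is the behaviour that matters for a denial-of-service bug in the extractor. The function names and the sample archive are this example's own.

```python
import hashlib
import hmac
import io
import tarfile


def build_sample_tarball() -> bytes:
    """Construct a small, well-formed .tar.gz in memory.

    This is constructed sample data standing in for an upstream release
    tarball; it is not any real project's source.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"int main(void) { return 0; }\n"
        info = tarfile.TarInfo(name="hello-1.0/main.c")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the archive bytes, i.e. the value a package origin would record."""
    return hashlib.sha256(data).hexdigest()


class HashMismatch(Exception):
    """Raised when the fetched archive does not match the recorded hash."""


def verify_then_unpack(tar_bytes: bytes, expected_sha256: str) -> list[str]:
    """Hand the archive to the tar reader only after its hash has been verified.

    Returns the member names of the archive. If the hash does not match,
    HashMismatch is raised and the archive is never parsed, so a crafted
    input cannot trigger extractor bugs such as uncontrolled memory use.
    """
    actual = sha256_hex(tar_bytes)
    # Constant-time comparison; the expected value is normalised to lowercase hex.
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        raise HashMismatch(
            f"sha256 mismatch: expected {expected_sha256}, got {actual}; refusing to unpack"
        )
    # Only reached for content that matches the recorded hash.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        return [member.name for member in tar.getmembers()]


if __name__ == "__main__":
    archive = build_sample_tarball()
    recorded = sha256_hex(archive)          # what the package definition would pin
    print("members:", verify_then_unpack(archive, recorded))
    try:
        verify_then_unpack(archive, "0" * 64)  # simulate a tampered or mis-pinned archive
    except HashMismatch as exc:
        print("rejected:", exc)
```

Note that the gate protects only inputs that pass through it: a user running `guix install tar` and extracting arbitrary archives from elsewhere gets no such check, which is why the message treats the internal build use and the user-facing package separately.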