From 629614c7a3f9283306939402f1ff46914f327c21 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sun, 31 Mar 2024 16:28:43 -0400 Subject: gnu: libarchive: Fix a potential security issue. https://github.com/libarchive/libarchive/pull/2101 * gnu/packages/backup.scm (libarchive)[replacement]: New field. (libarchive/fixed): New variable. * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Change-Id: I939e9b842b10d1a78125da4a4599c38d9c037079 --- gnu/local.mk | 1 + gnu/packages/backup.scm | 20 +++++++++ .../libarchive-remove-potential-backdoor.patch | 47 ++++++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index f2b480bded..68c6851402 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1575,6 +1575,7 @@ dist_patch_DATA = \ %D%/packages/patches/liba52-use-mtune-not-mcpu.patch \ %D%/packages/patches/libaio-32bit-test.patch \ %D%/packages/patches/libaio-riscv-test5.patch \ + %D%/packages/patches/libarchive-remove-potential-backdoor.patch \ %D%/packages/patches/libbase-fix-includes.patch \ %D%/packages/patches/libbase-use-own-logging.patch \ %D%/packages/patches/libbonobo-activation-test-race.patch \ diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index 4fa39b741c..affd659fad 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm @@ -259,6 +259,7 @@ backups (called chunks) to allow easy burning to CD/DVD.") (define-public libarchive (package (name "libarchive") + (replacement libarchive/fixed) (version "3.6.1") (source (origin @@ -347,6 +348,25 @@ random access nor for in-place modification. This package provides the @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.") (license license:bsd-2))) +(define-public libarchive/fixed + (hidden-package + (package + (inherit libarchive) + (version "3.6.1") + (source + (origin + (method url-fetch) + (uri (list (string-append "https://libarchive.org/downloads/libarchive-" + version ".tar.xz") + (string-append "https://github.com/libarchive/libarchive" + "/releases/download/v" version "/libarchive-" + version ".tar.xz"))) + (patches (search-patches "libarchive-remove-potential-backdoor.patch")) + (sha256 + (base32 + "1rj8q5v26lxxr8x4b4nqbrj7p06qvl91hb8cdxi3xx3qp771lhas"))))))) + + (define-public rdup (package (name "rdup") diff --git a/gnu/packages/patches/libarchive-remove-potential-backdoor.patch b/gnu/packages/patches/libarchive-remove-potential-backdoor.patch new file mode 100644 index 0000000000..2b9a9e2ffe --- /dev/null +++ b/gnu/packages/patches/libarchive-remove-potential-backdoor.patch @@ -0,0 +1,47 @@ +Remove code added by 'JiaT75', the malicious actor that backdoored `xz`: + +https://github.com/libarchive/libarchive/pull/2101 + +At libarchive, they are reviewing all code contributed by this actor: + +https://github.com/libarchive/libarchive/issues/2103 + +See the original disclosure and subsequent discussion for more +information about this incident: + +https://seclists.org/oss-sec/2024/q1/268 + +Patch copied from upstream source repository: + +https://github.com/libarchive/libarchive/pull/2101/commits/e200fd8abfb4cf895a1cab4d89b67e6eefe83942 + +From 6110e9c82d8ba830c3440f36b990483ceaaea52c Mon Sep 17 00:00:00 2001 +From: Ed Maste +Date: Fri, 29 Mar 2024 18:02:06 -0400 +Subject: [PATCH] tar: make error reporting more robust and use correct errno + (#2101) + +As discussed in #1609. +--- + tar/read.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tar/read.c b/tar/read.c +index af3d3f42..a7f14a07 100644 +--- a/tar/read.c ++++ b/tar/read.c +@@ -371,8 +371,9 @@ read_archive(struct bsdtar *bsdtar, char mode, struct archive *writer) + if (r != ARCHIVE_OK) { + if (!bsdtar->verbose) + safe_fprintf(stderr, "%s", archive_entry_pathname(entry)); +- fprintf(stderr, ": %s: ", archive_error_string(a)); +- fprintf(stderr, "%s", strerror(errno)); ++ safe_fprintf(stderr, ": %s: %s", ++ archive_error_string(a), ++ strerror(archive_errno(a))); + if (!bsdtar->verbose) + fprintf(stderr, "\n"); + bsdtar->return_value = 1; +-- +2.41.0 + -- cgit v1.2.3