[PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix CVE-2018-{1000877, 1000878, 1000880}.

Status: Done
Details
3 participants
  • Alex Vong
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Alex Vong
Severity
normal
Alex Vong wrote on 5 Jan 2019 16:56
(address . guix-patches@gnu.org)
87pntbw120.fsf@gmail.com
Tags: security

Hello guix,

The following patch fixes all CVEs in libarchive. Since updating
libarchive would cause > 3000 rebuilds, we graft instead.
Cheers,
Alex
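The grafting approach mentioned above, written out as an added example in Guix's package language (this is illustrative code, not the contents of the actual commit): the existing package gets a `replacement` field pointing at a patched 3.3.3 package that inherits everything else from it, so the >3000 dependents keep their existing builds and only get their store references rewritten. The base version 3.3.2, the download URL, the synopsis/description/licence fields and the hashes are assumptions or placeholders; the patch file names are the ones listed in the commit message.

```scheme
;; Added example of a Guix graft; not the code from commit c824dedf.
(define-module (gnu packages backup)          ; assumed module, matching backup.scm
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages))                ; provides search-patches

(define-public libarchive
  (package
    (name "libarchive")
    (version "3.3.2")                         ; assumed: the version being grafted
    ;; The graft: anything depending on this package is served the
    ;; replacement below without being rebuilt itself.
    (replacement libarchive-3.3.3)
    (source (origin
              (method url-fetch)
              (uri (string-append "https://libarchive.org/downloads/libarchive-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000")))) ; placeholder
    (build-system gnu-build-system)
    (home-page "https://libarchive.org/")
    (synopsis "Multi-format archive and compression library")   ; assumed text
    (description "Libarchive reads and writes many archive and compression
formats through one interface.")                               ; assumed text
    (license license:bsd-2)))

;; The replacement inherits the whole definition and changes only version,
;; source and patches.  Grafting rewrites /gnu/store/... paths in place, so
;; the replacement's store file name must keep the same length as the
;; original's: "libarchive-3.3.2" and "libarchive-3.3.3" satisfy that.
(define libarchive-3.3.3
  (package
    (inherit libarchive)
    (version "3.3.3")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://libarchive.org/downloads/libarchive-"
                                  version ".tar.gz"))
              (patches (search-patches "libarchive-CVE-2018-1000877.patch"
                                       "libarchive-CVE-2018-1000878.patch"
                                       "libarchive-CVE-2018-1000880.patch"))
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000")))))) ; placeholder
```

A graft only helps if the replacement stays ABI-compatible with the original, which is why a same-series bug-fix release plus the CVE patches is the usual shape of one.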

Leo Famulari wrote on 6 Jan 2019 19:16
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 33988@debbugs.gnu.org)
20190106181638.GA18341@jasmine.lan
On Sat, Jan 05, 2019 at 11:56:23PM +0800, Alex Vong wrote:
> Tags: security
>
> Hello guix,
>
> The following patch fixes all CVEs in libarchive. Since updating
> libarchive would cause > 3000 rebuilds, we graft instead.
>

> From c8f1c64de45c7a1fefed69d902164f3577aac817 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Sat, 5 Jan 2019 23:20:41 +0800
> Subject: [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix
> CVE-2018-{1000877,1000878,1000880}.
>
> * gnu/packages/backup.scm (libarchive)[source, home-page]: Use HTTPS.
> [replacement]: New field.
> (libarchive-3.3.3): New variable.
> * gnu/packages/patches/libarchive-CVE-2018-1000877.patch,
> gnu/packages/patches/libarchive-CVE-2018-1000878.patch,
> gnu/packages/patches/libarchive-CVE-2018-1000880.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.

Thanks, this works for me. Please push! :)


Alex Vong wrote on 6 Jan 2019 22:53
(address . 33988-done@debbugs.gnu.org)
87va31pi5s.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

> On Sat, Jan 05, 2019 at 11:56:23PM +0800, Alex Vong wrote:
>> Tags: security
>>
>> Hello guix,
>>
>> The following patch fixes all CVEs in libarchive. Since updating
>> libarchive would cause > 3000 rebuilds, we graft instead.
>>
>
>> From c8f1c64de45c7a1fefed69d902164f3577aac817 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Sat, 5 Jan 2019 23:20:41 +0800
>> Subject: [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix
>> CVE-2018-{1000877,1000878,1000880}.
>>
>> * gnu/packages/backup.scm (libarchive)[source, home-page]: Use HTTPS.
>> [replacement]: New field.
>> (libarchive-3.3.3): New variable.
>> * gnu/packages/patches/libarchive-CVE-2018-1000877.patch,
>> gnu/packages/patches/libarchive-CVE-2018-1000878.patch,
>> gnu/packages/patches/libarchive-CVE-2018-1000880.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>
> Thanks, this works for me. Please push! :)

Thanks for the review.
Pushed as c824dedf711dc4aa33e005fa291a3aec58a9e2e2!

Closed
Ludovic Courtès wrote on 7 Jan 2019 10:27
(name . Alex Vong)(address . alexvong1995@gmail.com)
8736q4g6lr.fsf@gnu.org
Hi Alex,

Alex Vong <alexvong1995@gmail.com> writes:

> From c8f1c64de45c7a1fefed69d902164f3577aac817 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Sat, 5 Jan 2019 23:20:41 +0800
> Subject: [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix
> CVE-2018-{1000877,1000878,1000880}.
>
> * gnu/packages/backup.scm (libarchive)[source, home-page]: Use HTTPS.
> [replacement]: New field.
> (libarchive-3.3.3): New variable.
> * gnu/packages/patches/libarchive-CVE-2018-1000877.patch,
> gnu/packages/patches/libarchive-CVE-2018-1000878.patch,
> gnu/packages/patches/libarchive-CVE-2018-1000880.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.

LGTM, thank you!

Ludo’.