mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
gnu: libarchive: Fix a potential security issue.
https://github.com/libarchive/libarchive/pull/2101 * gnu/packages/backup.scm (libarchive)[replacement]: New field. (libarchive/fixed): New variable. * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Change-Id: I939e9b842b10d1a78125da4a4599c38d9c037079
This commit is contained in:
parent
9b560fee23
commit
629614c7a3
3 changed files with 68 additions and 0 deletions
|
@ -1575,6 +1575,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/liba52-use-mtune-not-mcpu.patch \
|
||||
%D%/packages/patches/libaio-32bit-test.patch \
|
||||
%D%/packages/patches/libaio-riscv-test5.patch \
|
||||
%D%/packages/patches/libarchive-remove-potential-backdoor.patch \
|
||||
%D%/packages/patches/libbase-fix-includes.patch \
|
||||
%D%/packages/patches/libbase-use-own-logging.patch \
|
||||
%D%/packages/patches/libbonobo-activation-test-race.patch \
|
||||
|
|
|
@ -259,6 +259,7 @@ (define-public hdup
|
|||
(define-public libarchive
|
||||
(package
|
||||
(name "libarchive")
|
||||
(replacement libarchive/fixed)
|
||||
(version "3.6.1")
|
||||
(source
|
||||
(origin
|
||||
|
@ -347,6 +348,25 @@ (define-public libarchive
|
|||
@command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
|
||||
(license license:bsd-2)))
|
||||
|
||||
(define-public libarchive/fixed
|
||||
(hidden-package
|
||||
(package
|
||||
(inherit libarchive)
|
||||
(version "3.6.1")
|
||||
(source
|
||||
(origin
|
||||
(method url-fetch)
|
||||
(uri (list (string-append "https://libarchive.org/downloads/libarchive-"
|
||||
version ".tar.xz")
|
||||
(string-append "https://github.com/libarchive/libarchive"
|
||||
"/releases/download/v" version "/libarchive-"
|
||||
version ".tar.xz")))
|
||||
(patches (search-patches "libarchive-remove-potential-backdoor.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"1rj8q5v26lxxr8x4b4nqbrj7p06qvl91hb8cdxi3xx3qp771lhas")))))))
|
||||
|
||||
|
||||
(define-public rdup
|
||||
(package
|
||||
(name "rdup")
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
Remove code added by 'JiaT75', the malicious actor that backdoored `xz`:
|
||||
|
||||
https://github.com/libarchive/libarchive/pull/2101
|
||||
|
||||
At libarchive, they are reviewing all code contributed by this actor:
|
||||
|
||||
https://github.com/libarchive/libarchive/issues/2103
|
||||
|
||||
See the original disclosure and subsequent discussion for more
|
||||
information about this incident:
|
||||
|
||||
https://seclists.org/oss-sec/2024/q1/268
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://github.com/libarchive/libarchive/pull/2101/commits/e200fd8abfb4cf895a1cab4d89b67e6eefe83942
|
||||
|
||||
From 6110e9c82d8ba830c3440f36b990483ceaaea52c Mon Sep 17 00:00:00 2001
|
||||
From: Ed Maste <emaste@freebsd.org>
|
||||
Date: Fri, 29 Mar 2024 18:02:06 -0400
|
||||
Subject: [PATCH] tar: make error reporting more robust and use correct errno
|
||||
(#2101)
|
||||
|
||||
As discussed in #1609.
|
||||
---
|
||||
tar/read.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tar/read.c b/tar/read.c
|
||||
index af3d3f42..a7f14a07 100644
|
||||
--- a/tar/read.c
|
||||
+++ b/tar/read.c
|
||||
@@ -371,8 +371,9 @@ read_archive(struct bsdtar *bsdtar, char mode, struct archive *writer)
|
||||
if (r != ARCHIVE_OK) {
|
||||
if (!bsdtar->verbose)
|
||||
safe_fprintf(stderr, "%s", archive_entry_pathname(entry));
|
||||
- fprintf(stderr, ": %s: ", archive_error_string(a));
|
||||
- fprintf(stderr, "%s", strerror(errno));
|
||||
+ safe_fprintf(stderr, ": %s: %s",
|
||||
+ archive_error_string(a),
|
||||
+ strerror(archive_errno(a)));
|
||||
if (!bsdtar->verbose)
|
||||
fprintf(stderr, "\n");
|
||||
bsdtar->return_value = 1;
|
||||
--
|
||||
2.41.0
|
||||
|
Loading…
Reference in a new issue