GNU bug report logs

#33988 [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix CVE-2018-{1000877, 1000878, 1000880}.


Message #13 received at 33988-done@debbugs.gnu.org (full text, mbox, reply):

Received: (at 33988-done) by debbugs.gnu.org; 6 Jan 2019 21:53:39 +0000
From: Alex Vong <alexvong1995@gmail.com>
To: 33988-done@debbugs.gnu.org
Subject: Re: [bug#33988] [PATCH] gnu: libarchive: Replace with libarchive
 3.3.3 and fix CVE-2018-{1000877, 1000878, 1000880}.
In-Reply-To: <20190106181638.GA18341@jasmine.lan> (Leo Famulari's message of
 "Sun, 6 Jan 2019 13:16:38 -0500")
References: <87pntbw120.fsf@gmail.com> <20190106181638.GA18341@jasmine.lan>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Date: Mon, 07 Jan 2019 05:53:19 +0800
Message-ID: <87va31pi5s.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
Cc: alexvong1995@gmail.com, Leo Famulari <leo@famulari.name>
[Message part 1 (text/plain, inline)]
Leo Famulari <leo@famulari.name> writes:

> On Sat, Jan 05, 2019 at 11:56:23PM +0800, Alex Vong wrote:
>> Tags: security
>> 
>> Hello guix,
>> 
>> The following patch fixes all CVEs in libarchive. Since updating
>> libarchive would cause > 3000 rebuilds, we graft instead.
>> 
>
>> From c8f1c64de45c7a1fefed69d902164f3577aac817 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Sat, 5 Jan 2019 23:20:41 +0800
>> Subject: [PATCH] gnu: libarchive: Replace with libarchive 3.3.3 and fix
>>  CVE-2018-{1000877,1000878,1000880}.
>> 
>> * gnu/packages/backup.scm (libarchive)[source, home-page]: Use HTTPS.
>> [replacement]: New field.
>> (libarchive-3.3.3): New variable.
>> * gnu/packages/patches/libarchive-CVE-2018-1000877.patch,
>> gnu/packages/patches/libarchive-CVE-2018-1000878.patch,
>> gnu/packages/patches/libarchive-CVE-2018-1000880.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>
> Thanks, this works for me. Please push! :)

Thanks for the review.
Pushed as c824dedf711dc4aa33e005fa291a3aec58a9e2e2!
[signature.asc (application/pgp-signature, inline)]

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 11:44:45 2024; Machine Name: wallace-server
