GNU bug report logs

#47422 tar is vulnerable to CVE-2021-20193


Message #22 received at 47422@debbugs.gnu.org:

Message-ID: <82db7b68b4e9cc3037122cc45678f04eac97d810.camel@telenet.be>
Subject: Re: bug#47422: tar is vulnerable to CVE-2021-20193
From: Maxime Devos <maximedevos@telenet.be>
To: Leo Famulari <leo@famulari.name>, 47422@debbugs.gnu.org
Date: Fri, 05 Nov 2021 16:50:42 +0000
In-Reply-To: <YYVakIUhmYGjGLvW@jasmine.lan>

Leo Famulari wrote on Fri 05-11-2021 at 12:23 [-0400]:
> On Fri, Nov 05, 2021 at 05:14:13AM +0000, phodina via Bug reports for
> GNU Guix wrote:
> > here's patch for the master branch as I'm not sure what is the
> > roadmap for merging core-updates into master.
> > 
> > The obvious downside is that the update triggers large rebuild of
> > core packages :-/
> 
> [...]
>
> "This flaw allows an attacker who can submit a crafted input file to tar
> to cause uncontrolled consumption of memory. The highest threat from
> this vulnerability is to system availability."
>
> [...]
> 
> For use of tar by Guix users, we could add a new package 'tar-1.34' and
> arrange so that `guix install tar` selects it instead of tar@1.32, and
> so that whatever tar is provided by default on Guix System [1] is
> tar-1.34.

I don't think this is sufficient, because some packages keep
references to 'tar', e.g. 'hdup'. A solution would be registering
the updated tar as a replacement of the somewhat vulnerable tar:

(define-public tar
  (package
    (name "tar")
    (version "1.32")
    ;; Tell Guix to graft tar/fixed onto everything that depends on
    ;; this package instead of rebuilding those dependents.
    (replacement tar/fixed)
    ...))

(define-public tar/fixed
  (package
    (inherit tar)          ; same fields as tar, except those overridden below
    (version "1.34")
    (source ...)))

Greetings,
Maxime.
-- 
not hacking on guix for a while, only occasionally looking at IRC logs
and bug reports.  E-mails are unsigned until backup is located.
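The sketch in the message above, written out as a complete Guix package module. This is an added example, not Maxime's code and not Guix's actual tar definition; the module name is hypothetical and the two all-zero hashes are placeholders for the real tarball hashes.

```scheme
;; Added example (not from the bug report or from Guix itself): a full module
;; in the shape Guix expects, showing the 'replacement' (graft) pattern.
;; Module name is hypothetical; both base32 hashes are placeholders.
(define-module (gnu packages tar-graft-example)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module (guix licenses))

(define-public tar
  (package
    (name "tar")
    (version "1.32")
    ;; Dependents such as 'hdup' keep referring to this package.  The
    ;; 'replacement' field makes Guix graft tar/fixed onto them instead of
    ;; rebuilding everything that depends on tar.  The field is thunked,
    ;; so the forward reference to tar/fixed below is fine.
    (replacement tar/fixed)
    (source (origin
              (method url-fetch)
              ;; 'version' here is this package's own version, "1.32".
              (uri (string-append "mirror://gnu/tar/tar-" version ".tar.xz"))
              (sha256
               ;; PLACEHOLDER, not the real hash of tar-1.32.tar.xz.
               (base32 "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (synopsis "Managing tar archives")
    (description "GNU Tar creates and manipulates tar archives.")
    (home-page "https://www.gnu.org/software/tar/")
    (license gpl3+)))

(define-public tar/fixed
  (package
    (inherit tar)        ; copy every field of 'tar' ...
    (version "1.34")     ; ... then override the version ...
    ;; ... and the source.  'version' inside this 'origin' resolves to
    ;; "1.34".  The 'replacement' field is innate (not inherited), so
    ;; tar/fixed does not end up replacing itself.  Grafting rewrites store
    ;; path strings in place, so the replacement's store file name must be
    ;; the same length as the original's: "tar-1.34" matches "tar-1.32".
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/tar/tar-" version ".tar.xz"))
              (sha256
               ;; PLACEHOLDER, not the real hash of tar-1.34.tar.xz.
               (base32 "0000000000000000000000000000000000000000000000000000"))))))
```

To check that the graft takes effect, compare `guix build tar` (grafted output) with `guix build --no-grafts tar` (the unmodified 1.32 build).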

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 10:22:47 2024; Machine Name: wallace-server