GNU bug report logs

#47422 tar is vulnerable to CVE-2021-20193


Message #25 received at 47422@debbugs.gnu.org:

From: Mark H Weaver <mhw@netris.org>
To: Maxime Devos <maximedevos@telenet.be>, Leo Famulari <leo@famulari.name>,
 47422@debbugs.gnu.org
Subject: Re: bug#47422: tar is vulnerable to CVE-2021-20193
In-Reply-To: <82db7b68b4e9cc3037122cc45678f04eac97d810.camel@telenet.be>
References: <520e2097011aae1bfd9c20278e27e25813517b42.camel@zaclys.net>
 <ysdJZxCdgMKsc9Tq-LKYLg_OgwwdXBljXBYTzfupOKMOshTTI34ijmXx0D8acxWF7OYW9NFXOLFLOVuV-NT-T3IyIjxCU0RboaItON_XjFY=@protonmail.com>
 <YYVakIUhmYGjGLvW@jasmine.lan>
 <82db7b68b4e9cc3037122cc45678f04eac97d810.camel@telenet.be>
Date: Fri, 05 Nov 2021 16:15:55 -0400
Message-ID: <8735oauzmx.fsf@netris.org>

Hi Maxime,

Maxime Devos <maximedevos@telenet.be> writes:

> Leo Famulari wrote on Fri 05-11-2021 at 12:23 [-0400]:
>> For use of tar by Guix users, we could add a new package 'tar-1.34'
>> and arrange so that `guix install tar` selects it instead of
>> tar@1.32, and so that whatever tar is provided by default on Guix
>> System [1] is tar-1.34.
>
> I don't think this is sufficient, because some packages keep
> references to 'tar', e.g. 'hdup'. A solution would be registering
> the updated tar as a replacement of the somewhat vulnerable tar:

I think this is the better approach.  Leo's analysis is correct, but
there are a few problems:

(1) I guess that most Guix users don't install 'tar' manually, but
    rather depend on the fact that 'tar' is included in %base-packages,
    which references 'tar' by its variable name.

(2) Even for users who explicitly ask for 'tar', if they reference it by
    its variable name, they would still get the vulnerable version.
    That includes users (such as myself) who manage their profiles
    declaratively, i.e. using "guix package --manifest".

(3) As Maxime pointed out, it's possible that some packages might retain
    a reference to 'tar' to be used at runtime.

However, someone would need to test to make sure that after grafting
'tar', they can successfully rebuild their system and boot into it.
Hopefully the code in 'commencement' deals properly with a grafted
'tar', but that should be checked.

I won't be able to work on this today, so hopefully someone else can
take care of it.  Otherwise, I'll do it tomorrow.

      Thanks!
        Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.
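The graft that Maxime and Mark discuss is expressed in Guix through the `replacement` field of a package record. The sketch below is an added illustration of that mechanism, not the patch the Guix project actually committed for this bug: the module name, the `tar/fixed` variable name and the source hashes are placeholders, and the only facts taken from the thread are the versions (1.32 vulnerable, 1.34 fixed).

```scheme
;; Illustrative sketch of grafting a fixed tar over the vulnerable one.
;; Not the Guix project's own change; module name, variable names and
;; hashes are placeholders.
(define-module (gnu packages base-example)   ; hypothetical module name
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

(define-public tar
  (package
    (name "tar")
    (version "1.32")                          ; the vulnerable release
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/tar/tar-" version ".tar.xz"))
              (sha256
               (base32 "PLACEHOLDER-hash-of-tar-1.32.tar.xz"))))
    (build-system gnu-build-system)
    ;; The graft: anything whose closure references this 'tar' variable,
    ;; including %base-packages and packages that keep a runtime reference
    ;; to tar, has its store references rewritten to 'tar/fixed' at the
    ;; end of the build, without rebuilding the dependents themselves.
    (replacement tar/fixed)
    (synopsis "Managing tar archives")
    (description "GNU Tar provides the ability to create tar archives.")
    (home-page "https://www.gnu.org/software/tar/")
    (license license:gpl3+)))

(define-public tar/fixed                      ; hypothetical name
  (package
    (inherit tar)
    (version "1.34")                          ; release with the CVE fix
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/tar/tar-" version ".tar.xz"))
              (sha256
               (base32 "PLACEHOLDER-hash-of-tar-1.34.tar.xz"))))))
```

Two checks a practitioner would want before relying on this: grafting rewrites store file names in place, so Guix requires the replacement's store name to be the same length as the original's (here `tar-1.32` and `tar-1.34` satisfy that), and the graft can be confirmed to take effect by comparing the output of `guix build tar` with `guix build --no-grafts tar`, which yield different store paths once the replacement is registered.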
debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 09:59:17 2024; Machine Name: wallace-server