GNU bug report logs

#47422 tar is vulnerable to CVE-2021-20193

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #28 received at 47422@debbugs.gnu.org (full text, mbox, reply):

Received: (at 47422) by debbugs.gnu.org; 6 Nov 2021 18:15:00 +0000
From debbugs-submit-bounces@debbugs.gnu.org Sat Nov 06 14:15:00 2021
Received: from localhost ([127.0.0.1]:50522 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1mjQDT-0003rG-PH
	for submit@debbugs.gnu.org; Sat, 06 Nov 2021 14:14:59 -0400
Received: from world.peace.net ([64.112.178.59]:34534)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mhw@netris.org>) id 1mjQDR-0003r2-QS
 for 47422@debbugs.gnu.org; Sat, 06 Nov 2021 14:14:58 -0400
Received: from mhw by world.peace.net with esmtpsa
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mhw@netris.org>)
 id 1mjQDL-0004Bj-Dh; Sat, 06 Nov 2021 14:14:51 -0400
From: Mark H Weaver <mhw@netris.org>
To: Maxime Devos <maximedevos@telenet.be>, Leo Famulari <leo@famulari.name>,
 47422@debbugs.gnu.org
Subject: Re: bug#47422: tar is vulnerable to CVE-2021-20193
In-Reply-To: <8735oauzmx.fsf@netris.org>
References: <520e2097011aae1bfd9c20278e27e25813517b42.camel@zaclys.net>
 <ysdJZxCdgMKsc9Tq-LKYLg_OgwwdXBljXBYTzfupOKMOshTTI34ijmXx0D8acxWF7OYW9NFXOLFLOVuV-NT-T3IyIjxCU0RboaItON_XjFY=@protonmail.com>
 <YYVakIUhmYGjGLvW@jasmine.lan>
 <82db7b68b4e9cc3037122cc45678f04eac97d810.camel@telenet.be>
 <8735oauzmx.fsf@netris.org>
Date: Sat, 06 Nov 2021 14:12:52 -0400
Message-ID: <8735o9b1a8.fsf@netris.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 47422
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

[Message part 1 (text/plain, inline)]
Hi,

Here's a proposed fix, which I've tested on my own system.
Are there any objections to pushing this to 'master'?

      Thanks,
        Mark


[0001-gnu-tar-Replace-with-1.34-fixes-CVE-2021-20193.patch (text/x-patch, inline)]
From 5737b91e9979c7df2a76b033f38871c2326ab0f1 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 6 Nov 2021 05:52:24 -0400
Subject: [PATCH] gnu: tar: Replace with 1.34 [fixes CVE-2021-20193].

* gnu/packages/base.scm (tar)[replacement]: New field.
(tar-1.34): New variable.
---
 gnu/packages/base.scm | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index ea2e102c15..77731d3720 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -180,6 +180,7 @@ implementation offers several extensions over the standard utility.")
   (package
    (name "tar")
    (version "1.32")
+   (replacement tar-1.34)
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/tar/tar-"
@@ -234,6 +235,21 @@ standard utility.")
    (license gpl3+)
    (home-page "https://www.gnu.org/software/tar/")))
 
+(define-public tar-1.34  ; fixes CVE-2021-20193
+  (package
+    (inherit tar)
+    (version "1.34")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnu/tar/tar-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "0a0x87anh9chbi2cgcyy7pmnm5hzk4yd1w2j8gm1wplwhwkbvgk3"))
+              (patches
+               (search-patches "tar-skip-unreliable-tests.patch"
+                               "tar-remove-wholesparse-check.patch"))))))
+
 (define-public patch
   (package
    (name "patch")
-- 
2.31.1


[Message part 3 (text/plain, inline)]
-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 09:59:09 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.