GNU bug report logs

#70113 [PATCH 1/1] gnu: libarchive: Fix a potential security issue.


Message #10 received at 70113@debbugs.gnu.org:

Date: Sun, 31 Mar 2024 16:51:16 -0400
From: Leo Famulari <leo@famulari.name>
To: 70113@debbugs.gnu.org
Subject: SECURITY: Xz backdoor / JiaT75 cleanup for libarchive
Message-ID: <ZgnMxDxsDkjr-mEa@jasmine.lan>
The malicious actor that attacked Xz was also active in the libarchive
codebase:

https://github.com/libarchive/libarchive/issues/2103

This patch cherry-picks a fix for a potential vulnerability added by
this entity. The patch file includes annotations.

Please test with packages that directly use libarchive! For example:

------
$ ./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name,synopsis,location 
name: dwarfs
synopsis: Fast high compression read-only file system  
location: gnu/packages/file-systems.scm:2106:2

name: patool
synopsis: Portable archive file manager  
location: gnu/packages/patool.scm:37:2

name: gnome-boxes
synopsis: View, access, and manage remote and virtual systems  
location: gnu/packages/gnome.scm:12554:2

name: proot
synopsis: Unprivileged chroot, bind mount, and binfmt_misc  
location: gnu/packages/linux.scm:8449:2

name: geary
synopsis: GNOME email application built around conversations  
location: gnu/packages/gnome.scm:12630:2

name: tesseract-ocr
synopsis: Optical character recognition engine  
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine  
location: gnu/packages/ocr.scm:192:2

name: reprepro
synopsis: Debian package repository producer  
location: gnu/packages/debian.scm:610:2

name: libjami
synopsis: Jami core library and daemon  
location: gnu/packages/jami.scm:85:2

name: diffoscope
synopsis: Compare files, archives, and directories in depth  
location: gnu/packages/diffoscope.scm:75:2

name: geeqie
synopsis: Lightweight GTK+ based image viewer  
location: gnu/packages/image-viewers.scm:235:2

name: samba
synopsis: The standard Windows interoperability suite of programs for GNU and Unix  
location: gnu/packages/samba.scm:296:2

name: gpaste
synopsis: Clipboard management system for GNOME Shell  
location: gnu/packages/gnome-xyz.scm:1012:2

name: libextractor
synopsis: Library to extract meta-data from media files  
location: gnu/packages/gnunet.scm:87:2

name: unrar-free
synopsis: Extract files from RAR archives  
location: gnu/packages/compression.scm:2813:2

name: archivemount
synopsis: Tool for mounting archive files with FUSE  
location: gnu/packages/linux.scm:4034:2

name: rpm
synopsis: The RPM Package Manager  
location: gnu/packages/package-management.scm:934:2

name: nix
synopsis: The Nix package manager  
location: gnu/packages/package-management.scm:804:2

name: gvfs
synopsis: Userspace virtual file system for GIO  
location: gnu/packages/gnome.scm:7000:2

name: claws-mail
synopsis: GTK-based Email client  
location: gnu/packages/mail.scm:1753:2

name: kbackup
synopsis: Backup program with an easy-to-use interface  
location: gnu/packages/kde-utils.scm:438:2

name: cmake-minimal-cross
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:411:2

name: scilab
synopsis: Software for engineers and scientists  
location: gnu/packages/maths.scm:9708:2

name: pixz
synopsis: Parallel indexing implementation of LZMA  
location: gnu/packages/compression.scm:1037:2

name: cmake-minimal
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:263:2

name: python-fsspec
synopsis: File-system specification  
location: gnu/packages/python-xyz.scm:27706:2

name: libostree
synopsis: Operating system and container binary deployment and upgrades  
location: gnu/packages/package-management.scm:1958:2

name: cmake
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:346:2

name: meandmyshadow
synopsis: Puzzle/platform game  
location: gnu/packages/games.scm:1788:2

name: reprotest
synopsis: Build software and check it for reproducibility  
location: gnu/packages/diffoscope.scm:247:2

name: gimp-next
synopsis: GNU Image Manipulation Program  
location: gnu/packages/gimp.scm:415:2

name: rdup
synopsis: Provide a list of files to backup  
location: /home/leo/work/guix/gnu/packages/backup.scm:370:2

name: irods-client-icommands
synopsis: Data management software  
location: gnu/packages/irods.scm:170:2

name: nestopia-ue
synopsis: Nintendo Entertainment System (NES/Famicom) emulator  
location: gnu/packages/emulators.scm:1363:2

name: avogadrolibs
synopsis: Libraries for chemistry, bioinformatics, and related areas  
location: gnu/packages/chemistry.scm:74:2

name: swi-prolog
synopsis: ISO/Edinburgh-style Prolog interpreter  
location: gnu/packages/prolog.scm:88:2

name: evince
synopsis: GNOME's document viewer  
location: gnu/packages/gnome.scm:2669:2

name: singularity
synopsis: Container platform  
location: gnu/packages/linux.scm:5245:2

name: pqiv
synopsis: Powerful image viewer with minimal UI  
location: gnu/packages/image-viewers.scm:896:2

name: python-libarchive-c
synopsis: Python interface to libarchive  
location: gnu/packages/python-xyz.scm:16283:2

name: python-conda-package-handling
synopsis: Create and extract conda packages of various formats  
location: gnu/packages/package-management.scm:1105:2

name: opencpn
synopsis: Chart plotter and marine GPS navigation software  
location: gnu/packages/geo.scm:2473:2

name: midori
synopsis: Lightweight graphical web browser  
location: gnu/packages/web-browsers.scm:106:2

name: appstream-glib
synopsis: Library for reading and writing AppStream metadata  
location: gnu/packages/glib.scm:1346:2

name: libgxps
synopsis: GObject-based library for handling and rendering XPS documents  
location: gnu/packages/gnome.scm:2069:2

name: libticalcs2
synopsis: Support library for TI calculators  
location: gnu/packages/emulators.scm:1747:2

name: irods
synopsis: Data management software  
location: gnu/packages/irods.scm:48:2

name: ardour
synopsis: Digital audio workstation  
location: gnu/packages/audio.scm:775:2

name: libtifiles2
synopsis: File functions library for TI calculators  
location: gnu/packages/emulators.scm:1712:2

name: flatpak
synopsis: System for building, distributing, and running sandboxed desktop applications  
location: gnu/packages/package-management.scm:2011:2

name: epic5
synopsis: Epic5 IRC Client  
location: gnu/packages/irc.scm:669:2

name: file-roller
synopsis: Graphical archive manager for GNOME  
location: gnu/packages/gnome.scm:7628:2

name: rpi-imager
synopsis: Raspberry Pi Imaging Utility  
location: gnu/packages/raspberry-pi.scm:467:2

name: fwupd
synopsis: Daemon to allow session software to update firmware  
location: gnu/packages/firmware.scm:211:2

name: totem-pl-parser
synopsis: Library to parse and save media playlists for GNOME  
location: gnu/packages/gnome.scm:6075:1

name: osinfo-db-tools
synopsis: Tools for managing the osinfo database  
location: gnu/packages/virtualization.scm:2691:2

name: ark
synopsis: Graphical archiving tool  
location: gnu/packages/kde-utils.scm:54:2

name: vlc
synopsis: Audio and video framework  
location: gnu/packages/video.scm:2365:2

name: fpm
synopsis: Package building and mangling tool  
location: gnu/packages/package-management.scm:2118:2

name: hydrogen
synopsis: Drum machine  
location: gnu/packages/music.scm:869:2

name: gnome-autoar
synopsis: Archives integration support for GNOME  
location: gnu/packages/gnome.scm:9531:2

name: python-py7zr
synopsis: 7-zip in Python  
location: gnu/packages/python-compression.scm:444:2

name: zathura-cb
synopsis: Comic book support for zathura (libarchive backend)  
location: gnu/packages/pdf.scm:516:2

name: python-rarfile
synopsis: RAR archive reader for Python  
location: gnu/packages/python-xyz.scm:19616:2

name: epiphany
synopsis: GNOME web browser  
location: gnu/packages/gnome.scm:7160:2

name: gnome-arcade
synopsis: Minimal MAME frontend  
location: gnu/packages/emulators.scm:1962:2

name: zeal
synopsis: Offline documentation browser inspired by Dash  
location: gnu/packages/documentation.scm:412:4

name: pcsxr
synopsis: PlayStation emulator  
location: gnu/packages/emulators.scm:2057:4

name: atril
synopsis: Document viewer for Mate  
location: gnu/packages/mate.scm:683:2
------
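The message asks for the patched libarchive to be tested against the packages that depend on it, and shows a `guix package -s . | recsel ...` pipeline that lists those packages as recsel records. As an added example (not part of Leo's message or of Guix itself), the following POSIX shell snippet turns record output of that shape into a deduplicated list of package names and prints a single `./pre-inst-env guix build` invocation for them. The records embedded below are constructed sample input copied in shape from the quoted output, so the script runs offline; `dependent_names` and `build_command` are names chosen here.

```shell
# Added example, not code from the bug report: parse recsel "name:/synopsis:/location:"
# records (as produced by the pipeline quoted in the message) into package names,
# so the dependents of libarchive can be rebuilt against the patched package.

# Print the value of every "name:" field, one per line, deduplicated.
# The real output lists tesseract-ocr twice (two package variants share a
# name), and "guix build" only needs the name once.
dependent_names() {
    awk '/^name: / { sub(/^name: /, ""); if (!seen[$0]++) print }'
}

# Emit one "guix build" command for all names read on stdin. It only prints
# the command line; it is meant to be run with ./pre-inst-env from a Guix
# checkout that carries the libarchive patch.
build_command() {
    names=$(dependent_names | tr '\n' ' ')
    printf './pre-inst-env guix build %s\n' "${names% }"
}

# Constructed sample records, a subset of the message's recsel output.
SAMPLE_RECORDS='name: dwarfs
synopsis: Fast high compression read-only file system
location: gnu/packages/file-systems.scm:2106:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:192:2

name: patool
synopsis: Portable archive file manager
location: gnu/packages/patool.scm:37:2'

# Demo on the sample input: the deduplicated names, then the build command.
printf '%s\n' "$SAMPLE_RECORDS" | dependent_names
printf '%s\n' "$SAMPLE_RECORDS" | build_command
```

To use it against a real tree, replace the sample input with the output of the pipeline from the message, for example `./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name | build_command`, and run the printed command; a build failure in any dependent is the signal that the cherry-picked fix changed libarchive's behaviour in a way that needs a closer look.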



debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 06:39:36 2024; Machine Name: wallace-server
