GNU bug report logs

#70114 [PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive

Package: guix-patches

Message #5 received at submit@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: guix-patches@gnu.org
Subject: [PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive
Date: Sun, 31 Mar 2024 16:44:50 -0400
Message-ID: <cover.1711917891.git.leo@famulari.name>
The malicious actor that attacked Xz was also active in the libarchive
codebase:

https://github.com/libarchive/libarchive/issues/2103

This patch cherry-picks a fix for a potential vulnerability added by
this entity. The patch file includes annotations.

Please test with packages that directly use libarchive! For example:

------
$ ./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name,synopsis,location 
name: dwarfs
synopsis: Fast high compression read-only file system  
location: gnu/packages/file-systems.scm:2106:2

name: patool
synopsis: Portable archive file manager  
location: gnu/packages/patool.scm:37:2

name: gnome-boxes
synopsis: View, access, and manage remote and virtual systems  
location: gnu/packages/gnome.scm:12554:2

name: proot
synopsis: Unprivileged chroot, bind mount, and binfmt_misc  
location: gnu/packages/linux.scm:8449:2

name: geary
synopsis: GNOME email application built around conversations  
location: gnu/packages/gnome.scm:12630:2

name: tesseract-ocr
synopsis: Optical character recognition engine  
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine  
location: gnu/packages/ocr.scm:192:2

name: reprepro
synopsis: Debian package repository producer  
location: gnu/packages/debian.scm:610:2

name: libjami
synopsis: Jami core library and daemon  
location: gnu/packages/jami.scm:85:2

name: diffoscope
synopsis: Compare files, archives, and directories in depth  
location: gnu/packages/diffoscope.scm:75:2

name: geeqie
synopsis: Lightweight GTK+ based image viewer  
location: gnu/packages/image-viewers.scm:235:2

name: samba
synopsis: The standard Windows interoperability suite of programs for GNU and Unix  
location: gnu/packages/samba.scm:296:2

name: gpaste
synopsis: Clipboard management system for GNOME Shell  
location: gnu/packages/gnome-xyz.scm:1012:2

name: libextractor
synopsis: Library to extract meta-data from media files  
location: gnu/packages/gnunet.scm:87:2

name: unrar-free
synopsis: Extract files from RAR archives  
location: gnu/packages/compression.scm:2813:2

name: archivemount
synopsis: Tool for mounting archive files with FUSE  
location: gnu/packages/linux.scm:4034:2

name: rpm
synopsis: The RPM Package Manager  
location: gnu/packages/package-management.scm:934:2

name: nix
synopsis: The Nix package manager  
location: gnu/packages/package-management.scm:804:2

name: gvfs
synopsis: Userspace virtual file system for GIO  
location: gnu/packages/gnome.scm:7000:2

name: claws-mail
synopsis: GTK-based Email client  
location: gnu/packages/mail.scm:1753:2

name: kbackup
synopsis: Backup program with an easy-to-use interface  
location: gnu/packages/kde-utils.scm:438:2

name: cmake-minimal-cross
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:411:2

name: scilab
synopsis: Software for engineers and scientists  
location: gnu/packages/maths.scm:9708:2

name: pixz
synopsis: Parallel indexing implementation of LZMA  
location: gnu/packages/compression.scm:1037:2

name: cmake-minimal
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:263:2

name: python-fsspec
synopsis: File-system specification  
location: gnu/packages/python-xyz.scm:27706:2

name: libostree
synopsis: Operating system and container binary deployment and upgrades  
location: gnu/packages/package-management.scm:1958:2

name: cmake
synopsis: Cross-platform build system  
location: gnu/packages/cmake.scm:346:2

name: meandmyshadow
synopsis: Puzzle/platform game  
location: gnu/packages/games.scm:1788:2

name: reprotest
synopsis: Build software and check it for reproducibility  
location: gnu/packages/diffoscope.scm:247:2

name: gimp-next
synopsis: GNU Image Manipulation Program  
location: gnu/packages/gimp.scm:415:2

name: rdup
synopsis: Provide a list of files to backup  
location: /home/leo/work/guix/gnu/packages/backup.scm:370:2

name: irods-client-icommands
synopsis: Data management software  
location: gnu/packages/irods.scm:170:2

name: nestopia-ue
synopsis: Nintendo Entertainment System (NES/Famicom) emulator  
location: gnu/packages/emulators.scm:1363:2

name: avogadrolibs
synopsis: Libraries for chemistry, bioinformatics, and related areas  
location: gnu/packages/chemistry.scm:74:2

name: swi-prolog
synopsis: ISO/Edinburgh-style Prolog interpreter  
location: gnu/packages/prolog.scm:88:2

name: evince
synopsis: GNOME's document viewer  
location: gnu/packages/gnome.scm:2669:2

name: singularity
synopsis: Container platform  
location: gnu/packages/linux.scm:5245:2

name: pqiv
synopsis: Powerful image viewer with minimal UI  
location: gnu/packages/image-viewers.scm:896:2

name: python-libarchive-c
synopsis: Python interface to libarchive  
location: gnu/packages/python-xyz.scm:16283:2

name: python-conda-package-handling
synopsis: Create and extract conda packages of various formats  
location: gnu/packages/package-management.scm:1105:2

name: opencpn
synopsis: Chart plotter and marine GPS navigation software  
location: gnu/packages/geo.scm:2473:2

name: midori
synopsis: Lightweight graphical web browser  
location: gnu/packages/web-browsers.scm:106:2

name: appstream-glib
synopsis: Library for reading and writing AppStream metadata  
location: gnu/packages/glib.scm:1346:2

name: libgxps
synopsis: GObject-based library for handling and rendering XPS documents  
location: gnu/packages/gnome.scm:2069:2

name: libticalcs2
synopsis: Support library for TI calculators  
location: gnu/packages/emulators.scm:1747:2

name: irods
synopsis: Data management software  
location: gnu/packages/irods.scm:48:2

name: ardour
synopsis: Digital audio workstation  
location: gnu/packages/audio.scm:775:2

name: libtifiles2
synopsis: File functions library for TI calculators  
location: gnu/packages/emulators.scm:1712:2

name: flatpak
synopsis: System for building, distributing, and running sandboxed desktop applications  
location: gnu/packages/package-management.scm:2011:2

name: epic5
synopsis: Epic5 IRC Client  
location: gnu/packages/irc.scm:669:2

name: file-roller
synopsis: Graphical archive manager for GNOME  
location: gnu/packages/gnome.scm:7628:2

name: rpi-imager
synopsis: Raspberry Pi Imaging Utility  
location: gnu/packages/raspberry-pi.scm:467:2

name: fwupd
synopsis: Daemon to allow session software to update firmware  
location: gnu/packages/firmware.scm:211:2

name: totem-pl-parser
synopsis: Library to parse and save media playlists for GNOME  
location: gnu/packages/gnome.scm:6075:1

name: osinfo-db-tools
synopsis: Tools for managing the osinfo database  
location: gnu/packages/virtualization.scm:2691:2

name: ark
synopsis: Graphical archiving tool  
location: gnu/packages/kde-utils.scm:54:2

name: vlc
synopsis: Audio and video framework  
location: gnu/packages/video.scm:2365:2

name: fpm
synopsis: Package building and mangling tool  
location: gnu/packages/package-management.scm:2118:2

name: hydrogen
synopsis: Drum machine  
location: gnu/packages/music.scm:869:2

name: gnome-autoar
synopsis: Archives integration support for GNOME  
location: gnu/packages/gnome.scm:9531:2

name: python-py7zr
synopsis: 7-zip in Python  
location: gnu/packages/python-compression.scm:444:2

name: zathura-cb
synopsis: Comic book support for zathura (libarchive backend)  
location: gnu/packages/pdf.scm:516:2

name: python-rarfile
synopsis: RAR archive reader for Python  
location: gnu/packages/python-xyz.scm:19616:2

name: epiphany
synopsis: GNOME web browser  
location: gnu/packages/gnome.scm:7160:2

name: gnome-arcade
synopsis: Minimal MAME frontend  
location: gnu/packages/emulators.scm:1962:2

name: zeal
synopsis: Offline documentation browser inspired by Dash  
location: gnu/packages/documentation.scm:412:4

name: pcsxr
synopsis: PlayStation emulator  
location: gnu/packages/emulators.scm:2057:4

name: atril
synopsis: Document viewer for Mate  
location: gnu/packages/mate.scm:683:2
------

Leo Famulari (1):
  gnu: libarchive: Fix a potential security issue.

 gnu/local.mk                                  |  1 +
 gnu/packages/backup.scm                       | 19 ++++++++
 ...libarchive-remove-potential-backdoor.patch | 47 +++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch


base-commit: 4d79a9cd6b5f0d8c5afbab0c6b70ae42740d5470
-- 
2.41.0
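The recsel filter in the cover letter, (dependencies ~ "libarchive"), is a regular-expression match over the whole dependencies field, so it also selects packages whose dependency merely contains that string (a differently named package such as a hypothetical "libarchive-minimal" would match). When the goal is to find every package that links the patched library directly, an exact match on the bare package name is the safer check. The following is an added example, not code from the patch or from Guix itself: it parses the recutils-style records that "guix package -s" prints, strips the "@version" suffix from each dependency token, and compares names exactly, alongside the substring behaviour for contrast. The records embedded below are constructed to mimic that output format; the package names, versions and locations in them are illustrative only.

```python
"""Exact-match reverse-dependency filter over `guix package -s` output.

Added example, not code from the patch or from Guix.  The recutils
records below are constructed to mimic the shape of `guix package -s`
output; the package names, versions and locations are illustrative.
"""
import re

# Constructed sample in the same record layout `guix package -s` prints:
# one record per package, fields as "key: value", records separated by a
# blank line, long values continued on lines starting with "+ ".
SAMPLE_RECORDS = """\
name: example-archiver
version: 1.0
dependencies: libarchive@3.7.2 zlib@1.3
location: gnu/packages/example.scm:10:2
synopsis: Constructed example that links libarchive directly
description: A made-up package used only to exercise the filter
+ below; it is not a real Guix package.

name: example-minimal-user
version: 2.0
dependencies: libarchive-minimal@3.7.2
location: gnu/packages/example.scm:40:2
synopsis: Constructed example depending on a differently named package

name: libarchive
version: 3.7.2
dependencies: bzip2@1.0.8 xz@5.4.5 zlib@1.3
location: gnu/packages/backup.scm:100:2
synopsis: Multi-format archive and compression library

name: example-tool
version: 0.1
dependencies: xz@5.4.5
location: gnu/packages/example.scm:70:2
synopsis: Constructed example with no libarchive dependency
"""


def parse_records(text):
    """Split recutils-style output into a list of dicts.

    Records are separated by blank lines; a line starting with '+'
    continues the previous field's value (this is how wrapped
    descriptions are printed)."""
    records = []
    current = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current, last_key = {}, None
            continue
        if line.startswith("+") and last_key is not None:
            current[last_key] += " " + line[1:].strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        records.append(current)
    return records


def dependency_names(record):
    """Return the bare package names from a 'dependencies' field.

    Each token is 'name@version' (or just 'name'); the version is
    stripped so that matching is on the exact name only."""
    field = record.get("dependencies", "")
    return {tok.split("@", 1)[0] for tok in field.split()}


def direct_dependents(text, package):
    """Packages whose dependencies list `package` by exact name."""
    return [r["name"] for r in parse_records(text)
            if package in dependency_names(r)]


def substring_dependents(text, package):
    """What recsel's `dependencies ~ "..."` does: a regex search over the
    whole field, which also catches look-alike dependency names."""
    return [r["name"] for r in parse_records(text)
            if re.search(package, r.get("dependencies", ""))]


if __name__ == "__main__":
    print("exact:    ", direct_dependents(SAMPLE_RECORDS, "libarchive"))
    print("substring:", substring_dependents(SAMPLE_RECORDS, "libarchive"))
```

On a real checkout, feed the output of "./pre-inst-env guix package -s ." into parse_records instead of the constructed sample. Note that this only sees direct inputs; "guix refresh --list-dependent libarchive" is the Guix command that reports the packages that would need to be rebuilt after the library changes, which is the better starting point for a rebuild plan.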
debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 02:35:02 2024; Machine Name: wallace-server