| Message ID | 1ca0c3d9b6423645ebdfda7efbc9376477b07943.1731168409.git.liliana.prikler@gmail.com |
|---|---|
| State | New |
| Series | [bug#74283] gnu: libarchive: Graft to 3.7.7. [security fixes] |
Hi,

Liliana Marie Prikler <liliana.prikler@gmail.com> writes:

> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].

Pushed with a6dab6e915! Thank you.
Hi Liliana,

Liliana Marie Prikler <liliana.prikler@gmail.com> writes:

> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].

Seems serious.

> --- > gnu/packages/backup.scm | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm > index 0973c5ddca..22c1ef64e9 100644 > --- a/gnu/packages/backup.scm > +++ b/gnu/packages/backup.scm > @@ -262,6 +262,7 @@ (define-public hdup > (define-public libarchive > (package > (name "libarchive") > + (replacement libarchive/fixed) > (version "3.6.1") > (source > (origin > @@ -351,6 +352,22 @@ (define-public libarchive > @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.") > (license license:bsd-2))) > > +(define-public libarchive/fixed

The replacement doesn't need to be exposed itself to users/api. I'd drop the '-public' part.

I've pushed it already, but will adjust to drop the public part later.
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index 0973c5ddca..22c1ef64e9 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm @@ -262,6 +262,7 @@ (define-public hdup (define-public libarchive (package (name "libarchive") + (replacement libarchive/fixed) (version "3.6.1") (source (origin @@ -351,6 +352,22 @@ (define-public libarchive @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.") (license license:bsd-2))) +(define-public libarchive/fixed + (package + (inherit libarchive) + (version "3.7.7") + (source + (origin + (method url-fetch) + (uri (list (string-append "https://libarchive.org/downloads/libarchive-" + version ".tar.xz") + (string-append "https://github.com/libarchive/libarchive" + "/releases/download/v" version "/libarchive-" + version ".tar.xz"))) + (sha256 + (base32 + "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7")))))) + (define-public rdup (package (name "rdup")
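Review bot: the `(replacement libarchive/fixed)` field in the first hunk makes this a graft, so every dependent built against 3.6.1 has the 3.7.7 store item substituted in place without being rebuilt; before merging, confirm that the shared library's soname and exported symbols are the same in both builds, because a graft whose ABI differs fails in dependents at run time rather than at build time. A one-line comment above the field naming this bug number would also make it clear when the graft can be dropped on the next full rebuild.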
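Review bot: in the second hunk, `(define-public libarchive/fixed ...)` exports a variable that exists only to serve as the graft target; a plain `define` is sufficient and matches the usual `/fixed` replacement convention, keeping it out of the public package namespace. Because the replacement inherits the 3.6.1 `arguments` and inputs unchanged, the review should include an actual build of `libarchive/fixed` with its test suite, to confirm that nothing between 3.6.1 and 3.7.7 needs a configure flag or phase adjustment, and a check that the `sha256` matches what `guix download` reports for the 3.7.7 tarball.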