
[bug#74283] gnu: libarchive: Graft to 3.7.7. [security fixes]

Message ID 1ca0c3d9b6423645ebdfda7efbc9376477b07943.1731168409.git.liliana.prikler@gmail.com
State New

Commit Message

Liliana Marie Prikler Nov. 9, 2024, 2:27 p.m. UTC
* gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
(libarchive/fixed): New variable.

Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
Fixes: NULL pointer dereference [CVE-2022-36227].
---
 gnu/packages/backup.scm | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)


base-commit: 2a6d96425eea57dc6dd48a2bec16743046e32e06
prerequisite-patch-id: ecae21ac778a87cc06da1605938183a6d068b4e0
prerequisite-patch-id: 556d0786c44ebcc378f5a35ba582d6b3c98d44a2
prerequisite-patch-id: 13d32cd5a82d8f7092c058d31369dbeda68dc472
prerequisite-patch-id: 9e85b59d6e53ffb000d6e3f9fe2d317190a9cd97
prerequisite-patch-id: df8a3ab92c9a09f631eb1d4fd109813ba6a79ab9
prerequisite-patch-id: dcffb45b7cd5a54797227bb7b92c528dddd5c7a2

Comments

Maxim Cournoyer Nov. 12, 2024, 11:32 a.m. UTC | #1
Hi,

Liliana Marie Prikler <liliana.prikler@gmail.com> writes:

> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].

Pushed with a6dab6e915!  Thank you.
Maxim Cournoyer Nov. 13, 2024, 2:56 a.m. UTC | #2
Hi Liliana,

Liliana Marie Prikler <liliana.prikler@gmail.com> writes:

> * gnu/packages/backup.scm (libarchive): Add replacement with libarchive/fixed.
> (libarchive/fixed): New variable.
>
> Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
> Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
> Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
> Fixes: NULL pointer dereference [CVE-2022-36227].

Seems serious.

> ---
>  gnu/packages/backup.scm | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
>
> diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
> index 0973c5ddca..22c1ef64e9 100644
> --- a/gnu/packages/backup.scm
> +++ b/gnu/packages/backup.scm
> @@ -262,6 +262,7 @@ (define-public hdup
>  (define-public libarchive
>    (package
>      (name "libarchive")
> +    (replacement libarchive/fixed)
>      (version "3.6.1")
>      (source
>       (origin
> @@ -351,6 +352,22 @@ (define-public libarchive
>  @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
>      (license license:bsd-2)))
>  
> +(define-public libarchive/fixed

The replacement doesn't need to be exposed itself to users/api.  I'd
drop the '-public' part.

I've pushed it already, but will adjust to drop the public part later.

Patch

diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 0973c5ddca..22c1ef64e9 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -262,6 +262,7 @@  (define-public hdup
 (define-public libarchive
   (package
     (name "libarchive")
+    (replacement libarchive/fixed)
     (version "3.6.1")
     (source
      (origin
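Review bot: the added `(replacement libarchive/fixed)` line turns this update into a graft rather than a rebuild, which is only sound if the 3.7.7 build is a binary drop-in for 3.6.1 (same shared-library soname, same set of output files), since grafting leaves dependents' existing builds in place and merely rewrites their store references to point at the replacement. Worth confirming that the soname did not change between 3.6.1 and 3.7.7 before relying on this; if it did, the fix needs a real `version` bump of `libarchive` on a rebuild branch instead of a graft.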
@@ -351,6 +352,22 @@  (define-public libarchive
 @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
     (license license:bsd-2)))
 
+(define-public libarchive/fixed
+  (package
+    (inherit libarchive)
+    (version "3.7.7")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
+                                 version ".tar.xz")
+                  (string-append "https://github.com/libarchive/libarchive"
+                                 "/releases/download/v" version "/libarchive-"
+                                 version ".tar.xz")))
+       (sha256
+        (base32
+         "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7"))))))
+
 (define-public rdup
   (package
     (name "rdup")
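Review bot: the new `source` field replaces the inherited origin wholesale, so any `patches` or `snippet` attached to the 3.6.1 origin (the remainder of that origin is outside this hunk) are silently dropped from the replacement; please confirm none are still needed at 3.7.7, or carry them over. Two smaller points: as already raised in the thread, `define-public` can be a plain `define`, since a replacement is only ever referenced from the `replacement` field and need not be exported; and a one-line comment above the definition naming the CVEs it addresses would tell a future maintainer when the graft can be retired in favour of a proper version bump.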