From patchwork Sun Mar 31 20:44:50 2024
From: Leo Famulari
To: 70114@debbugs.gnu.org
Cc: guix-patches@gnu.org
Date: Sun, 31 Mar 2024 16:44:50 -0400
Subject: [bug#70114] [PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive
X-Mailer: git-send-email 2.41.0
The malicious actor that attacked Xz was also active in the libarchive
codebase:

https://github.com/libarchive/libarchive/issues/2103

This patch cherry-picks a fix for a potential vulnerability added by this
entity. The patch file includes annotations.

Please test with packages that directly use libarchive! For example:

------
$ ./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name,synopsis,location
name: dwarfs
synopsis: Fast high compression read-only file system
location: gnu/packages/file-systems.scm:2106:2

name: patool
synopsis: Portable archive file manager
location: gnu/packages/patool.scm:37:2

name: gnome-boxes
synopsis: View, access, and manage remote and virtual systems
location: gnu/packages/gnome.scm:12554:2

name: proot
synopsis: Unprivileged chroot, bind mount, and binfmt_misc
location: gnu/packages/linux.scm:8449:2

name: geary
synopsis: GNOME email application built around conversations
location: gnu/packages/gnome.scm:12630:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:192:2

name: reprepro
synopsis: Debian package repository producer
location: gnu/packages/debian.scm:610:2

name: libjami
synopsis: Jami core library and daemon
location: gnu/packages/jami.scm:85:2

name: diffoscope
synopsis: Compare files, archives, and directories in depth
location: gnu/packages/diffoscope.scm:75:2

name: geeqie
synopsis: Lightweight GTK+ based image viewer
location: gnu/packages/image-viewers.scm:235:2

name: samba
synopsis: The standard Windows interoperability suite of programs for GNU and Unix
location: gnu/packages/samba.scm:296:2

name: gpaste
synopsis: Clipboard management system for GNOME Shell
location: gnu/packages/gnome-xyz.scm:1012:2

name: libextractor
synopsis: Library to extract meta-data from media files
location: gnu/packages/gnunet.scm:87:2

name: unrar-free
synopsis: Extract files from RAR archives
location: gnu/packages/compression.scm:2813:2

name: archivemount
synopsis: Tool for mounting archive files with FUSE
location: gnu/packages/linux.scm:4034:2

name: rpm
synopsis: The RPM Package Manager
location: gnu/packages/package-management.scm:934:2

name: nix
synopsis: The Nix package manager
location: gnu/packages/package-management.scm:804:2

name: gvfs
synopsis: Userspace virtual file system for GIO
location: gnu/packages/gnome.scm:7000:2

name: claws-mail
synopsis: GTK-based Email client
location: gnu/packages/mail.scm:1753:2

name: kbackup
synopsis: Backup program with an easy-to-use interface
location: gnu/packages/kde-utils.scm:438:2

name: cmake-minimal-cross
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:411:2

name: scilab
synopsis: Software for engineers and scientists
location: gnu/packages/maths.scm:9708:2

name: pixz
synopsis: Parallel indexing implementation of LZMA
location: gnu/packages/compression.scm:1037:2

name: cmake-minimal
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:263:2

name: python-fsspec
synopsis: File-system specification
location: gnu/packages/python-xyz.scm:27706:2

name: libostree
synopsis: Operating system and container binary deployment and upgrades
location: gnu/packages/package-management.scm:1958:2

name: cmake
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:346:2

name: meandmyshadow
synopsis: Puzzle/platform game
location: gnu/packages/games.scm:1788:2

name: reprotest
synopsis: Build software and check it for reproducibility
location: gnu/packages/diffoscope.scm:247:2

name: gimp-next
synopsis: GNU Image Manipulation Program
location: gnu/packages/gimp.scm:415:2

name: rdup
synopsis: Provide a list of files to backup
location: /home/leo/work/guix/gnu/packages/backup.scm:370:2

name: irods-client-icommands
synopsis: Data management software
location: gnu/packages/irods.scm:170:2

name: nestopia-ue
synopsis: Nintendo Entertainment System (NES/Famicom) emulator
location: gnu/packages/emulators.scm:1363:2

name: avogadrolibs
synopsis: Libraries for chemistry, bioinformatics, and related areas
location: gnu/packages/chemistry.scm:74:2

name: swi-prolog
synopsis: ISO/Edinburgh-style Prolog interpreter
location: gnu/packages/prolog.scm:88:2

name: evince
synopsis: GNOME's document viewer
location: gnu/packages/gnome.scm:2669:2

name: singularity
synopsis: Container platform
location: gnu/packages/linux.scm:5245:2

name: pqiv
synopsis: Powerful image viewer with minimal UI
location: gnu/packages/image-viewers.scm:896:2

name: python-libarchive-c
synopsis: Python interface to libarchive
location: gnu/packages/python-xyz.scm:16283:2

name: python-conda-package-handling
synopsis: Create and extract conda packages of various formats
location: gnu/packages/package-management.scm:1105:2

name: opencpn
synopsis: Chart plotter and marine GPS navigation software
location: gnu/packages/geo.scm:2473:2

name: midori
synopsis: Lightweight graphical web browser
location: gnu/packages/web-browsers.scm:106:2

name: appstream-glib
synopsis: Library for reading and writing AppStream metadata
location: gnu/packages/glib.scm:1346:2

name: libgxps
synopsis: GObject-based library for handling and rendering XPS documents
location: gnu/packages/gnome.scm:2069:2

name: libticalcs2
synopsis: Support library for TI calculators
location: gnu/packages/emulators.scm:1747:2

name: irods
synopsis: Data management software
location: gnu/packages/irods.scm:48:2

name: ardour
synopsis: Digital audio workstation
location: gnu/packages/audio.scm:775:2

name: libtifiles2
synopsis: File functions library for TI calculators
location: gnu/packages/emulators.scm:1712:2

name: flatpak
synopsis: System for building, distributing, and running sandboxed desktop applications
location: gnu/packages/package-management.scm:2011:2

name: epic5
synopsis: Epic5 IRC Client
location: gnu/packages/irc.scm:669:2

name: file-roller
synopsis: Graphical archive manager for GNOME
location: gnu/packages/gnome.scm:7628:2

name: rpi-imager
synopsis: Raspberry Pi Imaging Utility
location: gnu/packages/raspberry-pi.scm:467:2

name: fwupd
synopsis: Daemon to allow session software to update firmware
location: gnu/packages/firmware.scm:211:2

name: totem-pl-parser
synopsis: Library to parse and save media playlists for GNOME
location: gnu/packages/gnome.scm:6075:1

name: osinfo-db-tools
synopsis: Tools for managing the osinfo database
location: gnu/packages/virtualization.scm:2691:2

name: ark
synopsis: Graphical archiving tool
location: gnu/packages/kde-utils.scm:54:2

name: vlc
synopsis: Audio and video framework
location: gnu/packages/video.scm:2365:2

name: fpm
synopsis: Package building and mangling tool
location: gnu/packages/package-management.scm:2118:2

name: hydrogen
synopsis: Drum machine
location: gnu/packages/music.scm:869:2

name: gnome-autoar
synopsis: Archives integration support for GNOME
location: gnu/packages/gnome.scm:9531:2

name: python-py7zr
synopsis: 7-zip in Python
location: gnu/packages/python-compression.scm:444:2

name: zathura-cb
synopsis: Comic book support for zathura (libarchive backend)
location: gnu/packages/pdf.scm:516:2

name: python-rarfile
synopsis: RAR archive reader for Python
location: gnu/packages/python-xyz.scm:19616:2

name: epiphany
synopsis: GNOME web browser
location: gnu/packages/gnome.scm:7160:2

name: gnome-arcade
synopsis: Minimal MAME frontend
location: gnu/packages/emulators.scm:1962:2

name: zeal
synopsis: Offline documentation browser inspired by Dash
location: gnu/packages/documentation.scm:412:4

name: pcsxr
synopsis: PlayStation emulator
location: gnu/packages/emulators.scm:2057:4

name: atril
synopsis: Document viewer for Mate
location: gnu/packages/mate.scm:683:2
------

Leo Famulari (1):
  gnu: libarchive: Fix a potential security issue.

 gnu/local.mk                                  |  1 +
 gnu/packages/backup.scm                       | 19 ++++++++
 ...libarchive-remove-potential-backdoor.patch | 47 +++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch

base-commit: 4d79a9cd6b5f0d8c5afbab0c6b70ae42740d5470
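Added example, not part of Leo Famulari's patch and not Guix's own tooling: a small POSIX shell script that turns the recsel listing above into a de-duplicated rebuild sweep of libarchive's direct dependents, and checks that the new patch file is registered in gnu/local.mk (the diffstat reports that one-line addition; a patch that is missing there builds locally but is left out of the release tarball). The recsel records and the local.mk fragment embedded in the script are constructed samples that imitate the real output; `./pre-inst-env` and `guix build` are real Guix commands, and the package set passed to them is whatever the caller supplies.

```shell
#!/bin/sh
# Added example: rebuild sweep and patch-registration check for a Guix
# checkout carrying the libarchive patch. Not code from the patch itself.
set -eu

# Constructed sample in the shape of the recsel output from the cover letter
# (three records; tesseract-ocr appears twice, as it does in the real listing).
SAMPLE_RECSEL='name: dwarfs
synopsis: Fast high compression read-only file system
location: gnu/packages/file-systems.scm:2106:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:192:2
'

# Constructed stand-in for the patch list in gnu/local.mk; the real file
# names every file under gnu/packages/patches, one per line, with a
# trailing backslash continuation.
SAMPLE_LOCAL_MK='  %D%/packages/patches/libarchive-remove-potential-backdoor.patch \
  %D%/packages/patches/some-other-package-fix.patch \
'

# Read recsel-formatted records on stdin and print each package name once.
# Packages with several variants (tesseract-ocr above) would otherwise be
# queued for a rebuild twice.
dependents() {
  sed -n 's/^name: //p' | sort -u
}

# Print the command a developer runs from the checkout to rebuild libarchive
# together with the dependents given as arguments. Every dependent links
# against the new libarchive derivation, so a build failure here is the
# signal the cover letter asks testers to look for.
rebuild_command() {
  names=$(printf '%s\n' "$@" | tr '\n' ' ')
  printf './pre-inst-env guix build libarchive %s\n' "${names% }"
}

# Succeed only if the patch file named in $1 is listed in the local.mk
# content supplied on stdin. Forgetting this registration is a classic
# Guix packaging slip: `guix build` still applies the patch from the tree,
# but `make dist` omits the file and downstream builds of the tarball fail.
patch_registered() {
  grep -qF "/patches/$1"
}

# Stand-alone run over the constructed samples.
if printf '%s' "$SAMPLE_LOCAL_MK" | patch_registered libarchive-remove-potential-backdoor.patch; then
  echo "patch registered in local.mk"
else
  echo "patch NOT registered in local.mk" >&2
fi
rebuild_command $(printf '%s' "$SAMPLE_RECSEL" | dependents)
```

In a real checkout, replace the embedded sample with the live listing (`./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name | dependents`) and pipe `gnu/local.mk` into `patch_registered`. Before starting the long rebuild, `./pre-inst-env guix build -S libarchive` is a quick way to confirm the patch was picked up at all: it returns the source with the origin's patches applied, so the annotated change can be inspected there directly.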