| Message ID | 7a74261a419e9127887bc9ea096294e42156cce1.1711917891.git.leo@famulari.name |
|---|---|
| State | New |
| Series | Xz backdoor / JiaT75 cleanup for libarchive |
The malicious actor that attacked Xz was also active in the libarchive codebase:

https://github.com/libarchive/libarchive/issues/2103

This patch cherry-picks a fix for a potential vulnerability added by this entity. The patch file includes annotations.

Please test with packages that directly use libarchive! For example:

------
$ ./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name,synopsis,location
name: dwarfs
synopsis: Fast high compression read-only file system
location: gnu/packages/file-systems.scm:2106:2

name: patool
synopsis: Portable archive file manager
location: gnu/packages/patool.scm:37:2

name: gnome-boxes
synopsis: View, access, and manage remote and virtual systems
location: gnu/packages/gnome.scm:12554:2

name: proot
synopsis: Unprivileged chroot, bind mount, and binfmt_misc
location: gnu/packages/linux.scm:8449:2

name: geary
synopsis: GNOME email application built around conversations
location: gnu/packages/gnome.scm:12630:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr
synopsis: Optical character recognition engine
location: gnu/packages/ocr.scm:192:2

name: reprepro
synopsis: Debian package repository producer
location: gnu/packages/debian.scm:610:2

name: libjami
synopsis: Jami core library and daemon
location: gnu/packages/jami.scm:85:2

name: diffoscope
synopsis: Compare files, archives, and directories in depth
location: gnu/packages/diffoscope.scm:75:2

name: geeqie
synopsis: Lightweight GTK+ based image viewer
location: gnu/packages/image-viewers.scm:235:2

name: samba
synopsis: The standard Windows interoperability suite of programs for GNU and Unix
location: gnu/packages/samba.scm:296:2

name: gpaste
synopsis: Clipboard management system for GNOME Shell
location: gnu/packages/gnome-xyz.scm:1012:2

name: libextractor
synopsis: Library to extract meta-data from media files
location: gnu/packages/gnunet.scm:87:2

name: unrar-free
synopsis: Extract files from RAR archives
location: gnu/packages/compression.scm:2813:2

name: archivemount
synopsis: Tool for mounting archive files with FUSE
location: gnu/packages/linux.scm:4034:2

name: rpm
synopsis: The RPM Package Manager
location: gnu/packages/package-management.scm:934:2

name: nix
synopsis: The Nix package manager
location: gnu/packages/package-management.scm:804:2

name: gvfs
synopsis: Userspace virtual file system for GIO
location: gnu/packages/gnome.scm:7000:2

name: claws-mail
synopsis: GTK-based Email client
location: gnu/packages/mail.scm:1753:2

name: kbackup
synopsis: Backup program with an easy-to-use interface
location: gnu/packages/kde-utils.scm:438:2

name: cmake-minimal-cross
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:411:2

name: scilab
synopsis: Software for engineers and scientists
location: gnu/packages/maths.scm:9708:2

name: pixz
synopsis: Parallel indexing implementation of LZMA
location: gnu/packages/compression.scm:1037:2

name: cmake-minimal
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:263:2

name: python-fsspec
synopsis: File-system specification
location: gnu/packages/python-xyz.scm:27706:2

name: libostree
synopsis: Operating system and container binary deployment and upgrades
location: gnu/packages/package-management.scm:1958:2

name: cmake
synopsis: Cross-platform build system
location: gnu/packages/cmake.scm:346:2

name: meandmyshadow
synopsis: Puzzle/platform game
location: gnu/packages/games.scm:1788:2

name: reprotest
synopsis: Build software and check it for reproducibility
location: gnu/packages/diffoscope.scm:247:2

name: gimp-next
synopsis: GNU Image Manipulation Program
location: gnu/packages/gimp.scm:415:2

name: rdup
synopsis: Provide a list of files to backup
location: /home/leo/work/guix/gnu/packages/backup.scm:370:2

name: irods-client-icommands
synopsis: Data management software
location: gnu/packages/irods.scm:170:2

name: nestopia-ue
synopsis: Nintendo Entertainment System (NES/Famicom) emulator
location: gnu/packages/emulators.scm:1363:2

name: avogadrolibs
synopsis: Libraries for chemistry, bioinformatics, and related areas
location: gnu/packages/chemistry.scm:74:2

name: swi-prolog
synopsis: ISO/Edinburgh-style Prolog interpreter
location: gnu/packages/prolog.scm:88:2

name: evince
synopsis: GNOME's document viewer
location: gnu/packages/gnome.scm:2669:2

name: singularity
synopsis: Container platform
location: gnu/packages/linux.scm:5245:2

name: pqiv
synopsis: Powerful image viewer with minimal UI
location: gnu/packages/image-viewers.scm:896:2

name: python-libarchive-c
synopsis: Python interface to libarchive
location: gnu/packages/python-xyz.scm:16283:2

name: python-conda-package-handling
synopsis: Create and extract conda packages of various formats
location: gnu/packages/package-management.scm:1105:2

name: opencpn
synopsis: Chart plotter and marine GPS navigation software
location: gnu/packages/geo.scm:2473:2

name: midori
synopsis: Lightweight graphical web browser
location: gnu/packages/web-browsers.scm:106:2

name: appstream-glib
synopsis: Library for reading and writing AppStream metadata
location: gnu/packages/glib.scm:1346:2

name: libgxps
synopsis: GObject-based library for handling and rendering XPS documents
location: gnu/packages/gnome.scm:2069:2

name: libticalcs2
synopsis: Support library for TI calculators
location: gnu/packages/emulators.scm:1747:2

name: irods
synopsis: Data management software
location: gnu/packages/irods.scm:48:2

name: ardour
synopsis: Digital audio workstation
location: gnu/packages/audio.scm:775:2

name: libtifiles2
synopsis: File functions library for TI calculators
location: gnu/packages/emulators.scm:1712:2

name: flatpak
synopsis: System for building, distributing, and running sandboxed desktop applications
location: gnu/packages/package-management.scm:2011:2

name: epic5
synopsis: Epic5 IRC Client
location: gnu/packages/irc.scm:669:2

name: file-roller
synopsis: Graphical archive manager for GNOME
location: gnu/packages/gnome.scm:7628:2

name: rpi-imager
synopsis: Raspberry Pi Imaging Utility
location: gnu/packages/raspberry-pi.scm:467:2

name: fwupd
synopsis: Daemon to allow session software to update firmware
location: gnu/packages/firmware.scm:211:2

name: totem-pl-parser
synopsis: Library to parse and save media playlists for GNOME
location: gnu/packages/gnome.scm:6075:1

name: osinfo-db-tools
synopsis: Tools for managing the osinfo database
location: gnu/packages/virtualization.scm:2691:2

name: ark
synopsis: Graphical archiving tool
location: gnu/packages/kde-utils.scm:54:2

name: vlc
synopsis: Audio and video framework
location: gnu/packages/video.scm:2365:2

name: fpm
synopsis: Package building and mangling tool
location: gnu/packages/package-management.scm:2118:2

name: hydrogen
synopsis: Drum machine
location: gnu/packages/music.scm:869:2

name: gnome-autoar
synopsis: Archives integration support for GNOME
location: gnu/packages/gnome.scm:9531:2

name: python-py7zr
synopsis: 7-zip in Python
location: gnu/packages/python-compression.scm:444:2

name: zathura-cb
synopsis: Comic book support for zathura (libarchive backend)
location: gnu/packages/pdf.scm:516:2

name: python-rarfile
synopsis: RAR archive reader for Python
location: gnu/packages/python-xyz.scm:19616:2

name: epiphany
synopsis: GNOME web browser
location: gnu/packages/gnome.scm:7160:2

name: gnome-arcade
synopsis: Minimal MAME frontend
location: gnu/packages/emulators.scm:1962:2

name: zeal
synopsis: Offline documentation browser inspired by Dash
location: gnu/packages/documentation.scm:412:4

name: pcsxr
synopsis: PlayStation emulator
location: gnu/packages/emulators.scm:2057:4

name: atril
synopsis: Document viewer for Mate
location: gnu/packages/mate.scm:683:2
------
Hi Leo,

On Sun, Mar 31, 2024 at 04:44 PM, Leo Famulari wrote:

> https://github.com/libarchive/libarchive/pull/2101
>
> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> (libarchive/fixed): New variable.
> * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
>

Overall changes look good, but I have not had a chance to try it locally (building or dependents).

[...]

> +(define-public libarchive/fixed
> +  (package
> +    (inherit libarchive)
> +    (version "3.6.1")
> +    (source
> +     (origin
> +       (method url-fetch)
> +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
> +                                 version ".tar.xz")
> +                  (string-append "https://github.com/libarchive/libarchive"
> +                                 "/releases/download/v" version "/libarchive-"
> +                                 version ".tar.xz")))

In light of the xz backdoor, perhaps we should just do a git checkout of the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

I haven't had a chance to look at potential ABI changes, but perhaps at least v3.6.2 is graftable? That also lists a security update (as well as later versions).

Or, if it is easier and this is tested on your end, let's push this and do an upgrade to the latest on a branch. I would volunteer mesa-updates, but Cuirass has been stuck all day not building anything, so I don't know what will end up being quickest (which branch or a new one).

Thanks for the quick work!
John
On Tue, Apr 02, 2024 at 03:23:44AM +0000, John Kehayias via Guix-patches via wrote:
> Hi Leo,
>
> On Sun, Mar 31, 2024 at 04:44 PM, Leo Famulari wrote:
>
> > https://github.com/libarchive/libarchive/pull/2101
> >
> > * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> > (libarchive/fixed): New variable.
> > * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> >
>
> Overall changes look good, but I have not had a chance to try it locally
> (building or dependents).

This looks like what I was going to suggest.

> [...]
>
> > +(define-public libarchive/fixed
> > +  (package
> > +    (inherit libarchive)
> > +    (version "3.6.1")
> > +    (source
> > +     (origin
> > +       (method url-fetch)
> > +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
> > +                                 version ".tar.xz")
> > +                  (string-append "https://github.com/libarchive/libarchive"
> > +                                 "/releases/download/v" version "/libarchive-"
> > +                                 version ".tar.xz")))
>
> In light of the xz backdoor, perhaps we should just do a git checkout of
> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

In this case it was just the patch which didn't do (just) what the commit message said. IMO applying this patch will make us safe from this potential JiaT75 backdoor, no bootstrapping from source needed.

> I haven't had a chance to look at potential ABI changes, but perhaps at
> least v3.6.2 is graftable? That also lists a security update (as well as
> later versions).
>
> Or, if it is easier and this is tested on your end, let's push this and
> do an upgrade to the latest on a branch. I would volunteer mesa-updates,
> but Cuirass has been stuck all day not building anything, so I don't
> know what will end up being quickest (which branch or a new one).

If it turns out that we need to move forward a bit to guard against other CVEs then this patch should be forward compatible, considering it was just added to the libarchive repository.

> Thanks for the quick work!
> John

Indeed. Thanks!
Hello,

John Kehayias via Guix-patches via <guix-patches@gnu.org> writes:

>> +(define-public libarchive/fixed
>> +  (package
>> +    (inherit libarchive)
>> +    (version "3.6.1")
>> +    (source
>> +     (origin
>> +       (method url-fetch)
>> +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
>> +                                 version ".tar.xz")
>> +                  (string-append "https://github.com/libarchive/libarchive"
>> +                                 "/releases/download/v" version "/libarchive-"
>> +                                 version ".tar.xz")))
>
> In light of the xz backdoor, perhaps we should just do a git checkout of
> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

Not having followed the details, I believe the git checkout contained an incomplete part of the malicious code too, from what Joshua Branson (I guess the sender is him?) cites from Phoronix <https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00002.html>:

jbranso@dismail.de writes:
> The malicious injection present in the xz versions 5.6.0 and 5.6.1
> libraries is obfuscated and only included in full in the download package
> - the Git distribution lacks the M4 macro that triggers the build
> of the malicious code. The second-stage artifacts are present in
> the Git repository for the injection during the build time, in
> case the malicious M4 macro is present.

It doesn’t look like avoiding tarballs gives us more verified code.

Regards,
Florian
On Tue, Apr 02, 2024 at 03:23:44AM +0000, John Kehayias wrote:
> Overall changes look good, but I have not had a chance to try it locally
> (building or dependents).

I successfully tested with the file-roller package, which depends directly on libarchive and no other related packages. I think it's a reasonable basic test case.

I agree it's a good idea to look into a more comprehensive update to libarchive, but I just wanted to get this patch in ASAP.

Pushed as 629614c7a3f9283306939402f1ff46914f327c21
Hello,

On Tue, Apr 02, 2024 at 03:45 PM, pelzflorian (Florian Pelz) wrote:

> Hello,
>
> John Kehayias via Guix-patches via <guix-patches@gnu.org> writes:
>>> +(define-public libarchive/fixed
>>> +  (package
>>> +    (inherit libarchive)
>>> +    (version "3.6.1")
>>> +    (source
>>> +     (origin
>>> +       (method url-fetch)
>>> +       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
>>> +                                 version ".tar.xz")
>>> +                  (string-append "https://github.com/libarchive/libarchive"
>>> +                                 "/releases/download/v" version "/libarchive-"
>>> +                                 version ".tar.xz")))
>>
>> In light of the xz backdoor, perhaps we should just do a git checkout of
>> the v3.6.1 tag rather than the tarballs? Assuming that works, of course.
>
> Not having followed the details, I believe the git checkout contained an
> incomplete part of the malicious code too, from what Joshua Branson (I
> guess the sender is him?) cites from Phoronix
> <https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00002.html>:
>
> jbranso@dismail.de writes:
>> The malicious injection present in the xz versions 5.6.0 and 5.6.1
>> libraries is obfuscated and only included in full in the download package
>> - the Git distribution lacks the M4 macro that triggers the build
>> of the malicious code. The second-stage artifacts are present in
>> the Git repository for the injection during the build time, in
>> case the malicious M4 macro is present.
>
> It doesn’t look like avoiding tarballs gives us more verified code.
>

Well, it removes one step where something can be added. From what I understand release tarballs don't match a git checkout as often build artifacts (from autotools) are added, so it is just another potential attack vector. Indeed, it was only part of the attack here, but I do believe there is general support for trying to favor git checkouts when we can (there is overhead and I think issues for parts in bootstrapping, to get git). Certainly not perfect, but gets us to "just" the source.

One can still do things with access of course.

Thanks Leo for the quick work here and pushing the patch, much appreciated!

John
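The exchange between Florian and John above turns on whether a release tarball carries anything the tagged source does not. The following script is an added illustration of that check and is not code from this thread, from Guix or from libarchive: it unpacks a tarball, lists every file in it that has no counterpart in a checkout of the corresponding tag (the place where generated build scripts slip in), lists files the checkout has but the tarball lacks, and byte-compares the files both trees share. The fixture it runs on is constructed inline (a toy `demo-1.0` tree with a placeholder `m4/generated.m4` and one altered source file); none of those names refer to libarchive or xz.

```shell
#!/bin/sh
# Added example: compare a release tarball against a source checkout.
# Prints one line per discrepancy and returns 1 if anything differs,
# 0 if the two trees are byte-for-byte identical, 2 on setup failure.
compare_tarball_to_checkout() {
    tarball=$1
    checkout=$2
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/tar" && tar -xf "$tarball" -C "$tmp/tar" || { rm -rf "$tmp"; return 2; }
    # Release tarballs unpack into a single top-level directory.
    top=$(ls "$tmp/tar")
    # File lists relative to each tree root; the checkout's .git is not source.
    (cd "$tmp/tar/$top" && find . -type f | LC_ALL=C sort) > "$tmp/tar.lst"
    (cd "$checkout" && find . -type f -not -path './.git/*' | LC_ALL=C sort) > "$tmp/git.lst"

    status=0
    # Files shipped in the tarball that were never under version control.
    LC_ALL=C comm -23 "$tmp/tar.lst" "$tmp/git.lst" > "$tmp/only-tar"
    while read -r f; do
        printf 'tarball-only: %s\n' "$f"; status=1
    done < "$tmp/only-tar"
    # Files in the checkout that the tarball dropped.
    LC_ALL=C comm -13 "$tmp/tar.lst" "$tmp/git.lst" > "$tmp/only-git"
    while read -r f; do
        printf 'checkout-only: %s\n' "$f"; status=1
    done < "$tmp/only-git"
    # Files present in both trees whose contents differ.
    LC_ALL=C comm -12 "$tmp/tar.lst" "$tmp/git.lst" > "$tmp/both"
    while read -r f; do
        cmp -s "$tmp/tar/$top/$f" "$checkout/$f" || { printf 'differs: %s\n' "$f"; status=1; }
    done < "$tmp/both"
    rm -rf "$tmp"
    return $status
}

# Constructed fixture (placeholder names, nothing from a real project): a
# "checkout" of a release tag, and a "release tarball" built from it with one
# extra generated file and one modified source file. Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/checkout/src" "$root/checkout/m4"
    printf 'AC_INIT([demo], [1.0])\n' > "$root/checkout/configure.ac"
    printf 'int main(void) { return 0; }\n' > "$root/checkout/src/main.c"
    printf 'dnl committed macro\n' > "$root/checkout/m4/committed.m4"
    cp -R "$root/checkout" "$root/demo-1.0"
    printf 'dnl generated at release time\n' > "$root/demo-1.0/m4/generated.m4"
    printf 'int main(void) { return 1; }\n' > "$root/demo-1.0/src/main.c"
    (cd "$root" && tar -cf demo-1.0.tar demo-1.0)
    rm -rf "$root/demo-1.0"
    printf '%s\n' "$root"
}

# Usage: run the check on the constructed fixture.
root=$(make_fixture)
if compare_tarball_to_checkout "$root/demo-1.0.tar" "$root/checkout"; then
    echo "tarball matches checkout"
else
    echo "tarball and checkout differ; review the lines above before packaging"
fi
rm -rf "$root"
```

On the fixture this reports `tarball-only: ./m4/generated.m4` and `differs: ./src/main.c`. For a real package, point it at the downloaded tarball and a checkout of the matching tag; a clean run is no proof that the source is benign, only that the tarball adds nothing on top of what is in version control, which is exactly the step Florian and John were weighing.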
diff --git a/gnu/local.mk b/gnu/local.mk index f2b480bded..68c6851402 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1575,6 +1575,7 @@ dist_patch_DATA = \ %D%/packages/patches/liba52-use-mtune-not-mcpu.patch \ %D%/packages/patches/libaio-32bit-test.patch \ %D%/packages/patches/libaio-riscv-test5.patch \ + %D%/packages/patches/libarchive-remove-potential-backdoor.patch \ %D%/packages/patches/libbase-fix-includes.patch \ %D%/packages/patches/libbase-use-own-logging.patch \ %D%/packages/patches/libbonobo-activation-test-race.patch \ diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index 604102bc7b..5dfdfe7dd4 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm @@ -259,6 +259,7 @@ (define-public hdup (define-public libarchive (package (name "libarchive") + (replacement libarchive/fixed) (version "3.6.1") (source (origin @@ -347,6 +348,24 @@ (define-public libarchive @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.") (license license:bsd-2))) +(define-public libarchive/fixed + (package + (inherit libarchive) + (version "3.6.1") + (source + (origin + (method url-fetch) + (uri (list (string-append "https://libarchive.org/downloads/libarchive-" + version ".tar.xz") + (string-append "https://github.com/libarchive/libarchive" + "/releases/download/v" version "/libarchive-" + version ".tar.xz"))) + (patches (search-patches "libarchive-remove-potential-backdoor.patch")) + (sha256 + (base32 + "1rj8q5v26lxxr8x4b4nqbrj7p06qvl91hb8cdxi3xx3qp771lhas")))))) + + (define-public rdup (package (name "rdup") diff --git a/gnu/packages/patches/libarchive-remove-potential-backdoor.patch b/gnu/packages/patches/libarchive-remove-potential-backdoor.patch new file mode 100644 index 0000000000..2b9a9e2ffe --- /dev/null +++ b/gnu/packages/patches/libarchive-remove-potential-backdoor.patch 
@@ -0,0 +1,47 @@ +Remove code added by 'JiaT75', the malicious actor that backdoored `xz`: + +https://github.com/libarchive/libarchive/pull/2101 + +At libarchive, they are reviewing all code contributed by this actor: + +https://github.com/libarchive/libarchive/issues/2103 + +See the original disclosure and subsequent discussion for more +information about this incident: + +https://seclists.org/oss-sec/2024/q1/268 + +Patch copied from upstream source repository: + +https://github.com/libarchive/libarchive/pull/2101/commits/e200fd8abfb4cf895a1cab4d89b67e6eefe83942 + +From 6110e9c82d8ba830c3440f36b990483ceaaea52c Mon Sep 17 00:00:00 2001 +From: Ed Maste <emaste@freebsd.org> +Date: Fri, 29 Mar 2024 18:02:06 -0400 +Subject: [PATCH] tar: make error reporting more robust and use correct errno + (#2101) + +As discussed in #1609. +--- + tar/read.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tar/read.c b/tar/read.c +index af3d3f42..a7f14a07 100644 +--- a/tar/read.c ++++ b/tar/read.c +@@ -371,8 +371,9 @@ read_archive(struct bsdtar *bsdtar, char mode, struct archive *writer) + if (r != ARCHIVE_OK) { + if (!bsdtar->verbose) + safe_fprintf(stderr, "%s", archive_entry_pathname(entry)); +- fprintf(stderr, ": %s: ", archive_error_string(a)); +- fprintf(stderr, "%s", strerror(errno)); ++ safe_fprintf(stderr, ": %s: %s", ++ archive_error_string(a), ++ strerror(archive_errno(a))); + if (!bsdtar->verbose) + fprintf(stderr, "\n"); + bsdtar->return_value = 1; +-- +2.41.0 +
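Review bot: in the `libarchive/fixed` hunk of gnu/packages/backup.scm, the `source` field restates the parent's version, both download URIs and the sha256 by hand even though the package already has `(inherit libarchive)`; deriving the origin from the parent keeps the two in sync if the upstream URL or hash is ever changed, and makes the `(version "3.6.1")` line redundant:
  (source (origin
            (inherit (package-source libarchive))
            (patches (search-patches "libarchive-remove-potential-backdoor.patch"))))
Because this variant is wired in as a `replacement` (a graft), it must keep the same ABI as the original; the patch it carries changes only tar/read.c, the bsdtar front end, so the shared library is unchanged and grafting is the right mechanism. Minor: the two added blank lines before `(define-public rdup` leave a double blank where the file otherwise separates definitions with one.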
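Review bot: for the tar/read.c hunk inside libarchive-remove-potential-backdoor.patch, the annotation header should say in one sentence that the change is confined to the bsdtar front end (`tar/read.c`, `1 file changed`), since that is what makes it safe to ship as a graft: libarchive.so is unchanged, dependents that only link the library get no code change, and only the bsdtar binary differs. The rest of the header is what a vendored security patch should carry, naming the upstream PR, the tracking issue, the disclosure thread and the exact upstream commit so the file can be diffed against upstream. On the change itself, two points a reviewer should verify rather than take from the subject line: `strerror(archive_errno(a))` reports the errno libarchive recorded when the entry failed, whereas the removed `strerror(errno)` read the global `errno` after an intervening `fprintf` that may itself have changed it; and routing the whole message through `safe_fprintf` instead of plain `fprintf` gives the text from `archive_error_string(a)` the same non-printable-character escaping that the pathname on the preceding line already gets, instead of writing it to the terminal raw.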