Bug#1068106: bookworm-pu: package libarchive/3.6.2-1+deb12u1

[Jonathan Wiltshire]

Control: tag -1 confirmed

Hi,

On Sat, Mar 30, 2024 at 08:51:10PM +0200, Peter Pentchev wrote:
> [ Reason ]
> Revert a change made by the same person that smuggled
> the backdoor into xz. See #1068047 for more details.

Please go ahead. However I wonder if you also want to wait for a patch for
https://github.com/libarchive/libarchive/issues/2107 and include that? If
so please un-confirm this bug and provide an updated debdiff when ready.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Bug#1068106: bookworm-pu: package libarchive/3.6.2-1+deb12u1

[Peter Pentchev]

On Sat, Mar 30, 2024 at 08:51:10PM +0200, Peter Pentchev wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: libarch...@packages.debian.org, r...@debian.org
> Control: affects -1 + src:libarchive
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> [ Reason ]
> Revert a change made by the same person that smuggled
> the backdoor into xz. See #1068047 for more details.
> 
> [ Impact ]
> In the discussion in the upstream bugtracker, the consensus is that
> the reverted change may not really introduce any vulnerability, but
> still some concerns were expressed regarding some unlikely scenarios.
> It might be a safer bet to revert it, just in case.

Right, so it seems that I was a bit impatient filing this bug, right
after I got the "processing" e-mail from the archive for libarchive-3.7.2-2
in unstable, but before I got the "accepted" one... and before I had
noticed the d-d-a e-mail about the paused archive processing.

So yeah, this is still a pre-upload approval request, but it will
apparently need to wait until 3.7.2-2 makes it into unstable :)

Thanks in advance, and sorry for the bother!

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13


signature.asc
Description: PGP signature

Bug#1068106: bookworm-pu: package libarchive/3.6.2-1+deb12u1

[Peter Pentchev]

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libarch...@packages.debian.org, r...@debian.org
Control: affects -1 + src:libarchive
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Revert a change made by the same person that smuggled
the backdoor into xz. See #1068047 for more details.

[ Impact ]
In the discussion in the upstream bugtracker, the consensus is that
the reverted change may not really introduce any vulnerability, but
still some concerns were expressed regarding some unlikely scenarios.
It might be a safer bet to revert it, just in case.

[ Tests ]
None yet.

[ Risks ]
The change reverting the previous one is straightforward, limited to
a specific piece of code (specific error logging in
the bsdtar(1) command-line tool), and changes the source code back to
using the same error reporting functions that are used elsewhere
throughout the bsdtar and libarchive source code. Thus, IMHO the risks
are negligible, if any.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Introduce a patch that uses libarchive's own error reporting functions
instead of unchecked fprintf().
diff -Nru libarchive-3.6.2/debian/changelog libarchive-3.6.2/debian/changelog
--- libarchive-3.6.2/debian/changelog   2022-12-24 23:17:29.0 +0200
+++ libarchive-3.6.2/debian/changelog   2024-03-30 20:36:47.0 +0200
@@ -1,3 +1,9 @@
+libarchive (3.6.2-1+deb12u1) bookworm; urgency=medium
+
+  * Add the robust-error-reporting upstream patch. Closes: #1068047
+
+ -- Peter Pentchev   Sat, 30 Mar 2024 20:36:47 +0200
+
 libarchive (3.6.2-1) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru libarchive-3.6.2/debian/patches/robust-error-reporting.patch 
libarchive-3.6.2/debian/patches/robust-error-reporting.patch
--- libarchive-3.6.2/debian/patches/robust-error-reporting.patch
1970-01-01 02:00:00.0 +0200
+++ libarchive-3.6.2/debian/patches/robust-error-reporting.patch
2024-03-30 20:31:38.0 +0200
@@ -0,0 +1,20 @@
+Description: tar: make error reporting more robust and use correct errno
+Debian-Bug: https://bugs.debian.org/1068047
+Origin: upstream, 
https://github.com/libarchive/libarchive/commit/6110e9c82d8ba830c3440f36b990483ceaaea52c
+Author: Ed Maste 
+Last-Update: 2024-03-30
+
+--- a/tar/read.c
 b/tar/read.c
+@@ -372,8 +372,9 @@
+   if (r != ARCHIVE_OK) {
+   if (!bsdtar->verbose)
+   safe_fprintf(stderr, "%s", 
archive_entry_pathname(entry));
+-  fprintf(stderr, ": %s: ", 
archive_error_string(a));
+-  fprintf(stderr, "%s", strerror(errno));
++  safe_fprintf(stderr, ": %s: %s",
++  archive_error_string(a),
++  strerror(archive_errno(a)));
+   if (!bsdtar->verbose)
+   fprintf(stderr, "\n");
+   bsdtar->return_value = 1;
diff -Nru libarchive-3.6.2/debian/patches/series 
libarchive-3.6.2/debian/patches/series
--- libarchive-3.6.2/debian/patches/series  2022-12-24 23:17:29.0 
+0200
+++ libarchive-3.6.2/debian/patches/series  2024-03-30 20:31:52.0 
+0200
@@ -1,2 +1,3 @@
 typos.patch
 iconv-pkgconfig.patch
+robust-error-reporting.patch


signature.asc
Description: PGP signature