Leo Famulari schreef op vr 05-11-2021 om 12:23 [-0400]: > On Fri, Nov 05, 2021 at 05:14:13AM +0000, phodina via Bug reports for > GNU Guix wrote: > > here's patch for the master branch as I'm not sure what is the > > roadmap for merging core-updates into master. > > > > The obvious downside is that the update triggers large rebuild of > > core packages :-/ > > [...] > > "This flaw allows an attacker who can submit a crafted input file to > tar > to cause uncontrolled consumption of memory. The highest threat from > this vulnerability is to system availability." > > [...] > > For use of tar by Guix users, we could add a new package 'tar-1.34' > and > arrange so that `guix install tar` selects it instead of tar@1.32, > and > so that whatever tar is provided by default on Guix System [1] is > tar-1.34.
I don't think this is sufficient, because some packages keep references to 'tar', e.g. 'hdup'. A solution would be registering the updated tar as a replacement of the somewhat vulnerable tar: (define-public tar (package (name "tar") (version "1.32") (replacement tar/fixed) ...)) (define-public tar/fixed (package (inherit tar) (version "1.34") (source ...))) Greetings, Maxime. -- not hacking on guix for a while, only occassionally looking at IRC logs and bug reports. E-mails are unsigned until backup is located.