Hi! Leo Famulari <l...@famulari.name> wrote:

> On Sun, Oct 02, 2016 at 02:50:34PM -0400, Leo Famulari wrote:
>> On Sun, Oct 02, 2016 at 03:38:58PM +0200, Ludovic Courtès wrote:
>> > We could wait an additional day for libarchive if it’s more convenient,
>> > but maybe not longer than that.
>> >
>> > What do you think would be the most convenient approach?
>>
>> I will send a patch that cherry-picks what I think are the most
>> important bug fixes. I can't guess when libarchive 3.2.2 will be
>> released.
>
> I've attached a patch.
>
> It cherry-picks some fixes for some filesystem attacks and two overflows
> that can be triggered with "crafted" input. The details are in the patch
> files.
>
> I understand if this approach of cherry-picking a handful of commits is
> not acceptable. It's hard to judge the full impact of taking only these
> changes, some of which are quite significant, without being familiar with
> the libarchive code.
>
> That's the reason why I've been waiting for a new upstream release. But
> I figured I should at least try to get these bug fixes into the next
> release of Guix :)

Sounds reasonable. :-)

> From 042d5a7df4962c3b81fbfefa0027b6f1cf356b5f Mon Sep 17 00:00:00 2001
> From: Leo Famulari <l...@famulari.name>
> Date: Sun, 2 Oct 2016 15:58:06 -0400
> Subject: [PATCH] gnu: libarchive: Fix several security issues.
>
> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> (libarchive/fixed): New variable.
> * gnu/packages/patches/libarchive-7zip-heap-overflow.patch,
> gnu/packages/patches/libarchive-fix-symlink-check.patch,
> gnu/packages/patches/libarchive-fix-filesystem-attacks.patch,
> gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.

Don’t they have a CVE assigned? If so, please make sure to name them
accordingly.

Otherwise LGTM. I won’t pretend to have a precise understanding of the
impact of these bugs, but clearly they can be triggered with
specially-crafted input, which sounds bad. So better have these fixes.

Thank you!

Ludo’.