guix-devel

libarchive security fixes (was Re: Core-updates timeline)


From: Leo Famulari
Subject: libarchive security fixes (was Re: Core-updates timeline)
Date: Sun, 2 Oct 2016 16:14:04 -0400
User-agent: Mutt/1.7.0 (2016-08-17)

On Sun, Oct 02, 2016 at 02:50:34PM -0400, Leo Famulari wrote:
> On Sun, Oct 02, 2016 at 03:38:58PM +0200, Ludovic Courtès wrote:
> > We could wait an additional day for libarchive if it’s more convenient,
> > but maybe not longer than that.
> > 
> > What do you think would be the most convenient approach?
> 
> I will send a patch that cherry-picks what I think are the most
> important bug fixes. I can't guess when libarchive 3.2.2 will be
> released.

I've attached a patch.

It cherry-picks some fixes for some filesystem attacks and two overflows
that can be triggered with "crafted" input. The details are in the patch
files.

I understand if this approach of cherry-picking a handful of commits is
not acceptable. It's hard to judge the full impact of taking only these
changes, some of which are quite significant, without being familiar with
the libarchive code.

That's the reason why I've been waiting for a new upstream release. But
I figured I should at least try to get these bug fixes into the next
release of Guix :)

Attachment: 0001-gnu-libarchive-Fix-several-security-issues.patch
Description: Text document

Attachment: signature.asc
Description: PGP signature
