Re: libarchive security fixes (was Re: Core-updates timeline)

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: libarchive security fixes (was Re: Core-updates timeline)

From:	Ludovic Courtès
Subject:	Re: libarchive security fixes (was Re: Core-updates timeline)
Date:	Mon, 03 Oct 2016 18:10:10 +0200
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Hi!

Leo Famulari <address@hidden> skribis:

> On Sun, Oct 02, 2016 at 02:50:34PM -0400, Leo Famulari wrote:
>> On Sun, Oct 02, 2016 at 03:38:58PM +0200, Ludovic Courtès wrote:
>> > We could wait an additional day for libarchive if it’s more convenient,
>> > but maybe not longer than that.
>> > 
>> > What do you think would be the most convenient approach?
>> 
>> I will send a patch that cherry-picks what I think are the most
>> important bug fixes. I can't guess when libarchive 3.2.2 will be
>> released.
>
> I've attached a patch.
>
> It cherry-picks some fixes for some filesystem attacks and two overflows
> that can be triggered with "crafted" input. The details are in the patch
> files.
>
> I understand if this approach of cherry-picking a handful of commits is
> not acceptable. It's hard to judge the full impact of taking only these
> changes, some of which a quite significant, without being familiar with
> the libarchive code.
>
> That's the reason why I've been waiting for a new upstream release. But
> I figured I should at least try to get these bug fixes into the next
> release of Guix :)

Sounds reasonable.  :-)

> From 042d5a7df4962c3b81fbfefa0027b6f1cf356b5f Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Sun, 2 Oct 2016 15:58:06 -0400
> Subject: [PATCH] gnu: libarchive: Fix several security issues.
>
> * gnu/packages/backup.scm (libarchive)[replacement]: New field.
> (libarchive/fixed): New variable.
> * gnu/packages/patches/libarchive-7zip-heap-overflow.patch,
> gnu/packages/patches/libarchive-fix-symlink-check.patch,
> gnu/packages/patches/libarchive-fix-filesystem-attacks.patch,
> gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.

Don’t they have a CVE assigned?  If so, please make sure to name them
accordingly.  Otherwise LGTM.

I won’t pretend to have a precise understanding of the impact of these
bugs, but clearly they can be triggered with specially-crafted input,
which sounds bad.  So better have these fixes.

Thank you!

Ludo’.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH 2/2] gnu: perl: Enable threading support., Ludovic Courtès, 2016/10/01
- Core-updates timeline (was: Re: [PATCH 2/2] gnu: perl: Enable threading support.), Leo Famulari, 2016/10/01
  - Re: Core-updates timeline, Ludovic Courtès, 2016/10/02
    - Re: Core-updates timeline, Leo Famulari, 2016/10/02
    - libarchive security fixes (was Re: Core-updates timeline), Leo Famulari, 2016/10/02
    - Re: libarchive security fixes (was Re: Core-updates timeline), Ludovic Courtès <=
    - Re: libarchive security fixes (was Re: Core-updates timeline), Leo Famulari, 2016/10/03
    - Re: Core-updates timeline, Ludovic Courtès, 2016/10/07

Prev by Date: Re: Boostrap tar cannot exec xz
Next by Date: Re: Python: inputs vs. propagated inputs
Previous by thread: libarchive security fixes (was Re: Core-updates timeline)
Next by thread: Re: libarchive security fixes (was Re: Core-updates timeline)
Index(es):
- Date
- Thread