~ruther/guix-local

94d671f673d184691cb13d36203e109c13cd4859 — Leo Famulari 8 years ago 5a7deb1 
gnu: libarchive: Replace with libarchive 3.3.2 and fix CVE-2017-14166.

* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive-3.3.2): New variable.
* gnu/packages/patches/libarchive-CVE-2017-14166.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
patch browse .tar.gz 
3 files changed, 51 insertions(+), 4 deletions(-)

M gnu/local.mk
M gnu/packages/backup.scm
A gnu/packages/patches/libarchive-CVE-2017-14166.patch

M gnu/local.mk => gnu/local.mk +1 -0
@@ 752,6 752,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/liba52-link-with-libm.patch		\
  %D%/packages/patches/liba52-set-soname.patch			\
  %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
  %D%/packages/patches/libarchive-CVE-2017-14166.patch		\
  %D%/packages/patches/libbase-fix-includes.patch		\
  %D%/packages/patches/libbase-use-own-logging.patch		\
  %D%/packages/patches/libbonobo-activation-test-race.patch	\


M gnu/packages/backup.scm => gnu/packages/backup.scm +5 -4
@@ 184,6 184,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
(define-public libarchive
  (package
    (name "libarchive")
    (replacement libarchive-3.3.2)
    (version "3.3.1")
    (source
     (origin


@@ 239,19 240,19 @@ archive.  In particular, note that there is currently no built-in support for
random access nor for in-place modification.")
    (license license:bsd-2)))

(define libarchive-3.3.1
(define libarchive-3.3.2
  (package
    (inherit libarchive)
    (name "libarchive")
    (version "3.3.1")
    (version "3.3.2")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "http://libarchive.org/downloads/libarchive-"
                           version ".tar.gz"))
       (patches (search-patches "libarchive-CVE-2017-14166.patch"))
       (sha256
        (base32
         "1rr40hxlm9vy5z2zb5w7pyfkgd1a4s061qapm83s19accb8mpji9"))))))
         "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd"))))))

(define-public rdup
  (package


A gnu/packages/patches/libarchive-CVE-2017-14166.patch => gnu/packages/patches/libarchive-CVE-2017-14166.patch +45 -0
@@ 0,0 1,45 @@
Fix CVE-2017-14166:

https://github.com/libarchive/libarchive/issues/935
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166

Patch copied from upstream source repository:

https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71

From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001
From: Joerg Sonnenberger <joerg@bec.de>
Date: Tue, 5 Sep 2017 18:12:19 +0200
Subject: [PATCH] Do something sensible for empty strings to make fuzzers
 happy.

---
 libarchive/archive_read_support_format_xar.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
index 7a22beb9d..93eeacc5e 100644
--- a/libarchive/archive_read_support_format_xar.c
+++ b/libarchive/archive_read_support_format_xar.c
@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
 	uint64_t l;
 	int digit;
 
+	if (char_cnt == 0)
+		return (0);
+
 	l = 0;
 	digit = *p - '0';
 	while (digit >= 0 && digit < 10  && char_cnt-- > 0) {
@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
 {
 	int64_t l;
 	int digit;
-        
+
+	if (char_cnt == 0)
+		return (0);
+
 	l = 0;
 	while (char_cnt-- > 0) {
 		if (*p >= '0' && *p <= '7')