guix/gnu/packages/patches/libarchive-remove-potential...

Remove code added by 'JiaT75', the malicious actor that backdoored `xz`:

https://github.com/libarchive/libarchive/pull/2101

At libarchive, they are reviewing all code contributed by this actor:

https://github.com/libarchive/libarchive/issues/2103

See the original disclosure and subsequent discussion for more
information about this incident:

https://seclists.org/oss-sec/2024/q1/268

Patch copied from upstream source repository:

https://github.com/libarchive/libarchive/pull/2101/commits/e200fd8abfb4cf895a1cab4d89b67e6eefe83942

From 6110e9c82d8ba830c3440f36b990483ceaaea52c Mon Sep 17 00:00:00 2001
From: Ed Maste <emaste@freebsd.org>
Date: Fri, 29 Mar 2024 18:02:06 -0400
Subject: [PATCH] tar: make error reporting more robust and use correct errno
 (#2101)

As discussed in #1609.
---
 tar/read.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tar/read.c b/tar/read.c
index af3d3f42..a7f14a07 100644
--- a/tar/read.c
+++ b/tar/read.c
@@ -371,8 +371,9 @@ read_archive(struct bsdtar *bsdtar, char mode, struct archive *writer)
 			if (r != ARCHIVE_OK) {
 				if (!bsdtar->verbose)
 					safe_fprintf(stderr, "%s", archive_entry_pathname(entry));
-				fprintf(stderr, ": %s: ", archive_error_string(a));
-				fprintf(stderr, "%s", strerror(errno));
+				safe_fprintf(stderr, ": %s: %s",
+				    archive_error_string(a),
+				    strerror(archive_errno(a)));
 				if (!bsdtar->verbose)
 					fprintf(stderr, "\n");
 				bsdtar->return_value = 1;
-- 
2.41.0
gnu: libarchive: Fix a potential security issue. https://github.com/libarchive/libarchive/pull/2101 * gnu/packages/backup.scm (libarchive)[replacement]: New field. (libarchive/fixed): New variable. * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Change-Id: I939e9b842b10d1a78125da4a4599c38d9c037079 2024-03-31 20:28:43 +00:00			Remove code added by 'JiaT75', the malicious actor that backdoored `xz`:

			`https://github.com/libarchive/libarchive/pull/2101`

			`At libarchive, they are reviewing all code contributed by this actor:`

			`https://github.com/libarchive/libarchive/issues/2103`

			`See the original disclosure and subsequent discussion for more`
			`information about this incident:`

			`https://seclists.org/oss-sec/2024/q1/268`

			`Patch copied from upstream source repository:`

			`https://github.com/libarchive/libarchive/pull/2101/commits/e200fd8abfb4cf895a1cab4d89b67e6eefe83942`

			`From 6110e9c82d8ba830c3440f36b990483ceaaea52c Mon Sep 17 00:00:00 2001`
			`From: Ed Maste <emaste@freebsd.org>`
			`Date: Fri, 29 Mar 2024 18:02:06 -0400`
			`Subject: [PATCH] tar: make error reporting more robust and use correct errno`
			`(#2101)`

			`As discussed in #1609.`
			`---`
			`tar/read.c \| 5 +++--`
			`1 file changed, 3 insertions(+), 2 deletions(-)`

			`diff --git a/tar/read.c b/tar/read.c`
			`index af3d3f42..a7f14a07 100644`
			`--- a/tar/read.c`
			`+++ b/tar/read.c`
			`@@ -371,8 +371,9 @@ read_archive(struct bsdtar bsdtar, char mode, struct archive writer)`
			`if (r != ARCHIVE_OK) {`
			`if (!bsdtar->verbose)`
			`safe_fprintf(stderr, "%s", archive_entry_pathname(entry));`
			`- fprintf(stderr, ": %s: ", archive_error_string(a));`
			`- fprintf(stderr, "%s", strerror(errno));`
			`+ safe_fprintf(stderr, ": %s: %s",`
			`+ archive_error_string(a),`
			`+ strerror(archive_errno(a)));`
			`if (!bsdtar->verbose)`
			`fprintf(stderr, "\n");`
			`bsdtar->return_value = 1;`
			`--`
			`2.41.0`