gnu: libarchive: Fix a potential security issue.

https://github.com/libarchive/libarchive/pull/2101

* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive/fixed): New variable.
* gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.

Change-Id: I939e9b842b10d1a78125da4a4599c38d9c037079

gnu/local.mk

@@ -1575,6 +1575,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
   %D%/packages/patches/libaio-32bit-test.patch                  \
   %D%/packages/patches/libaio-riscv-test5.patch			\
+  %D%/packages/patches/libarchive-remove-potential-backdoor.patch	\
   %D%/packages/patches/libbase-fix-includes.patch		\
   %D%/packages/patches/libbase-use-own-logging.patch		\
   %D%/packages/patches/libbonobo-activation-test-race.patch	\

gnu/packages/backup.scm

@@ -259,6 +259,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
+    (replacement libarchive/fixed)
     (version "3.6.1")
     (source
      (origin
@@ -347,6 +348,25 @@ random access nor for in-place modification.  This package provides the
 @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
     (license license:bsd-2)))
 
+(define-public libarchive/fixed
+ (hidden-package
+  (package
+    (inherit libarchive)
+    (version "3.6.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
+                                 version ".tar.xz")
+                  (string-append "https://github.com/libarchive/libarchive"
+                                 "/releases/download/v" version "/libarchive-"
+                                 version ".tar.xz")))
+       (patches (search-patches "libarchive-remove-potential-backdoor.patch"))
+       (sha256
+        (base32
+         "1rj8q5v26lxxr8x4b4nqbrj7p06qvl91hb8cdxi3xx3qp771lhas")))))))
+
+
 (define-public rdup
   (package
     (name "rdup")

gnu/packages/patches/libarchive-remove-potential-backdoor.patch

@@ -0,0 +1,47 @@
+Remove code added by 'JiaT75', the malicious actor that backdoored `xz`:
+
+https://github.com/libarchive/libarchive/pull/2101
+
+At libarchive, they are reviewing all code contributed by this actor:
+
+https://github.com/libarchive/libarchive/issues/2103
+
+See the original disclosure and subsequent discussion for more
+information about this incident:
+
+https://seclists.org/oss-sec/2024/q1/268
+
+Patch copied from upstream source repository:
+
+https://github.com/libarchive/libarchive/pull/2101/commits/e200fd8abfb4cf895a1cab4d89b67e6eefe83942
+
+From 6110e9c82d8ba830c3440f36b990483ceaaea52c Mon Sep 17 00:00:00 2001
+From: Ed Maste <emaste@freebsd.org>
+Date: Fri, 29 Mar 2024 18:02:06 -0400
+Subject: [PATCH] tar: make error reporting more robust and use correct errno
+ (#2101)
+
+As discussed in #1609.
+---
+ tar/read.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tar/read.c b/tar/read.c
+index af3d3f42..a7f14a07 100644
+--- a/tar/read.c
++++ b/tar/read.c
+@@ -371,8 +371,9 @@ read_archive(struct bsdtar *bsdtar, char mode, struct archive *writer)
+ 			if (r != ARCHIVE_OK) {
+ 				if (!bsdtar->verbose)
+ 					safe_fprintf(stderr, "%s", archive_entry_pathname(entry));
+-				fprintf(stderr, ": %s: ", archive_error_string(a));
+-				fprintf(stderr, "%s", strerror(errno));
++				safe_fprintf(stderr, ": %s: %s",
++				    archive_error_string(a),
++				    strerror(archive_errno(a)));
+ 				if (!bsdtar->verbose)
+ 					fprintf(stderr, "\n");
+ 				bsdtar->return_value = 1;
+-- 
+2.41.0
+