Your message dated Sun, 31 Mar 2024 10:46:58 +0000
with message-id <e1rqsii-004ykk...@fasolo.debian.org>
and subject line Bug#1068047: fixed in libarchive 3.7.2-2
has caused the Debian Bug report #1068047,
regarding Suspicious commit merged in 2021 from account responsible for xz backdoor
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068047: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068047
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libarchive13t64
Version: 3.7.2-1.1
Severity: important
X-Debbugs-Cc: r...@debian.org

So far it looks like no one has been able to figure out an obvious way
for this to be exploitable, but I wanted to make sure that you were
aware of this upstream issue:

https://github.com/libarchive/libarchive/pull/1609

The author of this commit is the same GitHub account that was used to
create the xz backdoor. Upstream has merged a revert of this change at:

https://github.com/libarchive/libarchive/pull/2101

It may be worth expediting getting this change into Debian in case the
potential attacker knows something that we don't. However, I don't have
any reason to currently believe that this is a security vulnerability,
so I've kept the severity at important and not applied the security tag.


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'unstable-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.7.9-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libarchive13t64 depends on:
ii  libacl1        2.3.2-1
ii  libbz2-1.0     1.0.8-5.1
ii  libc6          2.37-15.1
ii  liblz4-1       1.9.4-1+b2
ii  liblzma5       5.6.1+really5.4.5-1
ii  libnettle8t64  3.9.1-2.2
ii  libxml2        2.9.14+dfsg-1.3+b2
ii  libzstd1       1.5.5+dfsg2-2
ii  zlib1g         1:1.3.dfsg-3.1

libarchive13t64 recommends no packages.

Versions of packages libarchive13t64 suggests:
pn  lrzip  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: libarchive
Source-Version: 3.7.2-2
Done: Peter Pentchev <r...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Pentchev <r...@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 30 Mar 2024 20:11:06 +0200
Source: libarchive
Architecture: source
Version: 3.7.2-2
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <r...@debian.org>
Changed-By: Peter Pentchev <r...@debian.org>
Closes: 1068047
Changes:
 libarchive (3.7.2-2) unstable; urgency=medium
 .
   [ Luca Boccassi ]
   * libarchive-dev: depend on -dev packages in an attempt to
     fix pkg-config --static --libs
     Addresses: 1056317; more work needed on libarchive's own
     configure tests
 .
   [ Peter Pentchev ]
   * Acknowledge Lukas Märdian 64-bit-time_t-related NMU. Thanks!
   * Add the year 2024 to my debian/* copyright notice.
   * Re-sort the dependencies lists in the debian/control file.
   * Switch the pkg-config dependency over to pkgconf.
   * Add the robust-error-reporting upstream patch. Closes: #1068047
Checksums-Sha1:
 a9840b89785c21b07962f5560890a62b70f17b54 2714 libarchive_3.7.2-2.dsc
 d8a0948b6814ee525e85ec44003af28470f84f15 27352 libarchive_3.7.2-2.debian.tar.xz
Checksums-Sha256:
 9fd4fe779a50bf73660bf59b3af0c6c8cbe32bcb48b4b8922eb23cd90d9bde9c 2714 libarchive_3.7.2-2.dsc
 cb596068a92fe55060ea5e46a5da8c9e9cd37b03a17bff7bc3cea62baa1c455e 27352 libarchive_3.7.2-2.debian.tar.xz
Files:
 dec84a91f32a212810d5a4072bc0fb15 2714 libs optional libarchive_3.7.2-2.dsc
 a09a0817264db40619efeacb80a8d304 27352 libs optional libarchive_3.7.2-2.debian.tar.xz



--- End Message ---