apteryx pushed a commit to branch master
in repository guix.
commit a6dab6e9156db469c65fb5334df8cc8735ca6897
Author: Liliana Marie Prikler <[email protected]>
AuthorDate: Sat Nov 9 15:27:49 2024 +0100
gnu: libarchive: Graft to 3.7.7. [security fixes]
* gnu/packages/backup.scm (libarchive): Add replacement with
libarchive/fixed.
(libarchive/fixed): New variable.
Fixes: Out of bounds access in ZIP files [CVE-2024-37407].
Fixes: Out of bounds access in RAR files [CVE-2024-48957, CVE-2024-48958].
Fixes: Race condition in multi-threaded systems [CVE-2023-30571].
Fixes: NULL pointer dereference [CVE-2022-36227].
Signed-off-by: Maxim Cournoyer <[email protected]>
---
gnu/packages/backup.scm | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 0973c5ddca..22c1ef64e9 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -262,6 +262,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
(define-public libarchive
(package
(name "libarchive")
+ (replacement libarchive/fixed)
(version "3.6.1")
(source
(origin
@@ -351,6 +352,22 @@ random access nor for in-place modification. This package
provides the
@command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
(license license:bsd-2)))
+(define-public libarchive/fixed
+ (package
+ (inherit libarchive)
+ (version "3.7.7")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "https://libarchive.org/downloads/libarchive-";
+ version ".tar.xz")
+ (string-append "https://github.com/libarchive/libarchive";
+ "/releases/download/v" version "/libarchive-"
+ version ".tar.xz")))
+ (sha256
+ (base32
+ "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7"))))))
+
(define-public rdup
(package
(name "rdup")
