tar: make error reporting more robust and use correct errno #2101
Conversation
|
Beat me to it. I'm very glad to see someone more qualified take this on @emaste ... thank you for your hard work on FreeBSD |
|
One more note: this is particular usage is probably fine because bsdtar is a utility rather than part of the library component of libarchive, but you unfortunately can't use strerror() in libraries (or threaded applications) because it's not threadsafe. Awkward workarounds are generally required like this or this. So beware: it's one of those tempting APIs that's almost impossible to use correctly except in single-threaded programs. |
|
Are there plans to backport this fix to older releases? |
That may well be the case (I don't know much about coding tbh), but it's highly suspicious, because it was added in #1609, created by a known bad actor (JiaT75 recently snuck a backdoor into XZ, over a series of commits, after contributing for over a year and eventually becoming a co-maintainer) Once again, I don't know much about coding, and I definitely don't understand the specific change. I do wonder though whether it could have set the stage for an obfuscated attempt to insert malware (EDIT: or a vulnerability that a malicious program could then exploit) |
Pretty unlikely; would too hard to abuse it. |
| archive_error_string(a), | ||
| strerror(archive_errno(a))); |
There was a problem hiding this comment.
These changes have mixed whitespace. Someone should probably replace the new added spaces with tabs.
There was a problem hiding this comment.
this follows FreeBSD style(9): tabs are 8, 2nd level indent is 4 spaces.
https://man.freebsd.org/cgi/man.cgi?query=style&sektion=9
|
Are there OS-level patches going to be issued to distribute these corrections to the general public? |
…sdtar_1561 Added error text to warning when untaring with bsdtar
|
hell yeah |
|
Thanks @emaste for the quick fix. Will there be a new release with this fix included soon? |
libarchive/libarchive#2101 * gnu/packages/backup.scm (libarchive)[replacement]: New field. (libarchive/fixed): New variable. * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Change-Id: I939e9b842b10d1a78125da4a4599c38d9c037079
l/imagemagick-7.1.1_30-x86_64-1.txz: Upgraded.
l/libarchive-3.7.3-x86_64-1.txz: Upgraded.
This update fixes a security issue:
Fix possible vulnerability in tar error reporting introduced in f27c173
by JiaT75.
For more information, see:
libarchive/libarchive@f27c173
libarchive/libarchive#2101
(* Security fix *)
n/net-snmp-5.9.4-x86_64-3.txz: Rebuilt.
[PATCH] Add Linux 6.7 compatibility parsing /proc/net/snmp.
Thanks to walecha.
n/rsync-3.3.0-x86_64-1.txz: Upgraded.
x/xorg-sgml-doctools-1.12.1-x86_64-1.txz: Upgraded.
xap/gimp-2.10.36-x86_64-3.txz: Rebuilt.
[PATCH] QuitDialog: disconnect signal handler on dialog destroy.
This fixes a crash on quit.
Thanks to USUARIONUEVO.
xap/xlockmore-5.77-x86_64-1.txz: Upgraded.
As discussed in #1609.