[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#47422: tar is vulnerable to CVE-2021-20193
From: |
Maxime Devos |
Subject: |
bug#47422: tar is vulnerable to CVE-2021-20193 |
Date: |
Fri, 05 Nov 2021 16:50:42 +0000 |
User-agent: |
Evolution 3.38.3-1 |
Leo Famulari schreef op vr 05-11-2021 om 12:23 [-0400]:
> On Fri, Nov 05, 2021 at 05:14:13AM +0000, phodina via Bug reports for
> GNU Guix wrote:
> > here's patch for the master branch as I'm not sure what is the
> > roadmap for merging core-updates into master.
> >
> > The obvious downside is that the update triggers large rebuild of
> > core packages :-/
>
> [...]
>
> "This flaw allows an attacker who can submit a crafted input file to
> tar
> to cause uncontrolled consumption of memory. The highest threat from
> this vulnerability is to system availability."
>
> [...]
>
> For use of tar by Guix users, we could add a new package 'tar-1.34'
> and
> arrange so that `guix install tar` selects it instead of tar@1.32,
> and
> so that whatever tar is provided by default on Guix System [1] is
> tar-1.34.
I don't think this is sufficient, because some packages keep
references to 'tar', e.g. 'hdup'. A solution would be registering
the updated tar as a replacement of the somewhat vulnerable tar:
(define-public tar
(package
(name "tar")
(version "1.32")
(replacement tar/fixed)
...))
(define-public tar/fixed
(package
(inherit tar)
(version "1.34")
(source ...)))
Greetings,
Maxime.
--
not hacking on guix for a while, only occassionally looking at IRC logs
and bug reports. E-mails are unsigned until backup is located.