bug-guix

bug#47422: tar is vulnerable to CVE-2021-20193


From: Mark H Weaver
Subject: bug#47422: tar is vulnerable to CVE-2021-20193
Date: Sat, 06 Nov 2021 14:12:52 -0400

Hi,

Here's a proposed fix, which I've tested on my own system.
Are there any objections to pushing this to 'master'?

      Thanks,
        Mark

From 5737b91e9979c7df2a76b033f38871c2326ab0f1 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 6 Nov 2021 05:52:24 -0400
Subject: [PATCH] gnu: tar: Replace with 1.34 [fixes CVE-2021-20193].

* gnu/packages/base.scm (tar)[replacement]: New field.
(tar-1.34): New variable.
---
 gnu/packages/base.scm | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index ea2e102c15..77731d3720 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -180,6 +180,7 @@ implementation offers several extensions over the standard 
utility.")
   (package
    (name "tar")
    (version "1.32")
+   (replacement tar-1.34)
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/tar/tar-"
@@ -234,6 +235,21 @@ standard utility.")
    (license gpl3+)
    (home-page "https://www.gnu.org/software/tar/";)))
 
+(define-public tar-1.34  ; fixes CVE-2021-20193
+  (package
+    (inherit tar)
+    (version "1.34")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnu/tar/tar-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "0a0x87anh9chbi2cgcyy7pmnm5hzk4yd1w2j8gm1wplwhwkbvgk3"))
+              (patches
+               (search-patches "tar-skip-unreliable-tests.patch"
+                               "tar-remove-wholesparse-check.patch"))))))
+
 (define-public patch
   (package
    (name "patch")
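Review bot: the `patches` list in the new `tar-1.34` origin (`tar-skip-unreliable-tests.patch`, `tar-remove-wholesparse-check.patch`) is not shown next to the 1.32 origin's list in this diff, so a reviewer cannot tell from the hunk whether it is the same set and whether each patch still applies cleanly to the 1.34 tree; a line in the commit message confirming both, or that `guix build tar-1.34` succeeded from a clean checkout, would settle it. Since the sha256 `0a0x87anh9chbi2cgcyy7pmnm5hzk4yd1w2j8gm1wplwhwkbvgk3` is the only thing binding this graft to upstream's tarball, please also state that it was obtained with `guix download` and that the GNU `.sig` for tar-1.34.tar.xz was verified before the hash was copied in.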
-- 
2.31.1

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.
