Discussion:
Bug#1068106: bookworm-pu: package libarchive/3.6.2-1+deb12u1
Add Reply
Peter Pentchev
2024-03-30 19:00:01 UTC
Reply
Permalink
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ***@packages.debian.org, ***@debian.org
Control: affects -1 + src:libarchive
User: ***@packages.debian.org
Usertags: pu

[ Reason ]
Revert a change made by the same person that smuggled
the backdoor into xz. See #1068047 for more details.

[ Impact ]
In the discussion in the upstream bugtracker, the consensus is that
the reverted change may not really introduce any vulnerability, but
still some concerns were expressed regarding some unlikely scenarios.
It might be a safer bet to revert it, just in case.

[ Tests ]
None yet.

[ Risks ]
The change reverting the previous one is straightforward, limited to
a specific piece of code (specific error logging in
the bsdtar(1) command-line tool), and changes the source code back to
using the same error reporting functions that are used elsewhere
throughout the bsdtar and libarchive source code. Thus, IMHO the risks
are negligible, if any.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Introduce a patch that uses libarchive's own error reporting functions
instead of unchecked fprintf().
Debian Bug Tracking System
2024-03-30 19:00:01 UTC
Reply
Permalink
Post by Peter Pentchev
affects -1 + src:libarchive
Bug #1068106 [release.debian.org] bookworm-pu: package libarchive/3.6.2-1+deb12u1
Added indication that 1068106 affects src:libarchive
--
1068106: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068106
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Peter Pentchev
2024-03-31 10:10:01 UTC
Reply
Permalink
Post by Peter Pentchev
Package: release.debian.org
Severity: normal
Tags: bookworm
Control: affects -1 + src:libarchive
Usertags: pu
[ Reason ]
Revert a change made by the same person that smuggled
the backdoor into xz. See #1068047 for more details.
[ Impact ]
In the discussion in the upstream bugtracker, the consensus is that
the reverted change may not really introduce any vulnerability, but
still some concerns were expressed regarding some unlikely scenarios.
It might be a safer bet to revert it, just in case.
Right, so it seems that I was a bit impatient filing this bug, right
after I got the "processing" e-mail from the archive for libarchive-3.7.2-2
in unstable, but before I got the "accepted" one... and before I had
noticed the d-d-a e-mail about the paused archive processing.

So yeah, this is still a pre-upload approval request, but it will
apparently need to wait until 3.7.2-2 makes it into unstable :)

Thanks in advance, and sorry for the bother!

G'luck,
Peter
--
Peter Pentchev ***@ringlet.net ***@debian.org ***@storpool.com
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
Jonathan Wiltshire
2024-04-06 21:40:02 UTC
Reply
Permalink
Control: tag -1 confirmed

Hi,
Post by Peter Pentchev
[ Reason ]
Revert a change made by the same person that smuggled
the backdoor into xz. See #1068047 for more details.
Please go ahead. However I wonder if you also want to wait for a patch for
https://github.com/libarchive/libarchive/issues/2107 and include that? If
so please un-confirm this bug and provide an updated debdiff when ready.

Thanks,
--
Jonathan Wiltshire ***@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Debian Bug Tracking System
2024-04-06 21:40:02 UTC
Reply
Permalink
Post by Jonathan Wiltshire
tag -1 confirmed
Bug #1068106 [release.debian.org] bookworm-pu: package libarchive/3.6.2-1+deb12u1
Added tag(s) confirmed.
--
1068106: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068106
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Jonathan Wiltshire
2024-09-03 07:50:01 UTC
Reply
Permalink
Hi,

This request was approved for 12.6 but not uploaded in time; is it still
relevant for 12.7?

Thanks,
--
Jonathan Wiltshire ***@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Salvatore Bonaccorso
2024-11-09 09:10:01 UTC
Reply
Permalink
hi Peter,
Post by Jonathan Wiltshire
Hi,
This request was approved for 12.6 but not uploaded in time; is it still
relevant for 12.7?
Can you rebase your changes post 12.8 to have it included in 12.9?

Regards,
Salvatore
Salvatore Bonaccorso
2025-02-28 20:10:02 UTC
Reply
Permalink
Hi Peter,
Post by Salvatore Bonaccorso
hi Peter,
Post by Jonathan Wiltshire
Hi,
This request was approved for 12.6 but not uploaded in time; is it still
relevant for 12.7?
Can you rebase your changes post 12.8 to have it included in 12.9?
There is an upcoming point release for bookworm soon, are you still
interested in getting that in?

Regards,
Salvatore

Loading...