gnu: libarchive: Replace with libarchive 3.3.3 and fix CVE-2018-{1000877,1000878,1000880}.

* gnu/packages/backup.scm (libarchive)[source, home-page]: Use HTTPS. [replacement]: New field. (libarchive-3.3.3): New variable. * gnu/packages/patches/libarchive-CVE-2018-1000877.patch, gnu/packages/patches/libarchive-CVE-2018-1000878.patch, gnu/packages/patches/libarchive-CVE-2018-1000880.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them.
2025-07-17 12:30:38 +02:00 · 2019-01-05 23:20:41 +08:00 · 2019-01-05 23:20:41 +08:00 · c824dedf71
commit c824dedf71
parent b7ec276e57
5 changed files with 206 additions and 3 deletions
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@ -12,6 +12,7 @@
 ;;; Copyright © 2018 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2018 Oleg Pykhalov <go.wigust@gmail.com>
 ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2019 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@ -194,11 +195,12 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
  (package
    (name "libarchive")
+    (replacement libarchive-3.3.3)
    (version "3.3.2")
    (source
     (origin
       (method url-fetch)
-       (uri (string-append "http://libarchive.org/downloads/libarchive-"
+       (uri (string-append "https://libarchive.org/downloads/libarchive-"
                           version ".tar.gz"))
       (patches (search-patches "libarchive-CVE-2017-14166.patch"
                                "libarchive-CVE-2017-14502.patch"))
@ -258,7 +260,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
       ;; libarchive/test/test_write_format_gnutar_filenames.c needs to be
       ;; compiled with C99 or C11 or a gnu variant.
       #:configure-flags '("CFLAGS=-O2 -g -std=c99")))
-    (home-page "http://libarchive.org/")
+    (home-page "https://libarchive.org/")
    (synopsis "Multi-format archive and compression library")
    (description
     "Libarchive provides a flexible interface for reading and writing
@ -270,6 +272,22 @@ archive.  In particular, note that there is currently no built-in support for
 random access nor for in-place modification.")
    (license license:bsd-2)))

+(define-public libarchive-3.3.3
+  (package
+    (inherit libarchive)
+    (version "3.3.3")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://libarchive.org/downloads/libarchive-"
+                           version ".tar.gz"))
+       (patches (search-patches "libarchive-CVE-2018-1000877.patch"
+                                "libarchive-CVE-2018-1000878.patch"
+                                "libarchive-CVE-2018-1000880.patch"))
+       (sha256
+        (base32
+         "0bhfncid058p7n1n8v29l6wxm3mhdqfassscihbsxfwz3iwb2zms"))))))
+
 (define-public rdup
  (package
    (name "rdup")