[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#47422: tar is vulnerable to CVE-2021-20193
|
From: |
Mark H Weaver |
|
Subject: |
bug#47422: tar is vulnerable to CVE-2021-20193 |
|
Date: |
Fri, 05 Nov 2021 16:15:55 -0400 |
Hi Maxime,
Maxime Devos <maximedevos@telenet.be> writes:
> Leo Famulari schreef op vr 05-11-2021 om 12:23 [-0400]:
>> For use of tar by Guix users, we could add a new package 'tar-1.34'
>> and arrange so that `guix install tar` selects it instead of
>> tar@1.32, and so that whatever tar is provided by default on Guix
>> System [1] is tar-1.34.
>
> I don't think this is sufficient, because some packages keep
> references to 'tar', e.g. 'hdup'. A solution would be registering
> the updated tar as a replacement of the somewhat vulnerable tar:
I think this is the better approach. Leo's analysis is correct, but
there are a few problems:
(1) I guess that most Guix users don't install 'tar' manually, but
rather depend on the fact that 'tar' is included in %base-packages,
which references 'tar' by its variable name.
(2) Even for users who explicitly ask for 'tar', if they reference it by
its variable name, they would still get the vulnerable version.
That includes users (such as myself) who manage their profiles
declaratively, i.e. using "guix package --manifest".
(3) As Maxime pointed out, it's possible that some packages might retain
a reference to 'tar' to be used at runtime.
However, someone would need to test to make sure that after grafting
'tar', they can successfully rebuild their system and boot into it.
Hopefully the code in 'commencement' deals properly with a grafted
'tar', but that should be checked.
I won't be able to work on this today, so hopefully someone else can
take care of it. Otherwise, I'll do it tomorrow.
Thanks!
Mark
--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.