
Bug#1068106: bookworm-pu: package libarchive/3.6.2-1+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libarchive@packages.debian.org, roam@debian.org
Control: affects -1 + src:libarchive
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Revert a change made by the same person that smuggled
the backdoor into xz. See #1068047 for more details.

[ Impact ]
In the discussion in the upstream bugtracker, the consensus is that
the reverted change may not really introduce any vulnerability, but
still some concerns were expressed regarding some unlikely scenarios.
It might be a safer bet to revert it, just in case.

[ Tests ]
None yet.

[ Risks ]
The change reverting the previous one is straightforward, limited to
a specific piece of code (specific error logging in
the bsdtar(1) command-line tool), and changes the source code back to
using the same error reporting functions that are used elsewhere
throughout the bsdtar and libarchive source code. Thus, IMHO the risks
are negligible, if any.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Introduce a patch that uses libarchive's own error reporting functions
instead of unchecked fprintf().

diff -Nru libarchive-3.6.2/debian/changelog libarchive-3.6.2/debian/changelog
--- libarchive-3.6.2/debian/changelog	2022-12-24 23:17:29.000000000 +0200
+++ libarchive-3.6.2/debian/changelog	2024-03-30 20:36:47.000000000 +0200
@@ -1,3 +1,9 @@
+libarchive (3.6.2-1+deb12u1) bookworm; urgency=medium
+
+  * Add the robust-error-reporting upstream patch. Closes: #1068047
+
+ -- Peter Pentchev <roam@debian.org>  Sat, 30 Mar 2024 20:36:47 +0200
+
 libarchive (3.6.2-1) unstable; urgency=medium
 
   [ Debian Janitor ]
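Review bot: the changelog entry gives only the bug number, while the justification in [ Reason ] is that the patched code came from the xz backdoor author; a short clause such as "revert the bsdtar error-reporting change discussed in #1068047" would keep that rationale visible to anyone reading the package changelog without the bug tracker (the Origin header of the new patch already points at the upstream fix). The 3.6.2-1+deb12u1 version and the bookworm target match the usual stable-update scheme.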
diff -Nru libarchive-3.6.2/debian/patches/robust-error-reporting.patch libarchive-3.6.2/debian/patches/robust-error-reporting.patch
--- libarchive-3.6.2/debian/patches/robust-error-reporting.patch	1970-01-01 02:00:00.000000000 +0200
+++ libarchive-3.6.2/debian/patches/robust-error-reporting.patch	2024-03-30 20:31:38.000000000 +0200
@@ -0,0 +1,20 @@
+Description: tar: make error reporting more robust and use correct errno
+Debian-Bug: https://bugs.debian.org/1068047
+Origin: upstream, https://github.com/libarchive/libarchive/commit/6110e9c82d8ba830c3440f36b990483ceaaea52c
+Author: Ed Maste <emaste@freebsd.org>
+Last-Update: 2024-03-30
+
+--- a/tar/read.c
++++ b/tar/read.c
+@@ -372,8 +372,9 @@
+ 			if (r != ARCHIVE_OK) {
+ 				if (!bsdtar->verbose)
+ 					safe_fprintf(stderr, "%s", archive_entry_pathname(entry));
+-				fprintf(stderr, ": %s: ", archive_error_string(a));
+-				fprintf(stderr, "%s", strerror(errno));
++				safe_fprintf(stderr, ": %s: %s",
++				    archive_error_string(a),
++				    strerror(archive_errno(a)));
+ 				if (!bsdtar->verbose)
+ 					fprintf(stderr, "\n");
+ 				bsdtar->return_value = 1;
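Review bot: the substantive correction in this hunk is strerror(errno) becoming strerror(archive_errno(a)). The old code read errno only after two fprintf() calls had run, so the message could describe whatever those calls last did rather than the extraction failure; archive_errno(a) returns the value libarchive saved when the error was raised. Folding the error string into a single safe_fprintf() call also puts archive_error_string(a) on the same checked path that the pathname on the preceding line already uses, which is what [ Risks ] means by "the same error reporting functions that are used elsewhere". The trailing fprintf(stderr, "\n") stays plain fprintf, which is fine since it prints no data taken from the archive. Since this is a backport of an upstream commit and [ Tests ] is still empty, confirming that quilt applies the hunk cleanly to 3.6.2's tar/read.c and that a failing extraction prints the expected message would round the upload off.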
diff -Nru libarchive-3.6.2/debian/patches/series libarchive-3.6.2/debian/patches/series
--- libarchive-3.6.2/debian/patches/series	2022-12-24 23:17:29.000000000 +0200
+++ libarchive-3.6.2/debian/patches/series	2024-03-30 20:31:52.000000000 +0200
@@ -1,2 +1,3 @@
 typos.patch
 iconv-pkgconfig.patch
+robust-error-reporting.patch

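The upstream patch replaces strerror(errno) with strerror(archive_errno(a)) and moves the error string to safe_fprintf(). The C program below is an added example, not part of this bug report or of libarchive: it reproduces the failure mode with constructed stand-ins (fake_archive, fa_open, unrelated_work, MISSING_PATH) in which an open() fails, errno is saved at once the way libarchive's archive_set_error() saves it, an unrelated close(-1) then changes errno, and the two reporting styles give different answers. The constructed escape_for_terminal() mirrors what bsdtar's safe_fprintf() does for strings derived from an archive: bytes outside printable ASCII are written as \xNN instead of raw.

```c
/* Added example, not code from the bug report or from libarchive: why the
 * errno read by the reverted bsdtar code was unreliable, and what reporting
 * from an errno saved at failure time (as archive_errno() does) fixes.
 * Every type and function here is a constructed stand-in. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for the part of libarchive's error state that
 * archive_errno() and archive_error_string() expose. */
struct fake_archive {
    int  saved_errno;   /* errno captured at the moment of failure */
    char error[128];    /* message text, like archive_error_string() */
};

/* Attempt to open a path and, on failure, record errno immediately, the way
 * libarchive's archive_set_error() records it. Returns -1 on failure. */
static int fa_open(struct fake_archive *a, const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) {
        close(fd);
        a->saved_errno = 0;
        a->error[0] = '\0';
        return 0;
    }
    a->saved_errno = errno;  /* copied before anything else can run */
    snprintf(a->error, sizeof a->error, "Can't open %s", path);
    return -1;
}

/* Unrelated work between the failure and the report. close(-1) sets errno to
 * EBADF deterministically; in bsdtar the intervening fprintf() calls can do
 * the same thing, just less predictably. */
static void unrelated_work(void)
{
    close(-1);
}

/* Constructed path that does not exist, so fa_open() fails with ENOENT. */
#define MISSING_PATH "/constructed-missing-dir/file"

/* Fragile pattern (the reverted code): errno is read after other calls. */
int fragile_errno(void)
{
    struct fake_archive a;
    fa_open(&a, MISSING_PATH);
    unrelated_work();
    return errno;             /* EBADF from close(-1), not the open() error */
}

/* Robust pattern (the upstream fix): report the errno saved at failure time. */
int robust_errno(void)
{
    struct fake_archive a;
    fa_open(&a, MISSING_PATH);
    unrelated_work();
    return a.saved_errno;     /* ENOENT, the real cause */
}

/* Constructed analogue of the sanitising in bsdtar's safe_fprintf(): copy src
 * to dst, rendering bytes outside printable ASCII as \xNN so that names or
 * messages derived from archive contents cannot emit raw control sequences.
 * Output is truncated rather than overrun. Returns the number of bytes
 * written, excluding the terminating NUL. */
size_t escape_for_terminal(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    if (dstlen == 0)
        return 0;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        size_t need = (c < 0x20 || c >= 0x7f) ? 4 : 1;
        if (n + need + 1 > dstlen)
            break;            /* keep room for the NUL; truncate instead */
        if (need == 1)
            dst[n++] = (char)c;
        else
            n += (size_t)snprintf(dst + n, dstlen - n, "\\x%02x", c);
    }
    dst[n] = '\0';
    return n;
}

int main(void)
{
    char buf[64];
    printf("fragile: %s\n", strerror(fragile_errno()));
    printf("robust:  %s\n", strerror(robust_errno()));
    escape_for_terminal(buf, sizeof buf, "entry\x1b[31mname");
    printf("escaped: %s\n", buf);
    return 0;
}
```

Build with cc -Wall and run it: the fragile report prints "Bad file descriptor" while the robust one prints "No such file or directory" for the very same failed open(), and the escape sequence in the constructed entry name comes out as the literal text \x1b[31m rather than changing the terminal colour.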