[PATCH 0/1] Xz backdoor / JiaT75 cleanup for libarchive

The malicious actor that attacked Xz was also active in the libarchive

codebase:

This patch cherry-picks a fix for a potential vulnerability added by

this entity. The patch file includes annotations.

Please test with packages that directly use libarchive! For example:

------

$ ./pre-inst-env guix package -s . | recsel -e '(dependencies ~ "libarchive")' -p name,synopsis,location

name: dwarfs

synopsis: Fast high compression read-only file system

location: gnu/packages/file-systems.scm:2106:2

name: patool

synopsis: Portable archive file manager

location: gnu/packages/patool.scm:37:2

name: gnome-boxes

synopsis: View, access, and manage remote and virtual systems

location: gnu/packages/gnome.scm:12554:2

name: proot

synopsis: Unprivileged chroot, bind mount, and binfmt_misc

location: gnu/packages/linux.scm:8449:2

name: geary

synopsis: GNOME email application built around conversations

location: gnu/packages/gnome.scm:12630:2

name: tesseract-ocr

synopsis: Optical character recognition engine

location: gnu/packages/ocr.scm:104:2

name: tesseract-ocr

synopsis: Optical character recognition engine

location: gnu/packages/ocr.scm:192:2

name: reprepro

synopsis: Debian package repository producer

location: gnu/packages/debian.scm:610:2

name: libjami

synopsis: Jami core library and daemon

location: gnu/packages/jami.scm:85:2

name: diffoscope

synopsis: Compare files, archives, and directories in depth

location: gnu/packages/diffoscope.scm:75:2

name: geeqie

synopsis: Lightweight GTK+ based image viewer

location: gnu/packages/image-viewers.scm:235:2

name: samba

synopsis: The standard Windows interoperability suite of programs for GNU and Unix

location: gnu/packages/samba.scm:296:2

name: gpaste

synopsis: Clipboard management system for GNOME Shell

location: gnu/packages/gnome-xyz.scm:1012:2

name: libextractor

synopsis: Library to extract meta-data from media files

location: gnu/packages/gnunet.scm:87:2

name: unrar-free

synopsis: Extract files from RAR archives

location: gnu/packages/compression.scm:2813:2

name: archivemount

synopsis: Tool for mounting archive files with FUSE

location: gnu/packages/linux.scm:4034:2

name: rpm

synopsis: The RPM Package Manager

location: gnu/packages/package-management.scm:934:2

name: nix

synopsis: The Nix package manager

location: gnu/packages/package-management.scm:804:2

name: gvfs

synopsis: Userspace virtual file system for GIO

location: gnu/packages/gnome.scm:7000:2

name: claws-mail

synopsis: GTK-based Email client

location: gnu/packages/mail.scm:1753:2

name: kbackup

synopsis: Backup program with an easy-to-use interface

location: gnu/packages/kde-utils.scm:438:2

name: cmake-minimal-cross

synopsis: Cross-platform build system

location: gnu/packages/cmake.scm:411:2

name: scilab

synopsis: Software for engineers and scientists

location: gnu/packages/maths.scm:9708:2

name: pixz

synopsis: Parallel indexing implementation of LZMA

location: gnu/packages/compression.scm:1037:2

name: cmake-minimal

synopsis: Cross-platform build system

location: gnu/packages/cmake.scm:263:2

name: python-fsspec

synopsis: File-system specification

location: gnu/packages/python-xyz.scm:27706:2

name: libostree

synopsis: Operating system and container binary deployment and upgrades

location: gnu/packages/package-management.scm:1958:2

name: cmake

synopsis: Cross-platform build system

location: gnu/packages/cmake.scm:346:2

name: meandmyshadow

synopsis: Puzzle/platform game

location: gnu/packages/games.scm:1788:2

name: reprotest

synopsis: Build software and check it for reproducibility

location: gnu/packages/diffoscope.scm:247:2

name: gimp-next

synopsis: GNU Image Manipulation Program

location: gnu/packages/gimp.scm:415:2

name: rdup

synopsis: Provide a list of files to backup

location: /home/leo/work/guix/gnu/packages/backup.scm:370:2

name: irods-client-icommands

synopsis: Data management software

location: gnu/packages/irods.scm:170:2

name: nestopia-ue

synopsis: Nintendo Entertainment System (NES/Famicom) emulator

location: gnu/packages/emulators.scm:1363:2

name: avogadrolibs

synopsis: Libraries for chemistry, bioinformatics, and related areas

location: gnu/packages/chemistry.scm:74:2

name: swi-prolog

synopsis: ISO/Edinburgh-style Prolog interpreter

location: gnu/packages/prolog.scm:88:2

name: evince

synopsis: GNOME's document viewer

location: gnu/packages/gnome.scm:2669:2

name: singularity

synopsis: Container platform

location: gnu/packages/linux.scm:5245:2

name: pqiv

synopsis: Powerful image viewer with minimal UI

location: gnu/packages/image-viewers.scm:896:2

name: python-libarchive-c

synopsis: Python interface to libarchive

location: gnu/packages/python-xyz.scm:16283:2

name: python-conda-package-handling

synopsis: Create and extract conda packages of various formats

location: gnu/packages/package-management.scm:1105:2

name: opencpn

synopsis: Chart plotter and marine GPS navigation software

location: gnu/packages/geo.scm:2473:2

name: midori

synopsis: Lightweight graphical web browser

location: gnu/packages/web-browsers.scm:106:2

name: appstream-glib

synopsis: Library for reading and writing AppStream metadata

location: gnu/packages/glib.scm:1346:2

name: libgxps

synopsis: GObject-based library for handling and rendering XPS documents

location: gnu/packages/gnome.scm:2069:2

name: libticalcs2

synopsis: Support library for TI calculators

location: gnu/packages/emulators.scm:1747:2

name: irods

synopsis: Data management software

location: gnu/packages/irods.scm:48:2

name: ardour

synopsis: Digital audio workstation

location: gnu/packages/audio.scm:775:2

name: libtifiles2

synopsis: File functions library for TI calculators

location: gnu/packages/emulators.scm:1712:2

name: flatpak

synopsis: System for building, distributing, and running sandboxed desktop applications

location: gnu/packages/package-management.scm:2011:2

name: epic5

synopsis: Epic5 IRC Client

location: gnu/packages/irc.scm:669:2

name: file-roller

synopsis: Graphical archive manager for GNOME

location: gnu/packages/gnome.scm:7628:2

name: rpi-imager

synopsis: Raspberry Pi Imaging Utility

location: gnu/packages/raspberry-pi.scm:467:2

name: fwupd

synopsis: Daemon to allow session software to update firmware

location: gnu/packages/firmware.scm:211:2

name: totem-pl-parser

synopsis: Library to parse and save media playlists for GNOME

location: gnu/packages/gnome.scm:6075:1

name: osinfo-db-tools

synopsis: Tools for managing the osinfo database

location: gnu/packages/virtualization.scm:2691:2

name: ark

synopsis: Graphical archiving tool

location: gnu/packages/kde-utils.scm:54:2

name: vlc

synopsis: Audio and video framework

location: gnu/packages/video.scm:2365:2

name: fpm

synopsis: Package building and mangling tool

location: gnu/packages/package-management.scm:2118:2

name: hydrogen

synopsis: Drum machine

location: gnu/packages/music.scm:869:2

name: gnome-autoar

synopsis: Archives integration support for GNOME

location: gnu/packages/gnome.scm:9531:2

name: python-py7zr

synopsis: 7-zip in Python

location: gnu/packages/python-compression.scm:444:2

name: zathura-cb

synopsis: Comic book support for zathura (libarchive backend)

location: gnu/packages/pdf.scm:516:2

name: python-rarfile

synopsis: RAR archive reader for Python

location: gnu/packages/python-xyz.scm:19616:2

name: epiphany

synopsis: GNOME web browser

location: gnu/packages/gnome.scm:7160:2

name: gnome-arcade

synopsis: Minimal MAME frontend

location: gnu/packages/emulators.scm:1962:2

name: zeal

synopsis: Offline documentation browser inspired by Dash

location: gnu/packages/documentation.scm:412:4

name: pcsxr

synopsis: PlayStation emulator

location: gnu/packages/emulators.scm:2057:4

name: atril

synopsis: Document viewer for Mate

location: gnu/packages/mate.scm:683:2

------

Leo Famulari (1):

gnu: libarchive: Fix a potential security issue.

gnu/local.mk | 1 +

gnu/packages/backup.scm | 19 ++++++++

...libarchive-remove-potential-backdoor.patch | 47 +++++++++++++++++++

3 files changed, 67 insertions(+)

create mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch

base-commit: 4d79a9cd6b5f0d8c5afbab0c6b70ae42740d5470

--

2.41.0

merge 70114 70113

Hi Leo,

On Sun, Mar 31, 2024 at 04:44 PM, Leo Famulari wrote:

Overall changes look good, but I have not had a chance to try it locally

(building or dependents).

[...]

In light of the xz backdoor, perhaps we should just do a git checkout of

the v3.6.1 tag rather than the tarballs? Assuming that works, of course.

I haven't had a chance to look at potential ABI changes, but perhaps at

least v3.6.2 is graftable? That also lists a security update (as well as

later versions).

Or, if it is easier and this is tested on your end, let's push this and

do an upgrade to the latest on a branch. I would volunteer mesa-updates,

but Cuirass has been stuck all day not building anything, so I don't

know what will end up being quickest (which branch or a new one).

Thanks for the quick work!

John

On Tue, Apr 02, 2024 at 03:23:44AM +0000, John Kehayias via Guix-patches via wrote:

This looks like what I was going to suggest

In this case it was just the patch which didn't do (just) what the

commit message said. IMO applying this patch will make us safe from this

potential JiaT75 backdoor, no bootstrapping from source needed.

If it turns out that we need to move forward a bit to guard against

other CVEs then this patch should be forward compatible, considering it

was just added to the libarchive repository.

Indeed. Thanks!

--

Efraim Flashner <efraim@flashner.co.il> ????? ?????

GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351

Confidentiality cannot be guaranteed on emails sent or received unencrypted

Hello,

John Kehayias via Guix-patches via <guix-patches@gnu.org> writes:

Not having followed the details, I believe the git checkout contained an

incomplete part of the malicious code too, from what Joshua Branson (I

guess the sender is him?) cites from Phoronix

https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00002.html:

jbranso@dismail.de writes:

It doesn’t look like avoiding tarballs gives us more verified code.

Regards,

Florian

On Tue, Apr 02, 2024 at 03:23:44AM +0000, John Kehayias wrote:

I successfully tested with the file-roller package, which depends

directly on libarchive and no other related packages. I think it's a

reasonable basic test case.

I agree it's a good idea to look into a more comprehensive update to

libarchive, but I just wanted to get this patch in ASAP.

Pushed as 629614c7a3f9283306939402f1ff46914f327c21

Hello,

On Tue, Apr 02, 2024 at 03:45 PM, pelzflorian (Florian Pelz) wrote:

Well, it removes one step where something can be added. From what I

understand release tarballs don't match a git checkout as often build

artifacts (from autotools) are added, so it is just another potential

attack vector. Indeed, it was only part of the attack here, but I do

believe there is general support for trying to favor git checkouts

when we can (there is overhead and I think issues for parts in

bootstrapping, to get git). Certainly not perfect, but gets us to

"just" the source. One can still do things with access of course.

Thanks Leo for the quick work here and pushing the patch, much

appreciated!

John

tags 70114 + security

quit