libarchive: pull the fix for a suspicious commit #300114
Conversation
This is a follow-up to the downgrade to version older than 5.6.x made in NixOS#300028 (also known as CVE-2024-3094). A suspicious commit made by the same actor has been spotted in libarchive and following up discussions a change has been made by contributor and merged by another maintainer.
LeSuisse
force-pushed
the
libarchive-suspicious-commit-bad-actor
branch
from
2219caf
to
b3743f7
Compare
|
Likely too early, we might need to wait a bit to let the dust settle: libarchive/libarchive#1609 (comment) |
|
AIUI, the issues mentioned in that comment are additional issues; and reverting the suspicious commit would be valuable regardless of whether those additional issues are valid and/or are fixed in the future. |
|
Agreed, opened #300122 closing this one for now. |
Looks like the PR has settled on that patch being acceptable/sufficient: libarchive/libarchive#1609 (comment) I see Debian have released this too: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068047 We should stick with upstream, since their change has gone through the right level of review. I'm happy to approve and merge this PR if it's re-opened. |
|
@LeSuisse, nice work on responding to this issue! :) Please mark as ready for review, to allow this to be merged. It's worth us waiting for CI to pass too, given libarchive is a dependency of Nix. |
|
Successfully created backport PR for |
Description of changes
This is a follow-up to the downgrade to version older than 5.6.x made in #300028 (also known as CVE-2024-3094).
A suspicious commit made by the same actor has been spotted in libarchive and following up discussions a change has been made by contributor and merged by another maintainer.
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 馃憤 reaction to pull requests you find important.