libarchive: pull the fix for a suspicious commit #300114
Conversation
This is a follow-up to the downgrade to a version older than 5.6.x made in NixOS#300028 (also known as CVE-2024-3094). A suspicious commit made by the same actor has been spotted in libarchive and, following discussions, a change has been made by a contributor and merged by another maintainer.
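As an added example (not the diff of this PR and not libarchive's own code): the nixpkgs pattern for pulling an upstream fix into the packaged libarchive is a `fetchpatch` entry appended to the derivation's `patches`. The commit SHA, patch name and hash below are placeholders, not values taken from this PR; `lib.fakeHash` is the standard nixpkgs placeholder that makes the first build fail and print the real hash to paste in.

```nix
# Added example, not the nixpkgs PR's own change. Overrides the packaged
# libarchive so that an upstream fix commit is applied on top of the release
# tarball. FIX_COMMIT_SHA is an assumption: substitute the SHA of the upstream
# commit that was merged following the discussion in libarchive/libarchive#1609.
{ lib, fetchpatch, libarchive }:

libarchive.overrideAttrs (old: {
  patches = (old.patches or [ ]) ++ [
    (fetchpatch {
      # Assumed name; only used for the store path of the fetched patch.
      name = "libarchive-upstream-fix.patch";
      # Assumed URL shape: GitHub serves any commit as a unified diff at
      # <repo>/commit/<sha>.patch, which fetchpatch normalizes before use.
      url = "https://github.com/libarchive/libarchive/commit/FIX_COMMIT_SHA.patch";
      # Placeholder: the first build fails with "hash mismatch" and reports
      # the real sha256-... value to put here.
      hash = lib.fakeHash;
      # If instead only the suspicious commit itself is to be backed out,
      # point url at that commit and add `revert = true;` so fetchpatch
      # applies it reversed.
    })
  ];
})
```

Either way the resulting patch is fixed-output and content-addressed, so once the hash is filled in the override rebuilds identically on every machine; `nixpkgs-review` on the PR then rebuilds libarchive and its reverse dependencies to confirm nothing else in the closure breaks.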
Commit range: 2219caf to b3743f7
Likely too early, we might need to wait a bit to let the dust settle: libarchive/libarchive#1609 (comment)
AIUI, the issues mentioned in that comment are additional issues; and reverting the suspicious commit would be valuable regardless of whether those additional issues are valid and/or are fixed in the future.
Agreed, opened #300122, closing this one for now.
Looks like the PR has settled on that patch being acceptable/sufficient: libarchive/libarchive#1609 (comment). I see Debian have released this too: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068047. We should stick with upstream, since their change has gone through the right level of review. I'm happy to approve and merge this PR if it's re-opened.
@LeSuisse, nice work on responding to this issue! :) Please mark as ready for review, to allow this to be merged. It's worth us waiting for CI to pass too, given libarchive is a dependency of Nix.
Successfully created backport PR for |