tar: make error reporting more robust and use correct errno #2101

Merged
merged 1 commit into from Mar 29, 2024

@emaste (Contributor) commented Mar 29, 2024

As discussed in #1609.

@kientzle (Contributor) left a comment

Thank you!

@sgammon commented Mar 29, 2024

Beat me to it. I'm very glad to see someone more qualified take this on @emaste ... thank you for your hard work on FreeBSD

@kientzle kientzle merged commit 6110e9c into libarchive:master Mar 29, 2024
19 of 20 checks passed
@mcatanzaro

One more note: this particular usage is probably fine because bsdtar is a utility rather than part of the library component of libarchive, but you unfortunately can't use strerror() in libraries (or threaded applications) because it's not threadsafe. Awkward workarounds are generally required like this or this. So beware: it's one of those tempting APIs that's almost impossible to use correctly except in single-threaded programs.
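
The kind of workaround the comment above refers to, as an added example (not code from this pull request or from libarchive): a wrapper over strerror_r() that writes into a caller-owned buffer and compiles against either the XSI (int) or GNU (char *) variant. The name errno_text and the buffer sizes are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L	/* declares strerror_r() under strict -std= */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* XSI strerror_r() returns int; the text, if any, is already in buf. */
static void
from_xsi(int rc, char *buf, size_t len, int errnum)
{
	if (rc != 0 && buf[0] == '\0')
		snprintf(buf, len, "Unknown error %d", errnum);
}

/* GNU strerror_r() returns char *: buf itself or a static string. */
static void
from_gnu(char *msg, char *buf, size_t len, int errnum)
{
	if (msg == NULL)
		snprintf(buf, len, "Unknown error %d", errnum);
	else if (msg != buf)
		snprintf(buf, len, "%s", msg);
}

/* Select the adapter from the return type the C library declares. */
#define ADAPT(call, buf, len, e) \
	_Generic((call), int: from_xsi, char *: from_gnu)((call), (buf), (len), (e))

/* errno_text() is a hypothetical name, not a libarchive function. */
const char *
errno_text(int errnum, char *buf, size_t len)
{
	if (buf == NULL || len == 0)
		return ("");
	buf[0] = '\0';
	ADAPT(strerror_r(errnum, buf, len), buf, len, errnum);
	buf[len - 1] = '\0';	/* always NUL-terminated, even if truncated */
	return (buf);
}

int
main(void)
{
	char buf[128];	/* one buffer per caller or thread, never shared */
	printf("ENOENT: %s\n", errno_text(ENOENT, buf, sizeof(buf)));
	printf("-1: %s\n", errno_text(-1, buf, sizeof(buf)));
	return (0);
}
```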

@qwertychouskie

Are there plans to backport this fix to older releases?

@gamer191 commented Mar 30, 2024

> this particular usage is probably fine

That may well be the case (I don't know much about coding tbh), but it's highly suspicious, because it was added in #1609, created by a known bad actor (JiaT75 recently snuck a backdoor into XZ, over a series of commits, after contributing for over a year and eventually becoming a co-maintainer)

Once again, I don't know much about coding, and I definitely don't understand the specific change. I do wonder though whether it could have set the stage for an obfuscated attempt to insert malware (EDIT: or a vulnerability that a malicious program could then exploit)

@mcatanzaro

> I do wonder though whether it could have set the stage for an obfuscated attempt to insert malware (EDIT: or a vulnerability that a malicious program could then exploit)

Pretty unlikely; would be too hard to abuse it.

Comment on lines +375 to +376
archive_error_string(a),
strerror(archive_errno(a)));
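
Review bot: at lines +375 to +376, strerror() is called on archive_errno(a) without checking the value. libarchive records ARCHIVE_ERRNO_MISC (-1) for errors that have no system errno, so for those the output gains an unknown-error string after the archive_error_string(a) text. Consider appending the strerror() text only when archive_errno(a) is greater than zero.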

These changes have mixed whitespace. Someone should probably replace the newly added spaces with tabs.

Contributor Author

this follows FreeBSD style(9): tabs are 8, 2nd level indent is 4 spaces.
https://man.freebsd.org/cgi/man.cgi?query=style&sektion=9

@jmpalacios

Are there OS-level patches going to be issued to distribute these corrections to the general public?

kientzle referenced this pull request Mar 30, 2024
…sdtar_1561

Added error text to warning when untaring with bsdtar
@EverStarck

hell yeah

@udaya2899

Thanks @emaste for the quick fix. Will there be a new release with this fix included soon?

@emaste (Contributor Author) commented Apr 2, 2024

Release plans aren't my call. IMO it would be good to get whatever we do for #2107 into a release (and not just #2101). If that's not imminent though I see there are a number of minor updates and bugfixes in the tree since v3.7.2 that would be good to release.

Millak pushed a commit to Millak/guix that referenced this pull request Apr 4, 2024
libarchive/libarchive#2101

* gnu/packages/backup.scm (libarchive)[replacement]: New field.
(libarchive/fixed): New variable.
* gnu/packages/patches/libarchive-remove-potential-backdoor.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.

Change-Id: I939e9b842b10d1a78125da4a4599c38d9c037079
@kientzle kientzle mentioned this pull request Apr 4, 2024
15 tasks
leahneukirchen added a commit to void-linux/void-packages that referenced this pull request Apr 6, 2024
leahneukirchen added a commit to void-linux/void-packages that referenced this pull request Apr 6, 2024