• Question on libarchive/3.7.4-2 and CVE-2025-1632 patch

    From Salvatore Bonaccorso@21:1/5 to Debian FTP Masters on Sat Apr 26 11:40:02 2025
    Hi Peter,

    On Sat, Apr 26, 2025 at 09:20:46AM +0000, Debian FTP Masters wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA512
    >
    > Format: 1.8
    > Date: Sat, 26 Apr 2025 11:34:57 +0300
    > Source: libarchive
    > Architecture: source
    > Version: 3.7.4-2
    > Distribution: unstable
    > Urgency: high
    > Maintainer: Peter Pentchev <roam@debian.org>
    > Changed-By: Peter Pentchev <roam@debian.org>
    > Closes: 1103494
    > Changes:
    >  libarchive (3.7.4-2) unstable; urgency=high
    >  .
    >    * Acknowledge NMU; thanks, Salvatore!
    >    * Point to the debian/trixie branch in the gbp.conf file since
    >      the master branch in the repository already contains changes that
    >      did not make it in time for the Trixie freeze.
    >    * Add the CVE-2025-1632 patch. Closes: #1103494
    >    * Add the year 2025 to my debian/* copyright notice.

    Was there a reason not to pick the upstream committed https://github.com/libarchive/libarchive/commit/8ce2aca6c7d6f004f860c6619cb6cc98d51ac69a ?

    Regards,
    Salvatore

  • From Peter Pentchev@21:1/5 to Salvatore Bonaccorso on Sat Apr 26 12:30:01 2025
    On Sat, Apr 26, 2025 at 11:36:46AM +0200, Salvatore Bonaccorso wrote:
    > Hi Peter,
    >
    > On Sat, Apr 26, 2025 at 09:20:46AM +0000, Debian FTP Masters wrote:
    > > -----BEGIN PGP SIGNED MESSAGE-----
    > > Hash: SHA512
    > >
    > > Format: 1.8
    > > Date: Sat, 26 Apr 2025 11:34:57 +0300
    > > Source: libarchive
    > > Architecture: source
    > > Version: 3.7.4-2
    > > Distribution: unstable
    > > Urgency: high
    > > Maintainer: Peter Pentchev <roam@debian.org>
    > > Changed-By: Peter Pentchev <roam@debian.org>
    > > Closes: 1103494
    > > Changes:
    > >  libarchive (3.7.4-2) unstable; urgency=high
    > >  .
    > >    * Acknowledge NMU; thanks, Salvatore!
    > >    * Point to the debian/trixie branch in the gbp.conf file since
    > >      the master branch in the repository already contains changes that
    > >      did not make it in time for the Trixie freeze.
    > >    * Add the CVE-2025-1632 patch. Closes: #1103494
    > >    * Add the year 2025 to my debian/* copyright notice.
    >
    > Was there a reason not to pick the upstream committed https://github.com/libarchive/libarchive/commit/8ce2aca6c7d6f004f860c6619cb6cc98d51ac69a ?

    That was actually a very good question. The only reason I can give you
    is that I had a bit of a neuron misfire and made a silly mistake -
    I had two versions of the patch ready for testing and somehow I forgot
    which one was which, and I kept forgetting even after adding it to
    my copy of the package.

    So, yeah... Later today or tomorrow I will upload a new version of
    libarchive with the upstream patch instead of this one.

    Thanks a lot for catching this, I really have no idea how it happened.

    G'luck,
    Peter

    --
    Peter Pentchev roam@ringlet.net roam@debian.org peter@morpheusly.com
    PGP key: https://www.ringlet.net/roam/roam.key.asc
    Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

  • From Peter Pentchev@21:1/5 to Peter Pentchev on Mon Apr 28 00:10:01 2025
    On Sat, Apr 26, 2025 at 01:25:52PM +0300, Peter Pentchev wrote:
    > On Sat, Apr 26, 2025 at 11:36:46AM +0200, Salvatore Bonaccorso wrote:
    > > Hi Peter,
    > >
    > > On Sat, Apr 26, 2025 at 09:20:46AM +0000, Debian FTP Masters wrote:
    > > > -----BEGIN PGP SIGNED MESSAGE-----
    > > > Hash: SHA512
    > > >
    > > > Format: 1.8
    > > > Date: Sat, 26 Apr 2025 11:34:57 +0300
    > > > Source: libarchive
    > > > Architecture: source
    > > > Version: 3.7.4-2
    > > > Distribution: unstable
    > > > Urgency: high
    > > > Maintainer: Peter Pentchev <roam@debian.org>
    > > > Changed-By: Peter Pentchev <roam@debian.org>
    > > > Closes: 1103494
    > > > Changes:
    > > >  libarchive (3.7.4-2) unstable; urgency=high
    > > >  .
    > > >    * Acknowledge NMU; thanks, Salvatore!
    > > >    * Point to the debian/trixie branch in the gbp.conf file since
    > > >      the master branch in the repository already contains changes that
    > > >      did not make it in time for the Trixie freeze.
    > > >    * Add the CVE-2025-1632 patch. Closes: #1103494
    > > >    * Add the year 2025 to my debian/* copyright notice.
    > >
    > > Was there a reason not to pick the upstream committed https://github.com/libarchive/libarchive/commit/8ce2aca6c7d6f004f860c6619cb6cc98d51ac69a ?
    >
    > That was actually a very good question. The only reason I can give you
    > is that I had a bit of a neuron misfire and made a silly mistake -
    > I had two versions of the patch ready for testing and somehow I forgot
    > which one was which, and I kept forgetting even after adding it to
    > my copy of the package.
    >
    > So, yeah... Later today or tomorrow I will upload a new version of
    > libarchive with the upstream patch instead of this one.
    >
    > Thanks a lot for catching this, I really have no idea how it happened.

    Right, so I uploaded libarchive/3.7.4-3 and, um, Salvatore, I'm sorry that,
    even though it is kinda sorta in the name of the new patch, again
    I forgot to mention CVE-2025-25724 by name in the changelog entry :/

    Thanks again for spotting this and pointing it out!

    G'luck,
    Peter

    --
    Peter Pentchev roam@ringlet.net roam@debian.org peter@morpheusly.com
    PGP key: https://www.ringlet.net/roam/roam.key.asc
    Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
