gnu: tar: Replace with 1.34 [fixes CVE-2021-20193].

* gnu/packages/base.scm (tar)[replacement]: New field. (tar-1.34): New variable.
2021-11-06 05:52:51 -04:00 · 2021-11-06 05:52:51 -04:00 · 33a80e1110
parent 893a31ec20
commit 33a80e1110
1 changed files with 16 additions and 0 deletions
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@ -180,6 +180,7 @@ implementation offers several extensions over the standard utility.")
  (package
   (name "tar")
   (version "1.32")
+   (replacement tar-1.34)
   (source (origin
            (method url-fetch)
            (uri (string-append "mirror://gnu/tar/tar-"
@ -234,6 +235,21 @@ standard utility.")
   (license gpl3+)
   (home-page "https://www.gnu.org/software/tar/")))

+(define-public tar-1.34  ; fixes CVE-2021-20193
+  (package
+    (inherit tar)
+    (version "1.34")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnu/tar/tar-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "0a0x87anh9chbi2cgcyy7pmnm5hzk4yd1w2j8gm1wplwhwkbvgk3"))
+              (patches
+               (search-patches "tar-skip-unreliable-tests.patch"
+                               "tar-remove-wholesparse-check.patch"))))))
+
 (define-public patch
  (package
   (name "patch")