From atler at pld-linux.org Mon Mar 25 10:22:00 2024
From: atler at pld-linux.org (Jan Palus)
Date: Mon, 25 Mar 2024 10:22:00 +0100
Subject: [packages/python3] python points to python3 now
In-Reply-To:
References:
Message-ID:

On 25.03.2024 11:05, arekm wrote:
> commit d073fb40c26996aedc0c52fdea5af8b596e4f395
> Author: Arkadiusz Miśkiewicz
> Date: Mon Mar 25 09:58:15 2024 +0100
> 
> python points to python3 now
> 
> python3.spec | 4 ++++
> 1 file changed, 4 insertions(+)
> ---
> diff --git a/python3.spec b/python3.spec
> index 503d98b..686f876 100644
> --- a/python3.spec
> +++ b/python3.spec
> @@ -669,6 +669,9 @@ install -p Tools/patchcheck/reindent.py $RPM_BUILD_ROOT%{_bindir}/pyreindent%{py
> %{__mv} $RPM_BUILD_ROOT%{py_incdir}/pyconfig.h $RPM_BUILD_ROOT%{py_libdir}/config-%{py_platform}/pyconfig.h
> %{__sed} -e's#@PREFIX@#%{_prefix}#g;s#@PY_VER@#%{py_ver}#g;s#@PY_ABI@#%{py_platform}#g' %{SOURCE1} > $RPM_BUILD_ROOT%{py_incdir}/pyconfig.h
> 
> +# python points to python3 now
> +ln -s python3 $RPM_BUILD_ROOT%{_bindir}/python
> +

I guess all those packages that still meet `ipoldek what-requires /usr/bin/python`
might not be happy about it.

From atler at pld-linux.org Sat Mar 30 13:57:22 2024
From: atler at pld-linux.org (Jan Palus)
Date: Sat, 30 Mar 2024 13:57:22 +0100
Subject: [packages/xz] Revert back to 5.4.6 as 5.6.x are BACKDOORED! https://www.openwall.com/lists/oss-security/2024/03/29
In-Reply-To:
References:
Message-ID:

On 30.03.2024 01:49, arekm wrote:
> commit b369fe78b7b4a02e900fb6fe7ac035a9bba39436
> Author: Arkadiusz Miśkiewicz
> Date: Fri Mar 29 23:50:59 2024 +0100
> 
> Revert back to 5.4.6 as 5.6.x are BACKDOORED! https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
> xz.spec | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
> ---
> diff --git a/xz.spec b/xz.spec
> index a36b5df..8094d11 100644
> --- a/xz.spec
> +++ b/xz.spec
> @@ -19,8 +19,8 @@ Summary: LZMA Encoder/Decoder
> Summary(pl.UTF-8): Koder/Dekoder LZMA
> Name: xz
> Version: 5.4.6
> -Release: 1
> -Epoch: 1
> +Release: 2
> +Epoch: 2
> License: LGPL v2.1+, helper scripts on GPL v2+
> Group: Applications/Archiving
> Source0: https://github.com/tukaani-project/xz/releases/download/v%{version}/%{name}-%{version}.tar.bz2

Some notes from what I've gathered so far from a rather lengthy HN
thread:

- main backdoor appears to affect /usr/sbin/sshd on x86_64 with liblzma
  being pulled in as an indirect dependency. liblzma can be loaded by
  libsystemd if sshd was built with additional systemd patches which PLD
  does not use (unlike Debian and Fedora). So _possibly_ PLD is not
  affected

- despite that some claims start to surface that going back to 5.4.6
  might not be enough so let's see how this drama develops

From shm at digitalsun.pl Sat Mar 30 17:04:13 2024
From: shm at digitalsun.pl (Mateusz Kocielski)
Date: Sat, 30 Mar 2024 16:04:13 +0000
Subject: [packages/xz] Revert back to 5.4.6 as 5.6.x are BACKDOORED! https://www.openwall.com/lists/oss-security/2024/03/29
In-Reply-To:
References:
Message-ID:

On Sat, Mar 30, 2024 at 01:57:22PM +0100, Jan Palus wrote:
> On 30.03.2024 01:49, arekm wrote:
> > commit b369fe78b7b4a02e900fb6fe7ac035a9bba39436
> > Author: Arkadiusz Miśkiewicz
> > Date: Fri Mar 29 23:50:59 2024 +0100
> > 
> > Revert back to 5.4.6 as 5.6.x are BACKDOORED! https://www.openwall.com/lists/oss-security/2024/03/29/4
> > 
> > xz.spec | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> > ---
> > diff --git a/xz.spec b/xz.spec
> > index a36b5df..8094d11 100644
> > --- a/xz.spec
> > +++ b/xz.spec
> > @@ -19,8 +19,8 @@ Summary: LZMA Encoder/Decoder
> > Summary(pl.UTF-8): Koder/Dekoder LZMA
> > Name: xz
> > Version: 5.4.6
> > -Release: 1
> > -Epoch: 1
> > +Release: 2
> > +Epoch: 2
> > License: LGPL v2.1+, helper scripts on GPL v2+
> > Group: Applications/Archiving
> > Source0: https://github.com/tukaani-project/xz/releases/download/v%{version}/%{name}-%{version}.tar.bz2
> 
> Some notes from what I've gathered so far from a rather lengthy HN
> thread:
> 
> - main backdoor appears to affect /usr/sbin/sshd on x86_64 with liblzma
>   being pulled in as an indirect dependency. liblzma can be loaded by
>   libsystemd if sshd was built with additional systemd patches which PLD
>   does not use (unlike Debian and Fedora). So _possibly_ PLD is not
>   affected
> 
> - despite that some claims start to surface that going back to 5.4.6
>   might not be enough so let's see how this drama develops

Hi there,

I checked manually that the 5.6.1 version from this build [1] seems not
to be vulnerable (I verified it using the signature provided in the
original post [2]).

My suspicion regarding why it was not activated is due to the failure of
the following check on the build machine. The check is a part of the
malicious script which decides if the backdoor should be planted.

    [...]
    if test "x$CC" != 'xgcc' > /dev/null 2>&1;then
    exit 0
    fi
    [...]

The condition fails because CC set during the build is different:
'CC=x86_64-pld-linux-gcc'

However, please note that there might be additional components within
the package unknown to us at present.

Regards,
Mateusz

[1] http://buildlogs.pld-linux.org//index.php?dist=th&arch=x86_64&ok=1&ns=&cnt=50&off=0&name=xz&id=0a127d4c-eda2-4f14-aedf-4a69d79b5b80&action=text
[2] https://seclists.org/oss-sec/2024/q1/268
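Review bot: the Epoch bump (-Epoch: 1 / +Epoch: 2) is the part of this hunk that makes the revert effective, since Version: 5.4.6 is unchanged context here and with an equal Epoch an already-installed 5.6.x package would still compare newer than 5.4.6-2, so a Release bump alone would not pull it down; the commit message only says "Revert back to 5.4.6", so document the Epoch change and its reason in the spec changelog, and note that an Epoch can only ever go up, so every future xz build on this branch has to keep Epoch: 2 or higher.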
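An added example, not code from this thread, from the PLD build system or from the xz project: it reimplements the CC gate Mateusz quoted as a shell function, runs it over constructed build-log excerpts to show why a prefixed compiler name such as x86_64-pld-linux-gcc stops the stage while a plain gcc lets it continue, and, for Jan's note on the sshd -> libsystemd -> liblzma chain, checks constructed ldd output for liblzma. The log lines, the `CC='...'` line format, the ldd lines and the load addresses are all made up for the example and are not taken from a real buildlog or host.

```shell
#!/bin/sh
# Added example, not code from the PLD thread or from the xz project.
# It models the quoted CC gate of the malicious configure stage, applies
# it to constructed build-log lines, and checks constructed ldd output for
# the liblzma dependency chain described in the thread.

# Mirror of the quoted check: the stage gives up (exit 0, nothing planted)
# unless $CC is literally "gcc". Returns 0 when the gate would let the
# stage continue, 1 when it would abort, for the CC value given as $1.
gate_would_continue() {
    cc="$1"
    if test "x$cc" != 'xgcc' > /dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the first CC=<value> assignment found in a build log (surrounding
# quotes stripped), or nothing if the log records no such line.
# The CC='...' line format is an assumption made for this example.
cc_from_log() {
    awk 'match($0, /CC=[^ ]+/) {
             v = substr($0, RSTART + 3, RLENGTH - 3)
             gsub(/['\''"]/, "", v)
             print v
             exit
         }' "$1"
}

# One-word verdict for a build log: gate-open when the recorded CC is
# exactly gcc, gate-closed when it is anything else (the PLD case),
# no-cc-found when the log does not record CC at all.
assess_log() {
    cc=$(cc_from_log "$1")
    if [ -z "$cc" ]; then
        echo "no-cc-found"
    elif gate_would_continue "$cc"; then
        echo "gate-open"
    else
        echo "gate-closed"
    fi
}

# Returns 0 when liblzma appears among the resolved shared objects in the
# ldd output passed as $1, 1 otherwise.
loads_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed build-log excerpts (not real PLD buildlogs). The first uses
# the prefixed CC value quoted in the thread, the second a plain gcc.
PLD_LOG=$(mktemp)
GENERIC_LOG=$(mktemp)
trap 'rm -f "$PLD_LOG" "$GENERIC_LOG"' EXIT
cat > "$PLD_LOG" <<'EOF'
checking for x86_64-pld-linux-gcc... x86_64-pld-linux-gcc
configure: compiling with CC='x86_64-pld-linux-gcc'
EOF
cat > "$GENERIC_LOG" <<'EOF'
checking for gcc... gcc
configure: compiling with CC='gcc'
EOF

# Constructed ldd output (addresses are dummies): an sshd whose libsystemd
# pulls liblzma in, and one that does not link libsystemd at all.
SSHD_LDD_SYSTEMD='    libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f0000100000)
    liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f0000200000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000300000)'
SSHD_LDD_PLAIN='    libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f0000100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000300000)'

echo "PLD-style log:  $(assess_log "$PLD_LOG")"       # gate-closed
echo "plain-gcc log:  $(assess_log "$GENERIC_LOG")"   # gate-open
if loads_liblzma "$SSHD_LDD_SYSTEMD"; then
    echo "systemd-linked sshd: liblzma is mapped into the process"
fi
if ! loads_liblzma "$SSHD_LDD_PLAIN"; then
    echo "plain sshd: liblzma is not mapped"
fi
```

The two checks answer different questions and belong together in a triage: the gate tells you whether a given build could even have had the stage run (Mateusz's point about PLD's prefixed CC), while the ldd check tells you whether a given sshd would have loaded liblzma at all (Jan's point about the libsystemd patches). Neither replaces verifying the built library against a published signature, as Mateusz did.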