[packages/xz] Revert back to 5.4.6 as 5.6.x are BACKDOORED! https://www.openwall.com/lists/oss-security/2024/03/29

Mateusz Kocielski shm at digitalsun.pl
Sat Mar 30 17:04:13 CET 2024


On Sat, Mar 30, 2024 at 01:57:22PM +0100, Jan Palus wrote:
> On 30.03.2024 01:49, arekm wrote:
> > commit b369fe78b7b4a02e900fb6fe7ac035a9bba39436
> > Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
> > Date:   Fri Mar 29 23:50:59 2024 +0100
> > 
> >     Revert back to 5.4.6 as 5.6.x are BACKDOORED! https://www.openwall.com/lists/oss-security/2024/03/29/4
> > 
> >  xz.spec | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > ---
> > diff --git a/xz.spec b/xz.spec
> > index a36b5df..8094d11 100644
> > --- a/xz.spec
> > +++ b/xz.spec
> > @@ -19,8 +19,8 @@ Summary:	LZMA Encoder/Decoder
> >  Summary(pl.UTF-8):	Koder/Dekoder LZMA
> >  Name:		xz
> >  Version:	5.4.6
> > -Release:	1
> > -Epoch:		1
> > +Release:	2
> > +Epoch:		2
> >  License:	LGPL v2.1+, helper scripts on GPL v2+
> >  Group:		Applications/Archiving
> >  Source0:	https://github.com/tukaani-project/xz/releases/download/v%{version}/%{name}-%{version}.tar.bz2
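Review bot: the commit message says "Revert back to 5.4.6", but in this hunk `Version:	5.4.6` is unchanged context and the only edits are `-Release:	1` / `+Release:	2` and `-Epoch:		1` / `+Epoch:		2`; the message should say that the Version line was already at 5.4.6 before this commit and that the substance of the change is the Epoch bump, which is what makes this 5.4.6 package sort above an already-installed 5.6.x build (RPM compares Epoch before Version) so that an update downgrades instead of keeping the newer version. Since an Epoch can never be lowered again, it is also worth recording the reason in a comment next to the Epoch line in the spec.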
> 
> Some notes from what I've gathered so far from a rather lengthy HN
> thread:
> 
> - main backdoor appears to affect /usr/sbin/sshd on x86_64 with liblzma
>   being pulled in as an indirect dependency. liblzma can be loaded by
>   libsystemd if sshd was built with additional systemd patches which PLD
>   does not use (unlike Debian and Fedora). So _possibly_ PLD is not
>   affected
> 
> - despite that, some claims are starting to surface that going back to 5.4.6
>   might not be enough, so let's see how this drama develops

Hi there,

 I checked manually that the 5.6.1 version from this build [1] seems not
to be vulnerable (I verified it using the signature provided in the original
post [2]).


My suspicion regarding why it was not activated is that the following check
failed on the build machine. The check is part of the malicious script which
decides whether the backdoor should be planted.

[...]
if test "x$CC" != 'xgcc' > /dev/null 2>&1;then
exit 0
fi
[...]

The condition fails because the CC set during the build is different:
'CC=x86_64-pld-linux-gcc'. However, please note that there might be additional
components within the package unknown to us at present.

 Regards,
 Mateusz

[1] http://buildlogs.pld-linux.org//index.php?dist=th&arch=x86_64&ok=1&ns=&cnt=50&off=0&name=xz&id=0a127d4c-eda2-4f14-aedf-4a69d79b5b80&action=text
[2] https://seclists.org/oss-sec/2024/q1/268
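As an added example (not from the original mail, the PLD build or the xz project), the following POSIX shell script reproduces the defender-relevant parts of the two observations in this thread: the CC-name gate quoted from the malicious script, which explains why a cross-toolchain CC such as x86_64-pld-linux-gcc stops the planting, and Jan's note that exposure through the main backdoor needs sshd to load liblzma (directly or via libsystemd). The sample ldd outputs and version strings are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original mail or of any distribution's
# tooling. Three small checks modelled on the thread, runnable offline on
# constructed input; see the comments at the bottom for live use.

# Mirror the gate quoted in the mail:
#   if test "x$CC" != 'xgcc' > /dev/null 2>&1;then exit 0; fi
# Returns 0 when the gate would exit early (nothing planted), i.e. whenever
# CC is anything other than the literal string "gcc".
cc_gate_exits() {
    CC="$1"
    if test "x$CC" != 'xgcc'; then
        return 0
    fi
    return 1
}

# Returns 0 for the two release versions named as backdoored in the advisory
# linked from the subject line.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when ldd-style output lists liblzma, i.e. the sshd binary would
# map liblzma at start-up (the libsystemd path described in the thread).
sshd_pulls_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine the checks into a one-line verdict for a host.
xz_verdict() {
    ver="$1"
    ldd_out="$2"
    if ! xz_version_affected "$ver"; then
        echo "xz $ver: not a backdoored release"
    elif sshd_pulls_liblzma "$ldd_out"; then
        echo "xz $ver: backdoored release and sshd loads liblzma - exposed"
    else
        echo "xz $ver: backdoored release, sshd does not load liblzma - downgrade anyway"
    fi
}

# Constructed sample: sshd built with the systemd notification patch, so
# libsystemd and, through it, liblzma end up in the process (addresses faked).
SAMPLE_LDD_SYSTEMD='	linux-vdso.so.1 (0x0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)'

# Constructed sample: sshd built without that patch (the PLD situation).
SAMPLE_LDD_PLAIN='	linux-vdso.so.1 (0x0000)
	libcrypto.so.3 => /lib64/libcrypto.so.3 (0x0000)
	libc.so.6 => /lib64/libc.so.6 (0x0000)'

# Demo on the constructed samples.
for cc in gcc x86_64-pld-linux-gcc; do
    if cc_gate_exits "$cc"; then
        echo "CC=$cc: gate exits, backdoor not planted"
    else
        echo "CC=$cc: gate passes, script continues"
    fi
done
xz_verdict 5.6.1 "$SAMPLE_LDD_SYSTEMD"
xz_verdict 5.6.1 "$SAMPLE_LDD_PLAIN"
xz_verdict 5.4.6 "$SAMPLE_LDD_PLAIN"

# Live use on a host (not run here):
#   xz_verdict "$(xz --version | sed -n '1s/.* //p')" "$(ldd /usr/sbin/sshd)"
```

The gate check is the reason the PLD build escaped: the script aborts unless CC is exactly "gcc", and a toolchain prefix like x86_64-pld-linux-gcc is enough to trip it. The ldd check is a heuristic only; it says whether sshd would map liblzma, not whether the mapped copy is clean, so a host that shipped 5.6.x should still be downgraded and rebuilt regardless of the verdict.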
