[packages/xz] Revert back to 5.4.6 as 5.6.x are BACKDOORED! https://www.openwall.com/lists/oss-security/2024/03/29
Mateusz Kocielski
shm at digitalsun.pl
Sat Mar 30 17:04:13 CET 2024
On Sat, Mar 30, 2024 at 01:57:22PM +0100, Jan Palus wrote:
> On 30.03.2024 01:49, arekm wrote:
> > commit b369fe78b7b4a02e900fb6fe7ac035a9bba39436
> > Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
> > Date: Fri Mar 29 23:50:59 2024 +0100
> >
> > Revert back to 5.4.6 as 5.6.x are BACKDOORED! https://www.openwall.com/lists/oss-security/2024/03/29/4
> >
> > xz.spec | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> > ---
> > diff --git a/xz.spec b/xz.spec
> > index a36b5df..8094d11 100644
> > --- a/xz.spec
> > +++ b/xz.spec
> > @@ -19,8 +19,8 @@ Summary: LZMA Encoder/Decoder
> > Summary(pl.UTF-8): Koder/Dekoder LZMA
> > Name: xz
> > Version: 5.4.6
> > -Release: 1
> > -Epoch: 1
> > +Release: 2
> > +Epoch: 2
> > License: LGPL v2.1+, helper scripts on GPL v2+
> > Group: Applications/Archiving
> > Source0: https://github.com/tukaani-project/xz/releases/download/v%{version}/%{name}-%{version}.tar.bz2
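Review bot: `Version: 5.4.6` appears only as unchanged context in this hunk, so the commit itself does not revert the version at all; it only bumps `Release: 1` -> `Release: 2` and `Epoch: 1` -> `Epoch: 2`. The commit message should say that the version was already back at 5.4.6 in the spec and that the point of this change is the Epoch bump, which is what makes a 5.4.6 package sort above the already-published 5.6.x packages (RPM compares Epoch before Version). It is also worth noting in the message or changelog that an Epoch bump is permanent, since it can never be lowered again without breaking upgrades.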
>
> Some notes from what I've gathered so far from a rather lengthy HN
> thread:
>
> - main backdoor appears to affect /usr/sbin/sshd on x86_64 with liblzma
> being pulled in as an indirect dependency. liblzma can be loaded by
> libsystemd if sshd was built with additional systemd patches which PLD
> does not use (unlike Debian and Fedora). So _possibly_ PLD is not
> affected
>
> - despite that, some claims are starting to surface that going back to 5.4.6
> might not be enough, so let's see how this drama develops
Hi there,
I checked manually that the 5.6.1 version from this build [1] seems not
to be vulnerable (I verified it using the signature provided in the original
post [2]).
My suspicion regarding why it was not activated is that the following check
failed on the build machine. The check is part of the malicious script that
decides whether the backdoor should be planted.
[...]
if test "x$CC" != 'xgcc' > /dev/null 2>&1;then
exit 0
fi
[...]
The condition fails because the CC set during the build is different:
'CC=x86_64-pld-linux-gcc'. However, please note that there might be additional
components within the package unknown to us at present.
Regards,
Mateusz
[1] http://buildlogs.pld-linux.org//index.php?dist=th&arch=x86_64&ok=1&ns=&cnt=50&off=0&name=xz&id=0a127d4c-eda2-4f14-aedf-4a69d79b5b80&action=text
[2] https://seclists.org/oss-sec/2024/q1/268
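As an added example (not part of this thread or of the PLD build scripts), the following POSIX shell turns the two observations above into reusable checks: Jan's note that the backdoor matters only where sshd ends up mapping liblzma (via libsystemd) and the affected releases are 5.6.x, and Mateusz's note that the build-time gate compares $CC against the literal string 'gcc'. The function names, the constructed ldd-style sample input and the report wrapper are my own; the version list and the CC comparison come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Helper names are hypothetical.

# Return 0 if the given xz/liblzma version string is one of the releases the
# thread identifies as backdoored (5.6.0 and 5.6.1), 1 otherwise.
xz_version_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Given ldd-style output for a binary, return 0 if liblzma is among the
# libraries it would map. This is the indirect-dependency condition from
# Jan's notes: sshd itself does not use xz, libsystemd pulls it in.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Mirror the gate quoted from the malicious build script: it aborts the
# injection unless CC is exactly "gcc". Return 0 if the gate would have
# exited (i.e. the backdoor would NOT have been planted) for this CC value.
gate_exits_for_cc() {
    if test "x$1" != 'xgcc'; then
        return 0
    fi
    return 1
}

# Inspect the live system with the helpers above. Purely informative; every
# branch degrades gracefully when sshd, ldd or xz are absent.
report_system() {
    sshd=/usr/sbin/sshd
    if [ -x "$sshd" ] && command -v ldd >/dev/null 2>&1; then
        deps=$(ldd "$sshd" 2>/dev/null || true)
        if links_liblzma "$deps"; then
            echo "sshd maps liblzma (typically via libsystemd): check xz version"
        else
            echo "sshd does not map liblzma"
        fi
    else
        echo "no sshd binary or ldd found; skipping dependency check"
    fi
    if command -v xz >/dev/null 2>&1; then
        # First line of `xz --version` looks like: xz (XZ Utils) 5.4.6
        ver=$(xz --version 2>/dev/null | sed -n 's/^xz (XZ Utils) \([0-9.]*\).*/\1/p')
        if xz_version_backdoored "$ver"; then
            echo "xz $ver is a backdoored release: revert to 5.4.6"
        else
            echo "xz ${ver:-unknown} is not one of the listed backdoored releases"
        fi
    else
        echo "xz not installed"
    fi
    if gate_exits_for_cc "${CC:-gcc}"; then
        echo "CC='${CC:-gcc}' would have tripped the build-script gate"
    else
        echo "CC='${CC:-gcc}' would have passed the build-script gate"
    fi
}

report_system
```

The version match is deliberately exact rather than a prefix test, because the thread names only 5.6.0 and 5.6.1; as Jan notes, whether 5.4.6 is actually clean is a separate question this check does not answer.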