From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] xz: Revert back to version 5.4.5 due to backdoor issue Date: Sat, 30 Mar 2024 13:05:33 +0000 Message-ID: <0C997945-E0C7-4C7D-B339-DA2FC33D6AC1@ipfire.org> In-Reply-To: <8db31983-e9c1-4ca2-a7ce-c850e58f4eee@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8937132620563258555==" List-Id: --===============8937132620563258555== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Ah okay, I do that all the time :) I just wanted to make sure that the config= uration change you made didn=E2=80=99t get lost. > On 30 Mar 2024, at 12:56, Adolf Belka wrote: >=20 > Hi Michael, >=20 > On 30/03/2024 13:28, Michael Tremer wrote: >> Hello, >> Thank you. I merged this. The patch did add a couple of empty new lines at= the end of the file again?! > I think that was just a plain and simple error on my part. >=20 > So that I didn't have to do a build then get the updated rootfile from the = log and then repeat the build with the new rootfile, I copy and pasted the ro= otfile from CU183. I did see two blank lines at the end of the file and I del= eted them and then "saved the file". I think I didn't correctly save the file= with the two blank lines deleted. >=20 > No problem with the editor only with the fingers controlling the editor fas= ter than the brain controlling the fingers :-) >=20 > Regards, >=20 > Adolf. >> -Michael >>> On 30 Mar 2024, at 08:14, Adolf Belka wrote: >>>=20 >>> - xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what l= ooks to have >>> been one of the xz devs. 
>>> - IPFire looks not to be affected by the problem as we don't patch openss= h to be linked
>>> with liblzma
>>> - However due to question marks about what else might be in these 5.6.x v= ersions it is
>>> better to revert back to a version that did not have the build-to-host.= m4 file with the
>>> code that modifies the build if it meets certain criteria.
>>>=20
>>> Signed-off-by: Adolf Belka
>>> ---
>>> config/rootfiles/common/xz | 34 +++++++++++++++++++++++----------
>>> lfs/xz | 6 ++++--
>>> 2 files changed, 27 insertions(+), 13 deletions(-)
>>>=20
>>> diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
>>> index 73c0e4d24..f3818a083 100644
>>> --- a/config/rootfiles/common/xz
>>> +++ b/config/rootfiles/common/xz
>>> @@ -41,18 +41,17 @@ usr/bin/xzmore
>>> #usr/lib/liblzma.la
>>> #usr/lib/liblzma.so
>>> usr/lib/liblzma.so.5
>>> -usr/lib/liblzma.so.5.6.1
>>> +usr/lib/liblzma.so.5.4.5
>>> #usr/lib/pkgconfig/liblzma.pc
>>> #usr/share/doc/xz
>>> #usr/share/doc/xz/AUTHORS
>>> #usr/share/doc/xz/COPYING
>>> -#usr/share/doc/xz/COPYING.0BSD
>>> #usr/share/doc/xz/COPYING.GPLv2
>>> #usr/share/doc/xz/NEWS
>>> #usr/share/doc/xz/README
>>> #usr/share/doc/xz/THANKS
>>> +#usr/share/doc/xz/TODO
>>> #usr/share/doc/xz/api
>>> -#usr/share/doc/xz/api/COPYING.CC-BY-SA-4.0
>>> #usr/share/doc/xz/api/annotated.html
>>> #usr/share/doc/xz/api/base_8h.html
>>> #usr/share/doc/xz/api/bc_s.png
>>> @@ -121,15 +120,16 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/doc/xz/api/tabs.css
>>> #usr/share/doc/xz/api/version_8h.html
>>> #usr/share/doc/xz/api/vli_8h.html
>>> -#usr/share/doc/xz/api/xz-logo.png
>>> #usr/share/doc/xz/examples
>>> #usr/share/doc/xz/examples/00_README.txt
>>> #usr/share/doc/xz/examples/01_compress_easy.c
>>> #usr/share/doc/xz/examples/02_decompress.c
>>> #usr/share/doc/xz/examples/03_compress_custom.c
>>> #usr/share/doc/xz/examples/04_compress_easy_mt.c
>>> -#usr/share/doc/xz/examples/11_file_info.c
>>> #usr/share/doc/xz/examples/Makefile
>>> +#usr/share/doc/xz/examples_old
>>> +#usr/share/doc/xz/examples_old/xz_pipe_comp.c
>>> +#usr/share/doc/xz/examples_old/xz_pipe_decomp.c
>>> #usr/share/doc/xz/faq.txt
>>> #usr/share/doc/xz/history.txt
>>> #usr/share/doc/xz/lzma-file-format.txt
>>> @@ -168,7 +168,6 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/man/de/man1/lzless.1
>>> #usr/share/man/de/man1/lzma.1
>>> #usr/share/man/de/man1/lzmadec.1
>>> -#usr/share/man/de/man1/lzmainfo.1
>>> #usr/share/man/de/man1/lzmore.1
>>> #usr/share/man/de/man1/unlzma.1
>>> #usr/share/man/de/man1/unxz.1
>>> @@ -185,16 +184,21 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/man/fr
>>> #usr/share/man/fr/man1
>>> #usr/share/man/fr/man1/lzcat.1
>>> +#usr/share/man/fr/man1/lzcmp.1
>>> +#usr/share/man/fr/man1/lzdiff.1
>>> #usr/share/man/fr/man1/lzless.1
>>> #usr/share/man/fr/man1/lzma.1
>>> #usr/share/man/fr/man1/lzmadec.1
>>> -#usr/share/man/fr/man1/lzmainfo.1
>>> +#usr/share/man/fr/man1/lzmore.1
>>> #usr/share/man/fr/man1/unlzma.1
>>> #usr/share/man/fr/man1/unxz.1
>>> #usr/share/man/fr/man1/xz.1
>>> #usr/share/man/fr/man1/xzcat.1
>>> +#usr/share/man/fr/man1/xzcmp.1
>>> #usr/share/man/fr/man1/xzdec.1
>>> +#usr/share/man/fr/man1/xzdiff.1
>>> #usr/share/man/fr/man1/xzless.1
>>> +#usr/share/man/fr/man1/xzmore.1
>>> #usr/share/man/ko
>>> #usr/share/man/ko/man1
>>> #usr/share/man/ko/man1/lzcat.1
>>> @@ -206,7 +210,6 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/man/ko/man1/lzless.1
>>> #usr/share/man/ko/man1/lzma.1
>>> #usr/share/man/ko/man1/lzmadec.1
>>> -#usr/share/man/ko/man1/lzmainfo.1
>>> #usr/share/man/ko/man1/lzmore.1
>>> #usr/share/man/ko/man1/unlzma.1
>>> #usr/share/man/ko/man1/unxz.1
>>> @@ -246,16 +249,27 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/man/pt_BR
>>> #usr/share/man/pt_BR/man1
>>> #usr/share/man/pt_BR/man1/lzcat.1
>>> +#usr/share/man/pt_BR/man1/lzcmp.1
>>> +#usr/share/man/pt_BR/man1/lzdiff.1
>>> +#usr/share/man/pt_BR/man1/lzegrep.1
>>> +#usr/share/man/pt_BR/man1/lzfgrep.1
>>> +#usr/share/man/pt_BR/man1/lzgrep.1
>>> #usr/share/man/pt_BR/man1/lzless.1
>>> #usr/share/man/pt_BR/man1/lzma.1
>>> #usr/share/man/pt_BR/man1/lzmadec.1
>>> -#usr/share/man/pt_BR/man1/lzmainfo.1
>>> +#usr/share/man/pt_BR/man1/lzmore.1
>>> #usr/share/man/pt_BR/man1/unlzma.1
>>> #usr/share/man/pt_BR/man1/unxz.1
>>> #usr/share/man/pt_BR/man1/xz.1
>>> #usr/share/man/pt_BR/man1/xzcat.1
>>> +#usr/share/man/pt_BR/man1/xzcmp.1
>>> #usr/share/man/pt_BR/man1/xzdec.1
>>> +#usr/share/man/pt_BR/man1/xzdiff.1
>>> +#usr/share/man/pt_BR/man1/xzegrep.1
>>> +#usr/share/man/pt_BR/man1/xzfgrep.1
>>> +#usr/share/man/pt_BR/man1/xzgrep.1
>>> #usr/share/man/pt_BR/man1/xzless.1
>>> +#usr/share/man/pt_BR/man1/xzmore.1
>>> #usr/share/man/ro
>>> #usr/share/man/ro/man1
>>> #usr/share/man/ro/man1/lzcat.1
>>> @@ -267,7 +281,6 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/man/ro/man1/lzless.1
>>> #usr/share/man/ro/man1/lzma.1
>>> #usr/share/man/ro/man1/lzmadec.1
>>> -#usr/share/man/ro/man1/lzmainfo.1
>>> #usr/share/man/ro/man1/lzmore.1
>>> #usr/share/man/ro/man1/unlzma.1
>>> #usr/share/man/ro/man1/unxz.1
>>> @@ -292,7 +305,6 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/man/uk/man1/lzless.1
>>> #usr/share/man/uk/man1/lzma.1
>>> #usr/share/man/uk/man1/lzmadec.1
>>> -#usr/share/man/uk/man1/lzmainfo.1
>>> #usr/share/man/uk/man1/lzmore.1
>>> #usr/share/man/uk/man1/unlzma.1
>>> #usr/share/man/uk/man1/unxz.1
>>> diff --git a/lfs/xz b/lfs/xz
>>> index cbec430d4..982392aa0 100644
>>> --- a/lfs/xz
>>> +++ b/lfs/xz
>>> @@ -24,7 +24,7 @@
>>>=20
>>> include Config
>>>=20
>>> -VER =3D 5.6.1
>>> +VER =3D 5.4.5
>>>=20
>>> THISAPP =3D xz-$(VER)
>>> DL_FILE =3D $(THISAPP).tar.xz
>>> @@ -45,7 +45,7 @@ objects =3D $(DL_FILE)
>>>=20
>>> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
>>>=20
>>> -$(DL_FILE)_BLAKE2 =3D 3a1cf93d7223eb57e78eabe828a3d623acac5824ada299470e= 3126692ef89d1648293aef32468d70a5289611969d5299180c1b373dfbda002a49f3afc729d925
>>> +$(DL_FILE)_BLAKE2 =3D 08d9afebd927ea5d155515a4c9eedda4d1a249f2b1ab6ada11= f50e5b7a3c90b389b32378ab1c0872c7f4627de8dff37149d85e49f7f4d30614add37320ec4f3e
>>>=20
>>> install : $(TARGET)
>>>=20
>>> @@ -80,3 +80,5 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>> cd $(DIR_APP) && make install
>>> @rm -rf $(DIR_APP)
>>> @$(POSTBUILD)
>>> +
>>> +
>>> --=20
>>> 2.44.0
>>>=20
>=20
> --=20
> Sent from my laptop
--===============8937132620563258555==--
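Review bot: The replacement `$(DL_FILE)_BLAKE2` value in the second lfs/xz hunk fixes the bytes of the 5.4.5 archive that was downloaded, but neither the hunk nor the commit message says how that archive was authenticated before its digest was recorded. The commit message attributes the 5.6.x problem to what looks to have been one of the xz developers and to a build-to-host.m4 file shipped with those versions, so the 5.4.5 tarball deserves the same scrutiny, for example by checking it against an upstream signature or comparing its contents with the repository tag, with the result stated in the commit message. I would also add a comment above `VER` in the first lfs/xz hunk, such as `# Held at 5.4.5 after the 5.6.0/5.6.1 backdoor; do not update without review`, so that a routine version update does not silently undo the revert.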