* [PATCH] xz: Revert back to version 5.4.5 due to backdoor issue
@ 2024-03-30 8:14 Adolf Belka
2024-03-30 12:28 ` Michael Tremer
0 siblings, 1 reply; 4+ messages in thread
From: Adolf Belka @ 2024-03-30 8:14 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 5957 bytes --]
- xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have
been one of the xz devs.
- IPFire looks not to be affected by the problem as we don't patch openssh to be linked
with liblzma
- However due to question marks about what else might be in these 5.6.x versions it is
better to revert back to a version that did not have the build-to-host.m4 file with the
code that modifies the build if it meets certain criteria.
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
config/rootfiles/common/xz | 34 +++++++++++++++++++++++-----------
lfs/xz | 6 ++++--
2 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
index 73c0e4d24..f3818a083 100644
--- a/config/rootfiles/common/xz
+++ b/config/rootfiles/common/xz
@@ -41,18 +41,17 @@ usr/bin/xzmore
#usr/lib/liblzma.la
#usr/lib/liblzma.so
usr/lib/liblzma.so.5
-usr/lib/liblzma.so.5.6.1
+usr/lib/liblzma.so.5.4.5
#usr/lib/pkgconfig/liblzma.pc
#usr/share/doc/xz
#usr/share/doc/xz/AUTHORS
#usr/share/doc/xz/COPYING
-#usr/share/doc/xz/COPYING.0BSD
#usr/share/doc/xz/COPYING.GPLv2
#usr/share/doc/xz/NEWS
#usr/share/doc/xz/README
#usr/share/doc/xz/THANKS
+#usr/share/doc/xz/TODO
#usr/share/doc/xz/api
-#usr/share/doc/xz/api/COPYING.CC-BY-SA-4.0
#usr/share/doc/xz/api/annotated.html
#usr/share/doc/xz/api/base_8h.html
#usr/share/doc/xz/api/bc_s.png
@@ -121,15 +120,16 @@ usr/lib/liblzma.so.5.6.1
#usr/share/doc/xz/api/tabs.css
#usr/share/doc/xz/api/version_8h.html
#usr/share/doc/xz/api/vli_8h.html
-#usr/share/doc/xz/api/xz-logo.png
#usr/share/doc/xz/examples
#usr/share/doc/xz/examples/00_README.txt
#usr/share/doc/xz/examples/01_compress_easy.c
#usr/share/doc/xz/examples/02_decompress.c
#usr/share/doc/xz/examples/03_compress_custom.c
#usr/share/doc/xz/examples/04_compress_easy_mt.c
-#usr/share/doc/xz/examples/11_file_info.c
#usr/share/doc/xz/examples/Makefile
+#usr/share/doc/xz/examples_old
+#usr/share/doc/xz/examples_old/xz_pipe_comp.c
+#usr/share/doc/xz/examples_old/xz_pipe_decomp.c
#usr/share/doc/xz/faq.txt
#usr/share/doc/xz/history.txt
#usr/share/doc/xz/lzma-file-format.txt
@@ -168,7 +168,6 @@ usr/lib/liblzma.so.5.6.1
#usr/share/man/de/man1/lzless.1
#usr/share/man/de/man1/lzma.1
#usr/share/man/de/man1/lzmadec.1
-#usr/share/man/de/man1/lzmainfo.1
#usr/share/man/de/man1/lzmore.1
#usr/share/man/de/man1/unlzma.1
#usr/share/man/de/man1/unxz.1
@@ -185,16 +184,21 @@ usr/lib/liblzma.so.5.6.1
#usr/share/man/fr
#usr/share/man/fr/man1
#usr/share/man/fr/man1/lzcat.1
+#usr/share/man/fr/man1/lzcmp.1
+#usr/share/man/fr/man1/lzdiff.1
#usr/share/man/fr/man1/lzless.1
#usr/share/man/fr/man1/lzma.1
#usr/share/man/fr/man1/lzmadec.1
-#usr/share/man/fr/man1/lzmainfo.1
+#usr/share/man/fr/man1/lzmore.1
#usr/share/man/fr/man1/unlzma.1
#usr/share/man/fr/man1/unxz.1
#usr/share/man/fr/man1/xz.1
#usr/share/man/fr/man1/xzcat.1
+#usr/share/man/fr/man1/xzcmp.1
#usr/share/man/fr/man1/xzdec.1
+#usr/share/man/fr/man1/xzdiff.1
#usr/share/man/fr/man1/xzless.1
+#usr/share/man/fr/man1/xzmore.1
#usr/share/man/ko
#usr/share/man/ko/man1
#usr/share/man/ko/man1/lzcat.1
@@ -206,7 +210,6 @@ usr/lib/liblzma.so.5.6.1
#usr/share/man/ko/man1/lzless.1
#usr/share/man/ko/man1/lzma.1
#usr/share/man/ko/man1/lzmadec.1
-#usr/share/man/ko/man1/lzmainfo.1
#usr/share/man/ko/man1/lzmore.1
#usr/share/man/ko/man1/unlzma.1
#usr/share/man/ko/man1/unxz.1
@@ -246,16 +249,27 @@ usr/lib/liblzma.so.5.6.1
#usr/share/man/pt_BR
#usr/share/man/pt_BR/man1
#usr/share/man/pt_BR/man1/lzcat.1
+#usr/share/man/pt_BR/man1/lzcmp.1
+#usr/share/man/pt_BR/man1/lzdiff.1
+#usr/share/man/pt_BR/man1/lzegrep.1
+#usr/share/man/pt_BR/man1/lzfgrep.1
+#usr/share/man/pt_BR/man1/lzgrep.1
#usr/share/man/pt_BR/man1/lzless.1
#usr/share/man/pt_BR/man1/lzma.1
#usr/share/man/pt_BR/man1/lzmadec.1
-#usr/share/man/pt_BR/man1/lzmainfo.1
+#usr/share/man/pt_BR/man1/lzmore.1
#usr/share/man/pt_BR/man1/unlzma.1
#usr/share/man/pt_BR/man1/unxz.1
#usr/share/man/pt_BR/man1/xz.1
#usr/share/man/pt_BR/man1/xzcat.1
+#usr/share/man/pt_BR/man1/xzcmp.1
#usr/share/man/pt_BR/man1/xzdec.1
+#usr/share/man/pt_BR/man1/xzdiff.1
+#usr/share/man/pt_BR/man1/xzegrep.1
+#usr/share/man/pt_BR/man1/xzfgrep.1
+#usr/share/man/pt_BR/man1/xzgrep.1
#usr/share/man/pt_BR/man1/xzless.1
+#usr/share/man/pt_BR/man1/xzmore.1
#usr/share/man/ro
#usr/share/man/ro/man1
#usr/share/man/ro/man1/lzcat.1
@@ -267,7 +281,6 @@ usr/lib/liblzma.so.5.6.1
#usr/share/man/ro/man1/lzless.1
#usr/share/man/ro/man1/lzma.1
#usr/share/man/ro/man1/lzmadec.1
-#usr/share/man/ro/man1/lzmainfo.1
#usr/share/man/ro/man1/lzmore.1
#usr/share/man/ro/man1/unlzma.1
#usr/share/man/ro/man1/unxz.1
@@ -292,7 +305,6 @@ usr/lib/liblzma.so.5.6.1
#usr/share/man/uk/man1/lzless.1
#usr/share/man/uk/man1/lzma.1
#usr/share/man/uk/man1/lzmadec.1
-#usr/share/man/uk/man1/lzmainfo.1
#usr/share/man/uk/man1/lzmore.1
#usr/share/man/uk/man1/unlzma.1
#usr/share/man/uk/man1/unxz.1
diff --git a/lfs/xz b/lfs/xz
index cbec430d4..982392aa0 100644
--- a/lfs/xz
+++ b/lfs/xz
@@ -24,7 +24,7 @@
include Config
-VER = 5.6.1
+VER = 5.4.5
THISAPP = xz-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -45,7 +45,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 3a1cf93d7223eb57e78eabe828a3d623acac5824ada299470e3126692ef89d1648293aef32468d70a5289611969d5299180c1b373dfbda002a49f3afc729d925
+$(DL_FILE)_BLAKE2 = 08d9afebd927ea5d155515a4c9eedda4d1a249f2b1ab6ada11f50e5b7a3c90b389b32378ab1c0872c7f4627de8dff37149d85e49f7f4d30614add37320ec4f3e
install : $(TARGET)
@@ -80,3 +80,5 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && make install
@rm -rf $(DIR_APP)
@$(POSTBUILD)
+
+
--
2.44.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] xz: Revert back to version 5.4.5 due to backdoor issue
2024-03-30 8:14 [PATCH] xz: Revert back to version 5.4.5 due to backdoor issue Adolf Belka
@ 2024-03-30 12:28 ` Michael Tremer
2024-03-30 12:56 ` Adolf Belka
0 siblings, 1 reply; 4+ messages in thread
From: Michael Tremer @ 2024-03-30 12:28 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 6405 bytes --]
Hello,
Thank you. I merged this. The patch did add a couple of empty new lines at the end of the file again?!
-Michael
> On 30 Mar 2024, at 08:14, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>
> - xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have
> been one of the xz devs.
> - IPFire looks not to be affected by the problem as we don't patch openssh to be linked
> with liblzma
> - However due to question marks about what else might be in these 5.6.x versions it is
> better to revert back to a version that did not have the build-to-host.m4 file with the
> code that modifies the build if it meets certain criteria.
>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> config/rootfiles/common/xz | 34 +++++++++++++++++++++++-----------
> lfs/xz | 6 ++++--
> 2 files changed, 27 insertions(+), 13 deletions(-)
>
> diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
> index 73c0e4d24..f3818a083 100644
> --- a/config/rootfiles/common/xz
> +++ b/config/rootfiles/common/xz
> @@ -41,18 +41,17 @@ usr/bin/xzmore
> #usr/lib/liblzma.la
> #usr/lib/liblzma.so
> usr/lib/liblzma.so.5
> -usr/lib/liblzma.so.5.6.1
> +usr/lib/liblzma.so.5.4.5
> #usr/lib/pkgconfig/liblzma.pc
> #usr/share/doc/xz
> #usr/share/doc/xz/AUTHORS
> #usr/share/doc/xz/COPYING
> -#usr/share/doc/xz/COPYING.0BSD
> #usr/share/doc/xz/COPYING.GPLv2
> #usr/share/doc/xz/NEWS
> #usr/share/doc/xz/README
> #usr/share/doc/xz/THANKS
> +#usr/share/doc/xz/TODO
> #usr/share/doc/xz/api
> -#usr/share/doc/xz/api/COPYING.CC-BY-SA-4.0
> #usr/share/doc/xz/api/annotated.html
> #usr/share/doc/xz/api/base_8h.html
> #usr/share/doc/xz/api/bc_s.png
> @@ -121,15 +120,16 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/doc/xz/api/tabs.css
> #usr/share/doc/xz/api/version_8h.html
> #usr/share/doc/xz/api/vli_8h.html
> -#usr/share/doc/xz/api/xz-logo.png
> #usr/share/doc/xz/examples
> #usr/share/doc/xz/examples/00_README.txt
> #usr/share/doc/xz/examples/01_compress_easy.c
> #usr/share/doc/xz/examples/02_decompress.c
> #usr/share/doc/xz/examples/03_compress_custom.c
> #usr/share/doc/xz/examples/04_compress_easy_mt.c
> -#usr/share/doc/xz/examples/11_file_info.c
> #usr/share/doc/xz/examples/Makefile
> +#usr/share/doc/xz/examples_old
> +#usr/share/doc/xz/examples_old/xz_pipe_comp.c
> +#usr/share/doc/xz/examples_old/xz_pipe_decomp.c
> #usr/share/doc/xz/faq.txt
> #usr/share/doc/xz/history.txt
> #usr/share/doc/xz/lzma-file-format.txt
> @@ -168,7 +168,6 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/de/man1/lzless.1
> #usr/share/man/de/man1/lzma.1
> #usr/share/man/de/man1/lzmadec.1
> -#usr/share/man/de/man1/lzmainfo.1
> #usr/share/man/de/man1/lzmore.1
> #usr/share/man/de/man1/unlzma.1
> #usr/share/man/de/man1/unxz.1
> @@ -185,16 +184,21 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/fr
> #usr/share/man/fr/man1
> #usr/share/man/fr/man1/lzcat.1
> +#usr/share/man/fr/man1/lzcmp.1
> +#usr/share/man/fr/man1/lzdiff.1
> #usr/share/man/fr/man1/lzless.1
> #usr/share/man/fr/man1/lzma.1
> #usr/share/man/fr/man1/lzmadec.1
> -#usr/share/man/fr/man1/lzmainfo.1
> +#usr/share/man/fr/man1/lzmore.1
> #usr/share/man/fr/man1/unlzma.1
> #usr/share/man/fr/man1/unxz.1
> #usr/share/man/fr/man1/xz.1
> #usr/share/man/fr/man1/xzcat.1
> +#usr/share/man/fr/man1/xzcmp.1
> #usr/share/man/fr/man1/xzdec.1
> +#usr/share/man/fr/man1/xzdiff.1
> #usr/share/man/fr/man1/xzless.1
> +#usr/share/man/fr/man1/xzmore.1
> #usr/share/man/ko
> #usr/share/man/ko/man1
> #usr/share/man/ko/man1/lzcat.1
> @@ -206,7 +210,6 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/ko/man1/lzless.1
> #usr/share/man/ko/man1/lzma.1
> #usr/share/man/ko/man1/lzmadec.1
> -#usr/share/man/ko/man1/lzmainfo.1
> #usr/share/man/ko/man1/lzmore.1
> #usr/share/man/ko/man1/unlzma.1
> #usr/share/man/ko/man1/unxz.1
> @@ -246,16 +249,27 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/pt_BR
> #usr/share/man/pt_BR/man1
> #usr/share/man/pt_BR/man1/lzcat.1
> +#usr/share/man/pt_BR/man1/lzcmp.1
> +#usr/share/man/pt_BR/man1/lzdiff.1
> +#usr/share/man/pt_BR/man1/lzegrep.1
> +#usr/share/man/pt_BR/man1/lzfgrep.1
> +#usr/share/man/pt_BR/man1/lzgrep.1
> #usr/share/man/pt_BR/man1/lzless.1
> #usr/share/man/pt_BR/man1/lzma.1
> #usr/share/man/pt_BR/man1/lzmadec.1
> -#usr/share/man/pt_BR/man1/lzmainfo.1
> +#usr/share/man/pt_BR/man1/lzmore.1
> #usr/share/man/pt_BR/man1/unlzma.1
> #usr/share/man/pt_BR/man1/unxz.1
> #usr/share/man/pt_BR/man1/xz.1
> #usr/share/man/pt_BR/man1/xzcat.1
> +#usr/share/man/pt_BR/man1/xzcmp.1
> #usr/share/man/pt_BR/man1/xzdec.1
> +#usr/share/man/pt_BR/man1/xzdiff.1
> +#usr/share/man/pt_BR/man1/xzegrep.1
> +#usr/share/man/pt_BR/man1/xzfgrep.1
> +#usr/share/man/pt_BR/man1/xzgrep.1
> #usr/share/man/pt_BR/man1/xzless.1
> +#usr/share/man/pt_BR/man1/xzmore.1
> #usr/share/man/ro
> #usr/share/man/ro/man1
> #usr/share/man/ro/man1/lzcat.1
> @@ -267,7 +281,6 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/ro/man1/lzless.1
> #usr/share/man/ro/man1/lzma.1
> #usr/share/man/ro/man1/lzmadec.1
> -#usr/share/man/ro/man1/lzmainfo.1
> #usr/share/man/ro/man1/lzmore.1
> #usr/share/man/ro/man1/unlzma.1
> #usr/share/man/ro/man1/unxz.1
> @@ -292,7 +305,6 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/uk/man1/lzless.1
> #usr/share/man/uk/man1/lzma.1
> #usr/share/man/uk/man1/lzmadec.1
> -#usr/share/man/uk/man1/lzmainfo.1
> #usr/share/man/uk/man1/lzmore.1
> #usr/share/man/uk/man1/unlzma.1
> #usr/share/man/uk/man1/unxz.1
> diff --git a/lfs/xz b/lfs/xz
> index cbec430d4..982392aa0 100644
> --- a/lfs/xz
> +++ b/lfs/xz
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 5.6.1
> +VER = 5.4.5
>
> THISAPP = xz-$(VER)
> DL_FILE = $(THISAPP).tar.xz
> @@ -45,7 +45,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_BLAKE2 = 3a1cf93d7223eb57e78eabe828a3d623acac5824ada299470e3126692ef89d1648293aef32468d70a5289611969d5299180c1b373dfbda002a49f3afc729d925
> +$(DL_FILE)_BLAKE2 = 08d9afebd927ea5d155515a4c9eedda4d1a249f2b1ab6ada11f50e5b7a3c90b389b32378ab1c0872c7f4627de8dff37149d85e49f7f4d30614add37320ec4f3e
>
> install : $(TARGET)
>
> @@ -80,3 +80,5 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> cd $(DIR_APP) && make install
> @rm -rf $(DIR_APP)
> @$(POSTBUILD)
> +
> +
> --
> 2.44.0
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] xz: Revert back to version 5.4.5 due to backdoor issue
2024-03-30 12:28 ` Michael Tremer
@ 2024-03-30 12:56 ` Adolf Belka
2024-03-30 13:05 ` Michael Tremer
0 siblings, 1 reply; 4+ messages in thread
From: Adolf Belka @ 2024-03-30 12:56 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 7235 bytes --]
Hi Michael,
On 30/03/2024 13:28, Michael Tremer wrote:
> Hello,
>
> Thank you. I merged this. The patch did add a couple of empty new lines at the end of the file again?!
I think that was just a plain and simple error on my part.
So that I didn't have to do a build then get the updated rootfile from
the log and then repeat the build with the new rootfile, I copy and
pasted the rootfile from CU183. I did see two blank lines at the end of
the file and I deleted them and then "saved the file". I think I didn't
correctly save the file with the two blank lines deleted.
No problem with the editor only with the fingers controlling the editor
faster than the brain controlling the fingers :-)
Regards,
Adolf.
>
> -Michael
>
>> On 30 Mar 2024, at 08:14, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>
>> - xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have
>> been one of the xz devs.
>> - IPFire looks not to be affected by the problem as we don't patch openssh to be linked
>> with liblzma
>> - However due to question marks about what else might be in these 5.6.x versions it is
>> better to revert back to a version that did not have the build-to-host.m4 file with the
>> code that modifies the build if it meets certain criteria.
>>
>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> ---
>> config/rootfiles/common/xz | 34 +++++++++++++++++++++++-----------
>> lfs/xz | 6 ++++--
>> 2 files changed, 27 insertions(+), 13 deletions(-)
>>
>> diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
>> index 73c0e4d24..f3818a083 100644
>> --- a/config/rootfiles/common/xz
>> +++ b/config/rootfiles/common/xz
>> @@ -41,18 +41,17 @@ usr/bin/xzmore
>> #usr/lib/liblzma.la
>> #usr/lib/liblzma.so
>> usr/lib/liblzma.so.5
>> -usr/lib/liblzma.so.5.6.1
>> +usr/lib/liblzma.so.5.4.5
>> #usr/lib/pkgconfig/liblzma.pc
>> #usr/share/doc/xz
>> #usr/share/doc/xz/AUTHORS
>> #usr/share/doc/xz/COPYING
>> -#usr/share/doc/xz/COPYING.0BSD
>> #usr/share/doc/xz/COPYING.GPLv2
>> #usr/share/doc/xz/NEWS
>> #usr/share/doc/xz/README
>> #usr/share/doc/xz/THANKS
>> +#usr/share/doc/xz/TODO
>> #usr/share/doc/xz/api
>> -#usr/share/doc/xz/api/COPYING.CC-BY-SA-4.0
>> #usr/share/doc/xz/api/annotated.html
>> #usr/share/doc/xz/api/base_8h.html
>> #usr/share/doc/xz/api/bc_s.png
>> @@ -121,15 +120,16 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/doc/xz/api/tabs.css
>> #usr/share/doc/xz/api/version_8h.html
>> #usr/share/doc/xz/api/vli_8h.html
>> -#usr/share/doc/xz/api/xz-logo.png
>> #usr/share/doc/xz/examples
>> #usr/share/doc/xz/examples/00_README.txt
>> #usr/share/doc/xz/examples/01_compress_easy.c
>> #usr/share/doc/xz/examples/02_decompress.c
>> #usr/share/doc/xz/examples/03_compress_custom.c
>> #usr/share/doc/xz/examples/04_compress_easy_mt.c
>> -#usr/share/doc/xz/examples/11_file_info.c
>> #usr/share/doc/xz/examples/Makefile
>> +#usr/share/doc/xz/examples_old
>> +#usr/share/doc/xz/examples_old/xz_pipe_comp.c
>> +#usr/share/doc/xz/examples_old/xz_pipe_decomp.c
>> #usr/share/doc/xz/faq.txt
>> #usr/share/doc/xz/history.txt
>> #usr/share/doc/xz/lzma-file-format.txt
>> @@ -168,7 +168,6 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/man/de/man1/lzless.1
>> #usr/share/man/de/man1/lzma.1
>> #usr/share/man/de/man1/lzmadec.1
>> -#usr/share/man/de/man1/lzmainfo.1
>> #usr/share/man/de/man1/lzmore.1
>> #usr/share/man/de/man1/unlzma.1
>> #usr/share/man/de/man1/unxz.1
>> @@ -185,16 +184,21 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/man/fr
>> #usr/share/man/fr/man1
>> #usr/share/man/fr/man1/lzcat.1
>> +#usr/share/man/fr/man1/lzcmp.1
>> +#usr/share/man/fr/man1/lzdiff.1
>> #usr/share/man/fr/man1/lzless.1
>> #usr/share/man/fr/man1/lzma.1
>> #usr/share/man/fr/man1/lzmadec.1
>> -#usr/share/man/fr/man1/lzmainfo.1
>> +#usr/share/man/fr/man1/lzmore.1
>> #usr/share/man/fr/man1/unlzma.1
>> #usr/share/man/fr/man1/unxz.1
>> #usr/share/man/fr/man1/xz.1
>> #usr/share/man/fr/man1/xzcat.1
>> +#usr/share/man/fr/man1/xzcmp.1
>> #usr/share/man/fr/man1/xzdec.1
>> +#usr/share/man/fr/man1/xzdiff.1
>> #usr/share/man/fr/man1/xzless.1
>> +#usr/share/man/fr/man1/xzmore.1
>> #usr/share/man/ko
>> #usr/share/man/ko/man1
>> #usr/share/man/ko/man1/lzcat.1
>> @@ -206,7 +210,6 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/man/ko/man1/lzless.1
>> #usr/share/man/ko/man1/lzma.1
>> #usr/share/man/ko/man1/lzmadec.1
>> -#usr/share/man/ko/man1/lzmainfo.1
>> #usr/share/man/ko/man1/lzmore.1
>> #usr/share/man/ko/man1/unlzma.1
>> #usr/share/man/ko/man1/unxz.1
>> @@ -246,16 +249,27 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/man/pt_BR
>> #usr/share/man/pt_BR/man1
>> #usr/share/man/pt_BR/man1/lzcat.1
>> +#usr/share/man/pt_BR/man1/lzcmp.1
>> +#usr/share/man/pt_BR/man1/lzdiff.1
>> +#usr/share/man/pt_BR/man1/lzegrep.1
>> +#usr/share/man/pt_BR/man1/lzfgrep.1
>> +#usr/share/man/pt_BR/man1/lzgrep.1
>> #usr/share/man/pt_BR/man1/lzless.1
>> #usr/share/man/pt_BR/man1/lzma.1
>> #usr/share/man/pt_BR/man1/lzmadec.1
>> -#usr/share/man/pt_BR/man1/lzmainfo.1
>> +#usr/share/man/pt_BR/man1/lzmore.1
>> #usr/share/man/pt_BR/man1/unlzma.1
>> #usr/share/man/pt_BR/man1/unxz.1
>> #usr/share/man/pt_BR/man1/xz.1
>> #usr/share/man/pt_BR/man1/xzcat.1
>> +#usr/share/man/pt_BR/man1/xzcmp.1
>> #usr/share/man/pt_BR/man1/xzdec.1
>> +#usr/share/man/pt_BR/man1/xzdiff.1
>> +#usr/share/man/pt_BR/man1/xzegrep.1
>> +#usr/share/man/pt_BR/man1/xzfgrep.1
>> +#usr/share/man/pt_BR/man1/xzgrep.1
>> #usr/share/man/pt_BR/man1/xzless.1
>> +#usr/share/man/pt_BR/man1/xzmore.1
>> #usr/share/man/ro
>> #usr/share/man/ro/man1
>> #usr/share/man/ro/man1/lzcat.1
>> @@ -267,7 +281,6 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/man/ro/man1/lzless.1
>> #usr/share/man/ro/man1/lzma.1
>> #usr/share/man/ro/man1/lzmadec.1
>> -#usr/share/man/ro/man1/lzmainfo.1
>> #usr/share/man/ro/man1/lzmore.1
>> #usr/share/man/ro/man1/unlzma.1
>> #usr/share/man/ro/man1/unxz.1
>> @@ -292,7 +305,6 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/man/uk/man1/lzless.1
>> #usr/share/man/uk/man1/lzma.1
>> #usr/share/man/uk/man1/lzmadec.1
>> -#usr/share/man/uk/man1/lzmainfo.1
>> #usr/share/man/uk/man1/lzmore.1
>> #usr/share/man/uk/man1/unlzma.1
>> #usr/share/man/uk/man1/unxz.1
>> diff --git a/lfs/xz b/lfs/xz
>> index cbec430d4..982392aa0 100644
>> --- a/lfs/xz
>> +++ b/lfs/xz
>> @@ -24,7 +24,7 @@
>>
>> include Config
>>
>> -VER = 5.6.1
>> +VER = 5.4.5
>>
>> THISAPP = xz-$(VER)
>> DL_FILE = $(THISAPP).tar.xz
>> @@ -45,7 +45,7 @@ objects = $(DL_FILE)
>>
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>
>> -$(DL_FILE)_BLAKE2 = 3a1cf93d7223eb57e78eabe828a3d623acac5824ada299470e3126692ef89d1648293aef32468d70a5289611969d5299180c1b373dfbda002a49f3afc729d925
>> +$(DL_FILE)_BLAKE2 = 08d9afebd927ea5d155515a4c9eedda4d1a249f2b1ab6ada11f50e5b7a3c90b389b32378ab1c0872c7f4627de8dff37149d85e49f7f4d30614add37320ec4f3e
>>
>> install : $(TARGET)
>>
>> @@ -80,3 +80,5 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> cd $(DIR_APP) && make install
>> @rm -rf $(DIR_APP)
>> @$(POSTBUILD)
>> +
>> +
>> --
>> 2.44.0
>>
>
--
Sent from my laptop
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] xz: Revert back to version 5.4.5 due to backdoor issue
2024-03-30 12:56 ` Adolf Belka
@ 2024-03-30 13:05 ` Michael Tremer
0 siblings, 0 replies; 4+ messages in thread
From: Michael Tremer @ 2024-03-30 13:05 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 7630 bytes --]
Ah okay, I do that all the time :) I just wanted to make sure that the configuration change you made didn’t get lost.
> On 30 Mar 2024, at 12:56, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>
> Hi Michael,
>
> On 30/03/2024 13:28, Michael Tremer wrote:
>> Hello,
>> Thank you. I merged this. The patch did add a couple of empty new lines at the end of the file again?!
> I think that was just a plain and simple error on my part.
>
> So that I didn't have to do a build then get the updated rootfile from the log and then repeat the build with the new rootfile, I copy and pasted the rootfile from CU183. I did see two blank lines at the end of the file and I deleted them and then "saved the file". I think I didn't correctly save the file with the two blank lines deleted.
>
> No problem with the editor only with the fingers controlling the editor faster than the brain controlling the fingers :-)
>
> Regards,
>
> Adolf.
>> -Michael
>>> On 30 Mar 2024, at 08:14, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>>
>>> - xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have
>>> been one of the xz devs.
>>> - IPFire looks not to be affected by the problem as we don't patch openssh to be linked
>>> with liblzma
>>> - However due to question marks about what else might be in these 5.6.x versions it is
>>> better to revert back to a version that did not have the build-to-host.m4 file with the
>>> code that modifies the build if it meets certain criteria.
>>>
>>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>>> ---
>>> config/rootfiles/common/xz | 34 +++++++++++++++++++++++-----------
>>> lfs/xz | 6 ++++--
>>> 2 files changed, 27 insertions(+), 13 deletions(-)
>>>
>>> diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
>>> index 73c0e4d24..f3818a083 100644
>>> --- a/config/rootfiles/common/xz
>>> +++ b/config/rootfiles/common/xz
>>> @@ -41,18 +41,17 @@ usr/bin/xzmore
>>> #usr/lib/liblzma.la
>>> #usr/lib/liblzma.so
>>> usr/lib/liblzma.so.5
>>> -usr/lib/liblzma.so.5.6.1
>>> +usr/lib/liblzma.so.5.4.5
>>> #usr/lib/pkgconfig/liblzma.pc
>>> #usr/share/doc/xz
>>> #usr/share/doc/xz/AUTHORS
>>> #usr/share/doc/xz/COPYING
>>> -#usr/share/doc/xz/COPYING.0BSD
>>> #usr/share/doc/xz/COPYING.GPLv2
>>> #usr/share/doc/xz/NEWS
>>> #usr/share/doc/xz/README
>>> #usr/share/doc/xz/THANKS
>>> +#usr/share/doc/xz/TODO
>>> #usr/share/doc/xz/api
>>> -#usr/share/doc/xz/api/COPYING.CC-BY-SA-4.0
>>> #usr/share/doc/xz/api/annotated.html
>>> #usr/share/doc/xz/api/base_8h.html
>>> #usr/share/doc/xz/api/bc_s.png
>>> @@ -121,15 +120,16 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/doc/xz/api/tabs.css
>>> #usr/share/doc/xz/api/version_8h.html
>>> #usr/share/doc/xz/api/vli_8h.html
>>> -#usr/share/doc/xz/api/xz-logo.png
>>> #usr/share/doc/xz/examples
>>> #usr/share/doc/xz/examples/00_README.txt
>>> #usr/share/doc/xz/examples/01_compress_easy.c
>>> #usr/share/doc/xz/examples/02_decompress.c
>>> #usr/share/doc/xz/examples/03_compress_custom.c
>>> #usr/share/doc/xz/examples/04_compress_easy_mt.c
>>> -#usr/share/doc/xz/examples/11_file_info.c
>>> #usr/share/doc/xz/examples/Makefile
>>> +#usr/share/doc/xz/examples_old
>>> +#usr/share/doc/xz/examples_old/xz_pipe_comp.c
>>> +#usr/share/doc/xz/examples_old/xz_pipe_decomp.c
>>> #usr/share/doc/xz/faq.txt
>>> #usr/share/doc/xz/history.txt
>>> #usr/share/doc/xz/lzma-file-format.txt
>>> @@ -168,7 +168,6 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/man/de/man1/lzless.1
>>> #usr/share/man/de/man1/lzma.1
>>> #usr/share/man/de/man1/lzmadec.1
>>> -#usr/share/man/de/man1/lzmainfo.1
>>> #usr/share/man/de/man1/lzmore.1
>>> #usr/share/man/de/man1/unlzma.1
>>> #usr/share/man/de/man1/unxz.1
>>> @@ -185,16 +184,21 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/man/fr
>>> #usr/share/man/fr/man1
>>> #usr/share/man/fr/man1/lzcat.1
>>> +#usr/share/man/fr/man1/lzcmp.1
>>> +#usr/share/man/fr/man1/lzdiff.1
>>> #usr/share/man/fr/man1/lzless.1
>>> #usr/share/man/fr/man1/lzma.1
>>> #usr/share/man/fr/man1/lzmadec.1
>>> -#usr/share/man/fr/man1/lzmainfo.1
>>> +#usr/share/man/fr/man1/lzmore.1
>>> #usr/share/man/fr/man1/unlzma.1
>>> #usr/share/man/fr/man1/unxz.1
>>> #usr/share/man/fr/man1/xz.1
>>> #usr/share/man/fr/man1/xzcat.1
>>> +#usr/share/man/fr/man1/xzcmp.1
>>> #usr/share/man/fr/man1/xzdec.1
>>> +#usr/share/man/fr/man1/xzdiff.1
>>> #usr/share/man/fr/man1/xzless.1
>>> +#usr/share/man/fr/man1/xzmore.1
>>> #usr/share/man/ko
>>> #usr/share/man/ko/man1
>>> #usr/share/man/ko/man1/lzcat.1
>>> @@ -206,7 +210,6 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/man/ko/man1/lzless.1
>>> #usr/share/man/ko/man1/lzma.1
>>> #usr/share/man/ko/man1/lzmadec.1
>>> -#usr/share/man/ko/man1/lzmainfo.1
>>> #usr/share/man/ko/man1/lzmore.1
>>> #usr/share/man/ko/man1/unlzma.1
>>> #usr/share/man/ko/man1/unxz.1
>>> @@ -246,16 +249,27 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/man/pt_BR
>>> #usr/share/man/pt_BR/man1
>>> #usr/share/man/pt_BR/man1/lzcat.1
>>> +#usr/share/man/pt_BR/man1/lzcmp.1
>>> +#usr/share/man/pt_BR/man1/lzdiff.1
>>> +#usr/share/man/pt_BR/man1/lzegrep.1
>>> +#usr/share/man/pt_BR/man1/lzfgrep.1
>>> +#usr/share/man/pt_BR/man1/lzgrep.1
>>> #usr/share/man/pt_BR/man1/lzless.1
>>> #usr/share/man/pt_BR/man1/lzma.1
>>> #usr/share/man/pt_BR/man1/lzmadec.1
>>> -#usr/share/man/pt_BR/man1/lzmainfo.1
>>> +#usr/share/man/pt_BR/man1/lzmore.1
>>> #usr/share/man/pt_BR/man1/unlzma.1
>>> #usr/share/man/pt_BR/man1/unxz.1
>>> #usr/share/man/pt_BR/man1/xz.1
>>> #usr/share/man/pt_BR/man1/xzcat.1
>>> +#usr/share/man/pt_BR/man1/xzcmp.1
>>> #usr/share/man/pt_BR/man1/xzdec.1
>>> +#usr/share/man/pt_BR/man1/xzdiff.1
>>> +#usr/share/man/pt_BR/man1/xzegrep.1
>>> +#usr/share/man/pt_BR/man1/xzfgrep.1
>>> +#usr/share/man/pt_BR/man1/xzgrep.1
>>> #usr/share/man/pt_BR/man1/xzless.1
>>> +#usr/share/man/pt_BR/man1/xzmore.1
>>> #usr/share/man/ro
>>> #usr/share/man/ro/man1
>>> #usr/share/man/ro/man1/lzcat.1
>>> @@ -267,7 +281,6 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/man/ro/man1/lzless.1
>>> #usr/share/man/ro/man1/lzma.1
>>> #usr/share/man/ro/man1/lzmadec.1
>>> -#usr/share/man/ro/man1/lzmainfo.1
>>> #usr/share/man/ro/man1/lzmore.1
>>> #usr/share/man/ro/man1/unlzma.1
>>> #usr/share/man/ro/man1/unxz.1
>>> @@ -292,7 +305,6 @@ usr/lib/liblzma.so.5.6.1
>>> #usr/share/man/uk/man1/lzless.1
>>> #usr/share/man/uk/man1/lzma.1
>>> #usr/share/man/uk/man1/lzmadec.1
>>> -#usr/share/man/uk/man1/lzmainfo.1
>>> #usr/share/man/uk/man1/lzmore.1
>>> #usr/share/man/uk/man1/unlzma.1
>>> #usr/share/man/uk/man1/unxz.1
>>> diff --git a/lfs/xz b/lfs/xz
>>> index cbec430d4..982392aa0 100644
>>> --- a/lfs/xz
>>> +++ b/lfs/xz
>>> @@ -24,7 +24,7 @@
>>>
>>> include Config
>>>
>>> -VER = 5.6.1
>>> +VER = 5.4.5
>>>
>>> THISAPP = xz-$(VER)
>>> DL_FILE = $(THISAPP).tar.xz
>>> @@ -45,7 +45,7 @@ objects = $(DL_FILE)
>>>
>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>
>>> -$(DL_FILE)_BLAKE2 = 3a1cf93d7223eb57e78eabe828a3d623acac5824ada299470e3126692ef89d1648293aef32468d70a5289611969d5299180c1b373dfbda002a49f3afc729d925
>>> +$(DL_FILE)_BLAKE2 = 08d9afebd927ea5d155515a4c9eedda4d1a249f2b1ab6ada11f50e5b7a3c90b389b32378ab1c0872c7f4627de8dff37149d85e49f7f4d30614add37320ec4f3e
>>>
>>> install : $(TARGET)
>>>
>>> @@ -80,3 +80,5 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>> cd $(DIR_APP) && make install
>>> @rm -rf $(DIR_APP)
>>> @$(POSTBUILD)
>>> +
>>> +
>>> --
>>> 2.44.0
>>>
>
> --
> Sent from my laptop
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-03-30 13:05 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-03-30 8:14 [PATCH] xz: Revert back to version 5.4.5 due to backdoor issue Adolf Belka
2024-03-30 12:28 ` Michael Tremer
2024-03-30 12:56 ` Adolf Belka
2024-03-30 13:05 ` Michael Tremer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox