From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] xz: Revert back to version 5.4.5 due to backdoor issue
Date: Sat, 30 Mar 2024 12:28:51 +0000
Message-ID: <65D89520-8353-4B5A-BC90-477009E745CB@ipfire.org>
In-Reply-To: <20240330081458.5299-1-adolf.belka@ipfire.org>
Hello,
Thank you. I merged this. The patch did add a couple of empty new lines at the end of the file again?!
-Michael
> On 30 Mar 2024, at 08:14, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>
> - xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have
> been one of the xz devs.
> - IPFire looks not to be affected by the problem as we don't patch openssh to be linked
> with liblzma
> - However due to question marks about what else might be in these 5.6.x versions it is
> better to revert back to a version that did not have the build-to-host.m4 file with the
> code that modifies the build if it meets certain criteria.
>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> config/rootfiles/common/xz | 34 +++++++++++++++++++++++-----------
> lfs/xz | 6 ++++--
> 2 files changed, 27 insertions(+), 13 deletions(-)
>
> diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
> index 73c0e4d24..f3818a083 100644
> --- a/config/rootfiles/common/xz
> +++ b/config/rootfiles/common/xz
> @@ -41,18 +41,17 @@ usr/bin/xzmore
> #usr/lib/liblzma.la
> #usr/lib/liblzma.so
> usr/lib/liblzma.so.5
> -usr/lib/liblzma.so.5.6.1
> +usr/lib/liblzma.so.5.4.5
> #usr/lib/pkgconfig/liblzma.pc
> #usr/share/doc/xz
> #usr/share/doc/xz/AUTHORS
> #usr/share/doc/xz/COPYING
> -#usr/share/doc/xz/COPYING.0BSD
> #usr/share/doc/xz/COPYING.GPLv2
> #usr/share/doc/xz/NEWS
> #usr/share/doc/xz/README
> #usr/share/doc/xz/THANKS
> +#usr/share/doc/xz/TODO
> #usr/share/doc/xz/api
> -#usr/share/doc/xz/api/COPYING.CC-BY-SA-4.0
> #usr/share/doc/xz/api/annotated.html
> #usr/share/doc/xz/api/base_8h.html
> #usr/share/doc/xz/api/bc_s.png
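Review bot: Swapping `usr/lib/liblzma.so.5.6.1` for `usr/lib/liblzma.so.5.4.5` at the top of this hunk only changes which file gets packaged; the patch touches just this rootfile and `lfs/xz`, so nothing here removes an already installed `liblzma.so.5.6.1` from a system that received the 5.6.x build. Since the reason for the revert is distrust of that library, the update that ships this change should delete the old file explicitly and confirm that the `usr/lib/liblzma.so.5` entry ends up resolving to 5.4.5.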
> @@ -121,15 +120,16 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/doc/xz/api/tabs.css
> #usr/share/doc/xz/api/version_8h.html
> #usr/share/doc/xz/api/vli_8h.html
> -#usr/share/doc/xz/api/xz-logo.png
> #usr/share/doc/xz/examples
> #usr/share/doc/xz/examples/00_README.txt
> #usr/share/doc/xz/examples/01_compress_easy.c
> #usr/share/doc/xz/examples/02_decompress.c
> #usr/share/doc/xz/examples/03_compress_custom.c
> #usr/share/doc/xz/examples/04_compress_easy_mt.c
> -#usr/share/doc/xz/examples/11_file_info.c
> #usr/share/doc/xz/examples/Makefile
> +#usr/share/doc/xz/examples_old
> +#usr/share/doc/xz/examples_old/xz_pipe_comp.c
> +#usr/share/doc/xz/examples_old/xz_pipe_decomp.c
> #usr/share/doc/xz/faq.txt
> #usr/share/doc/xz/history.txt
> #usr/share/doc/xz/lzma-file-format.txt
> @@ -168,7 +168,6 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/de/man1/lzless.1
> #usr/share/man/de/man1/lzma.1
> #usr/share/man/de/man1/lzmadec.1
> -#usr/share/man/de/man1/lzmainfo.1
> #usr/share/man/de/man1/lzmore.1
> #usr/share/man/de/man1/unlzma.1
> #usr/share/man/de/man1/unxz.1
> @@ -185,16 +184,21 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/fr
> #usr/share/man/fr/man1
> #usr/share/man/fr/man1/lzcat.1
> +#usr/share/man/fr/man1/lzcmp.1
> +#usr/share/man/fr/man1/lzdiff.1
> #usr/share/man/fr/man1/lzless.1
> #usr/share/man/fr/man1/lzma.1
> #usr/share/man/fr/man1/lzmadec.1
> -#usr/share/man/fr/man1/lzmainfo.1
> +#usr/share/man/fr/man1/lzmore.1
> #usr/share/man/fr/man1/unlzma.1
> #usr/share/man/fr/man1/unxz.1
> #usr/share/man/fr/man1/xz.1
> #usr/share/man/fr/man1/xzcat.1
> +#usr/share/man/fr/man1/xzcmp.1
> #usr/share/man/fr/man1/xzdec.1
> +#usr/share/man/fr/man1/xzdiff.1
> #usr/share/man/fr/man1/xzless.1
> +#usr/share/man/fr/man1/xzmore.1
> #usr/share/man/ko
> #usr/share/man/ko/man1
> #usr/share/man/ko/man1/lzcat.1
> @@ -206,7 +210,6 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/ko/man1/lzless.1
> #usr/share/man/ko/man1/lzma.1
> #usr/share/man/ko/man1/lzmadec.1
> -#usr/share/man/ko/man1/lzmainfo.1
> #usr/share/man/ko/man1/lzmore.1
> #usr/share/man/ko/man1/unlzma.1
> #usr/share/man/ko/man1/unxz.1
> @@ -246,16 +249,27 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/pt_BR
> #usr/share/man/pt_BR/man1
> #usr/share/man/pt_BR/man1/lzcat.1
> +#usr/share/man/pt_BR/man1/lzcmp.1
> +#usr/share/man/pt_BR/man1/lzdiff.1
> +#usr/share/man/pt_BR/man1/lzegrep.1
> +#usr/share/man/pt_BR/man1/lzfgrep.1
> +#usr/share/man/pt_BR/man1/lzgrep.1
> #usr/share/man/pt_BR/man1/lzless.1
> #usr/share/man/pt_BR/man1/lzma.1
> #usr/share/man/pt_BR/man1/lzmadec.1
> -#usr/share/man/pt_BR/man1/lzmainfo.1
> +#usr/share/man/pt_BR/man1/lzmore.1
> #usr/share/man/pt_BR/man1/unlzma.1
> #usr/share/man/pt_BR/man1/unxz.1
> #usr/share/man/pt_BR/man1/xz.1
> #usr/share/man/pt_BR/man1/xzcat.1
> +#usr/share/man/pt_BR/man1/xzcmp.1
> #usr/share/man/pt_BR/man1/xzdec.1
> +#usr/share/man/pt_BR/man1/xzdiff.1
> +#usr/share/man/pt_BR/man1/xzegrep.1
> +#usr/share/man/pt_BR/man1/xzfgrep.1
> +#usr/share/man/pt_BR/man1/xzgrep.1
> #usr/share/man/pt_BR/man1/xzless.1
> +#usr/share/man/pt_BR/man1/xzmore.1
> #usr/share/man/ro
> #usr/share/man/ro/man1
> #usr/share/man/ro/man1/lzcat.1
> @@ -267,7 +281,6 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/ro/man1/lzless.1
> #usr/share/man/ro/man1/lzma.1
> #usr/share/man/ro/man1/lzmadec.1
> -#usr/share/man/ro/man1/lzmainfo.1
> #usr/share/man/ro/man1/lzmore.1
> #usr/share/man/ro/man1/unlzma.1
> #usr/share/man/ro/man1/unxz.1
> @@ -292,7 +305,6 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/uk/man1/lzless.1
> #usr/share/man/uk/man1/lzma.1
> #usr/share/man/uk/man1/lzmadec.1
> -#usr/share/man/uk/man1/lzmainfo.1
> #usr/share/man/uk/man1/lzmore.1
> #usr/share/man/uk/man1/unlzma.1
> #usr/share/man/uk/man1/unxz.1
> diff --git a/lfs/xz b/lfs/xz
> index cbec430d4..982392aa0 100644
> --- a/lfs/xz
> +++ b/lfs/xz
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 5.6.1
> +VER = 5.4.5
>
> THISAPP = xz-$(VER)
> DL_FILE = $(THISAPP).tar.xz
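Review bot: The `VER = 5.4.5` line is a deliberate downgrade, but nothing in `lfs/xz` says so, and a later routine version bump could move it back to a 5.6.x release without anyone re-reading this thread. A short comment above `VER` naming the reason (the backdoor found in 5.6.0 and 5.6.1) would keep that visible in the file itself.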
> @@ -45,7 +45,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_BLAKE2 = 3a1cf93d7223eb57e78eabe828a3d623acac5824ada299470e3126692ef89d1648293aef32468d70a5289611969d5299180c1b373dfbda002a49f3afc729d925
> +$(DL_FILE)_BLAKE2 = 08d9afebd927ea5d155515a4c9eedda4d1a249f2b1ab6ada11f50e5b7a3c90b389b32378ab1c0872c7f4627de8dff37149d85e49f7f4d30614add37320ec4f3e
>
> install : $(TARGET)
>
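Review bot: The new `$(DL_FILE)_BLAKE2` value pins whichever `xz-5.4.5.tar.xz` the packager downloaded, but neither this hunk nor the commit message records how that tarball was checked. The commit message gives the `build-to-host.m4` file as the reason for picking this version, so it would help to state there where the tarball was fetched from and that the file behind this hash was inspected for that m4 code.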
> @@ -80,3 +80,5 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> cd $(DIR_APP) && make install
> @rm -rf $(DIR_APP)
> @$(POSTBUILD)
> +
> +
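Review bot: The two added `+` lines after `@$(POSTBUILD)` are blank lines at the end of `lfs/xz` and have nothing to do with the revert. Drop them so the file ends at `@$(POSTBUILD)`.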
> --
> 2.44.0
>