From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] xz: Revert back to version 5.4.5 due to backdoor issue Date: Sat, 30 Mar 2024 12:28:51 +0000 Message-ID: <65D89520-8353-4B5A-BC90-477009E745CB@ipfire.org> In-Reply-To: <20240330081458.5299-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3416494279364458892==" List-Id: --===============3416494279364458892== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello, Thank you. I merged this. The patch did add a couple of empty new lines at th= e end of the file again?! -Michael > On 30 Mar 2024, at 08:14, Adolf Belka wrote: >=20 > - xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what loo= ks to have > been one of the xz devs. > - IPFire looks not to be affected by the problem as we don't patch openssh = to be linked > with liblzma > - However due to question marks about what else might be in these 5.6.x ver= sions it is > better to revert back to a version that did not have the build-to-host.m4= file with the > code that modifies the build if it meets certain criteria. >=20 > Signed-off-by: Adolf Belka > --- > config/rootfiles/common/xz | 34 +++++++++++++++++++++++----------- > lfs/xz | 6 ++++-- > 2 files changed, 27 insertions(+), 13 deletions(-) >=20
> diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
> index 73c0e4d24..f3818a083 100644
> --- a/config/rootfiles/common/xz
> +++ b/config/rootfiles/common/xz
> @@ -41,18 +41,17 @@ usr/bin/xzmore
> #usr/lib/liblzma.la
> #usr/lib/liblzma.so
> usr/lib/liblzma.so.5
> -usr/lib/liblzma.so.5.6.1
> +usr/lib/liblzma.so.5.4.5
> #usr/lib/pkgconfig/liblzma.pc
> #usr/share/doc/xz
> #usr/share/doc/xz/AUTHORS
> #usr/share/doc/xz/COPYING
> -#usr/share/doc/xz/COPYING.0BSD
> #usr/share/doc/xz/COPYING.GPLv2
> #usr/share/doc/xz/NEWS
> #usr/share/doc/xz/README
> #usr/share/doc/xz/THANKS
> +#usr/share/doc/xz/TODO
> #usr/share/doc/xz/api
> -#usr/share/doc/xz/api/COPYING.CC-BY-SA-4.0
> #usr/share/doc/xz/api/annotated.html
> #usr/share/doc/xz/api/base_8h.html
> #usr/share/doc/xz/api/bc_s.png
> @@ -121,15 +120,16 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/doc/xz/api/tabs.css
> #usr/share/doc/xz/api/version_8h.html
> #usr/share/doc/xz/api/vli_8h.html
> -#usr/share/doc/xz/api/xz-logo.png
> #usr/share/doc/xz/examples
> #usr/share/doc/xz/examples/00_README.txt
> #usr/share/doc/xz/examples/01_compress_easy.c
> #usr/share/doc/xz/examples/02_decompress.c
> #usr/share/doc/xz/examples/03_compress_custom.c
> #usr/share/doc/xz/examples/04_compress_easy_mt.c
> -#usr/share/doc/xz/examples/11_file_info.c
> #usr/share/doc/xz/examples/Makefile
> +#usr/share/doc/xz/examples_old
> +#usr/share/doc/xz/examples_old/xz_pipe_comp.c
> +#usr/share/doc/xz/examples_old/xz_pipe_decomp.c
> #usr/share/doc/xz/faq.txt
> #usr/share/doc/xz/history.txt
> #usr/share/doc/xz/lzma-file-format.txt
> @@ -168,7 +168,6 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/de/man1/lzless.1
> #usr/share/man/de/man1/lzma.1
> #usr/share/man/de/man1/lzmadec.1
> -#usr/share/man/de/man1/lzmainfo.1
> #usr/share/man/de/man1/lzmore.1
> #usr/share/man/de/man1/unlzma.1
> #usr/share/man/de/man1/unxz.1
> @@ -185,16 +184,21 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/fr
> #usr/share/man/fr/man1
> #usr/share/man/fr/man1/lzcat.1
> +#usr/share/man/fr/man1/lzcmp.1
> +#usr/share/man/fr/man1/lzdiff.1
> #usr/share/man/fr/man1/lzless.1
> #usr/share/man/fr/man1/lzma.1
> #usr/share/man/fr/man1/lzmadec.1
> -#usr/share/man/fr/man1/lzmainfo.1
> +#usr/share/man/fr/man1/lzmore.1
> #usr/share/man/fr/man1/unlzma.1
> #usr/share/man/fr/man1/unxz.1
> #usr/share/man/fr/man1/xz.1
> #usr/share/man/fr/man1/xzcat.1
> +#usr/share/man/fr/man1/xzcmp.1
> #usr/share/man/fr/man1/xzdec.1
> +#usr/share/man/fr/man1/xzdiff.1
> #usr/share/man/fr/man1/xzless.1
> +#usr/share/man/fr/man1/xzmore.1
> #usr/share/man/ko
> #usr/share/man/ko/man1
> #usr/share/man/ko/man1/lzcat.1
> @@ -206,7 +210,6 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/ko/man1/lzless.1
> #usr/share/man/ko/man1/lzma.1
> #usr/share/man/ko/man1/lzmadec.1
> -#usr/share/man/ko/man1/lzmainfo.1
> #usr/share/man/ko/man1/lzmore.1
> #usr/share/man/ko/man1/unlzma.1
> #usr/share/man/ko/man1/unxz.1
> @@ -246,16 +249,27 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/pt_BR
> #usr/share/man/pt_BR/man1
> #usr/share/man/pt_BR/man1/lzcat.1
> +#usr/share/man/pt_BR/man1/lzcmp.1
> +#usr/share/man/pt_BR/man1/lzdiff.1
> +#usr/share/man/pt_BR/man1/lzegrep.1
> +#usr/share/man/pt_BR/man1/lzfgrep.1
> +#usr/share/man/pt_BR/man1/lzgrep.1
> #usr/share/man/pt_BR/man1/lzless.1
> #usr/share/man/pt_BR/man1/lzma.1
> #usr/share/man/pt_BR/man1/lzmadec.1
> -#usr/share/man/pt_BR/man1/lzmainfo.1
> +#usr/share/man/pt_BR/man1/lzmore.1
> #usr/share/man/pt_BR/man1/unlzma.1
> #usr/share/man/pt_BR/man1/unxz.1
> #usr/share/man/pt_BR/man1/xz.1
> #usr/share/man/pt_BR/man1/xzcat.1
> +#usr/share/man/pt_BR/man1/xzcmp.1
> #usr/share/man/pt_BR/man1/xzdec.1
> +#usr/share/man/pt_BR/man1/xzdiff.1
> +#usr/share/man/pt_BR/man1/xzegrep.1
> +#usr/share/man/pt_BR/man1/xzfgrep.1
> +#usr/share/man/pt_BR/man1/xzgrep.1
> #usr/share/man/pt_BR/man1/xzless.1
> +#usr/share/man/pt_BR/man1/xzmore.1
> #usr/share/man/ro
> #usr/share/man/ro/man1
> #usr/share/man/ro/man1/lzcat.1
> @@ -267,7 +281,6 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/ro/man1/lzless.1
> #usr/share/man/ro/man1/lzma.1
> #usr/share/man/ro/man1/lzmadec.1
> -#usr/share/man/ro/man1/lzmainfo.1
> #usr/share/man/ro/man1/lzmore.1
> #usr/share/man/ro/man1/unlzma.1
> #usr/share/man/ro/man1/unxz.1
> @@ -292,7 +305,6 @@ usr/lib/liblzma.so.5.6.1
> #usr/share/man/uk/man1/lzless.1
> #usr/share/man/uk/man1/lzma.1
> #usr/share/man/uk/man1/lzmadec.1
> -#usr/share/man/uk/man1/lzmainfo.1
> #usr/share/man/uk/man1/lzmore.1
> #usr/share/man/uk/man1/unlzma.1
> #usr/share/man/uk/man1/unxz.1
> diff --git a/lfs/xz b/lfs/xz
> index cbec430d4..982392aa0 100644
> --- a/lfs/xz
> +++ b/lfs/xz
> @@ -24,7 +24,7 @@
>=20
> include Config
>=20
> -VER =3D 5.6.1
> +VER =3D 5.4.5
>=20
> THISAPP =3D xz-$(VER)
> DL_FILE =3D $(THISAPP).tar.xz
> @@ -45,7 +45,7 @@ objects =3D $(DL_FILE)
>=20
> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
>=20
> -$(DL_FILE)_BLAKE2 =3D 3a1cf93d7223eb57e78eabe828a3d623acac5824ada299470e31= 26692ef89d1648293aef32468d70a5289611969d5299180c1b373dfbda002a49f3afc729d925
> +$(DL_FILE)_BLAKE2 =3D 08d9afebd927ea5d155515a4c9eedda4d1a249f2b1ab6ada11f5= 0e5b7a3c90b389b32378ab1c0872c7f4627de8dff37149d85e49f7f4d30614add37320ec4f3e
>=20
> install : $(TARGET)
>=20
> @@ -80,3 +80,5 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> cd $(DIR_APP) && make install
> @rm -rf $(DIR_APP)
> @$(POSTBUILD)
> +
> +
> --=20
> 2.44.0
>=20
--===============3416494279364458892==--
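Review bot: The new `$(DL_FILE)_BLAKE2` value pins whatever xz-5.4.5.tar.xz was fetched from `$(DL_FROM)`, but nothing in this hunk or in the description records how that archive was checked, and the description itself places the malicious code in a build file (build-to-host.m4) rather than in the library sources. A checksum cannot distinguish a clean release archive from a tampered one, so I would note next to it what was verified, for example `# 5.4.5 archive checked: no build-to-host.m4; compared with upstream git tag`. The `VER = 5.4.5` line in the previous hunk has the same gap: a comment such as `# Deliberate downgrade from 5.6.x (backdoored releases); do not bump without review` would stop a routine version update from undoing the revert. Both assignments sit in makefile context that continues outside the hunks shown.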