From mboxrd@z Thu Jan  1 00:00:00 1970
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] xz: Revert back to version 5.4.5 due to backdoor issue
Date: Sat, 30 Mar 2024 13:56:02 +0100
Message-ID: <8db31983-e9c1-4ca2-a7ce-c850e58f4eee@ipfire.org>
In-Reply-To: <65D89520-8353-4B5A-BC90-477009E745CB@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3804338542011417174=="
List-Id: <development.lists.ipfire.org>

--===============3804338542011417174==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi Michael,

On 30/03/2024 13:28, Michael Tremer wrote:
> Hello,
>
> Thank you. I merged this. The patch did add a couple of empty new lines at the end of the file again?!
I think that was just a plain and simple error on my part.

So that I didn't have to do a build then get the updated rootfile from
the log and then repeat the build with the new rootfile, I copied and
pasted the rootfile from CU183. I did see two blank lines at the end of
the file and I deleted them and then "saved the file". I think I didn't
correctly save the file with the two blank lines deleted.

No problem with the editor, only with the fingers controlling the editor
faster than the brain controlling the fingers :-)

Regards,

Adolf.
>
> -Michael
>
>> On 30 Mar 2024, at 08:14, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>
>> - xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have
>>    been one of the xz devs.
>> - IPFire looks not to be affected by the problem as we don't patch openssh to be linked
>>    with liblzma
>> - However due to question marks about what else might be in these 5.6.x versions it is
>>    better to revert back to a version that did not have the build-to-host.m4 file with the
>>    code that modifies the build if it meets certain criteria.
>>
>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> ---
>> config/rootfiles/common/xz | 34 +++++++++++++++++++++++-----------
>> lfs/xz                     |  6 ++++--
>> 2 files changed, 27 insertions(+), 13 deletions(-)
>>
>> diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
>> index 73c0e4d24..f3818a083 100644
>> --- a/config/rootfiles/common/xz
>> +++ b/config/rootfiles/common/xz
>> @@ -41,18 +41,17 @@ usr/bin/xzmore
>> #usr/lib/liblzma.la
>> #usr/lib/liblzma.so
>> usr/lib/liblzma.so.5
>> -usr/lib/liblzma.so.5.6.1
>> +usr/lib/liblzma.so.5.4.5
>> #usr/lib/pkgconfig/liblzma.pc
>> #usr/share/doc/xz
>> #usr/share/doc/xz/AUTHORS
>> #usr/share/doc/xz/COPYING
>> -#usr/share/doc/xz/COPYING.0BSD
>> #usr/share/doc/xz/COPYING.GPLv2
>> #usr/share/doc/xz/NEWS
>> #usr/share/doc/xz/README
>> #usr/share/doc/xz/THANKS
>> +#usr/share/doc/xz/TODO
>> #usr/share/doc/xz/api
>> -#usr/share/doc/xz/api/COPYING.CC-BY-SA-4.0
>> #usr/share/doc/xz/api/annotated.html
>> #usr/share/doc/xz/api/base_8h.html
>> #usr/share/doc/xz/api/bc_s.png
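Review bot: In the first rootfile hunk, `usr/lib/liblzma.so.5.6.1` is swapped for `usr/lib/liblzma.so.5.4.5`, but the diffstat lists only this rootfile and `lfs/xz`, so nothing visible in the patch removes a `liblzma.so.5.6.1` that is already installed. If any image or update shipped the 5.6.x library, add an explicit removal of that file to the update so the distrusted library does not stay on disk beside the reverted one.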
>> @@ -121,15 +120,16 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/doc/xz/api/tabs.css
>> #usr/share/doc/xz/api/version_8h.html
>> #usr/share/doc/xz/api/vli_8h.html
>> -#usr/share/doc/xz/api/xz-logo.png
>> #usr/share/doc/xz/examples
>> #usr/share/doc/xz/examples/00_README.txt
>> #usr/share/doc/xz/examples/01_compress_easy.c
>> #usr/share/doc/xz/examples/02_decompress.c
>> #usr/share/doc/xz/examples/03_compress_custom.c
>> #usr/share/doc/xz/examples/04_compress_easy_mt.c
>> -#usr/share/doc/xz/examples/11_file_info.c
>> #usr/share/doc/xz/examples/Makefile
>> +#usr/share/doc/xz/examples_old
>> +#usr/share/doc/xz/examples_old/xz_pipe_comp.c
>> +#usr/share/doc/xz/examples_old/xz_pipe_decomp.c
>> #usr/share/doc/xz/faq.txt
>> #usr/share/doc/xz/history.txt
>> #usr/share/doc/xz/lzma-file-format.txt
>> @@ -168,7 +168,6 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/man/de/man1/lzless.1
>> #usr/share/man/de/man1/lzma.1
>> #usr/share/man/de/man1/lzmadec.1
>> -#usr/share/man/de/man1/lzmainfo.1
>> #usr/share/man/de/man1/lzmore.1
>> #usr/share/man/de/man1/unlzma.1
>> #usr/share/man/de/man1/unxz.1
>> @@ -185,16 +184,21 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/man/fr
>> #usr/share/man/fr/man1
>> #usr/share/man/fr/man1/lzcat.1
>> +#usr/share/man/fr/man1/lzcmp.1
>> +#usr/share/man/fr/man1/lzdiff.1
>> #usr/share/man/fr/man1/lzless.1
>> #usr/share/man/fr/man1/lzma.1
>> #usr/share/man/fr/man1/lzmadec.1
>> -#usr/share/man/fr/man1/lzmainfo.1
>> +#usr/share/man/fr/man1/lzmore.1
>> #usr/share/man/fr/man1/unlzma.1
>> #usr/share/man/fr/man1/unxz.1
>> #usr/share/man/fr/man1/xz.1
>> #usr/share/man/fr/man1/xzcat.1
>> +#usr/share/man/fr/man1/xzcmp.1
>> #usr/share/man/fr/man1/xzdec.1
>> +#usr/share/man/fr/man1/xzdiff.1
>> #usr/share/man/fr/man1/xzless.1
>> +#usr/share/man/fr/man1/xzmore.1
>> #usr/share/man/ko
>> #usr/share/man/ko/man1
>> #usr/share/man/ko/man1/lzcat.1
>> @@ -206,7 +210,6 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/man/ko/man1/lzless.1
>> #usr/share/man/ko/man1/lzma.1
>> #usr/share/man/ko/man1/lzmadec.1
>> -#usr/share/man/ko/man1/lzmainfo.1
>> #usr/share/man/ko/man1/lzmore.1
>> #usr/share/man/ko/man1/unlzma.1
>> #usr/share/man/ko/man1/unxz.1
>> @@ -246,16 +249,27 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/man/pt_BR
>> #usr/share/man/pt_BR/man1
>> #usr/share/man/pt_BR/man1/lzcat.1
>> +#usr/share/man/pt_BR/man1/lzcmp.1
>> +#usr/share/man/pt_BR/man1/lzdiff.1
>> +#usr/share/man/pt_BR/man1/lzegrep.1
>> +#usr/share/man/pt_BR/man1/lzfgrep.1
>> +#usr/share/man/pt_BR/man1/lzgrep.1
>> #usr/share/man/pt_BR/man1/lzless.1
>> #usr/share/man/pt_BR/man1/lzma.1
>> #usr/share/man/pt_BR/man1/lzmadec.1
>> -#usr/share/man/pt_BR/man1/lzmainfo.1
>> +#usr/share/man/pt_BR/man1/lzmore.1
>> #usr/share/man/pt_BR/man1/unlzma.1
>> #usr/share/man/pt_BR/man1/unxz.1
>> #usr/share/man/pt_BR/man1/xz.1
>> #usr/share/man/pt_BR/man1/xzcat.1
>> +#usr/share/man/pt_BR/man1/xzcmp.1
>> #usr/share/man/pt_BR/man1/xzdec.1
>> +#usr/share/man/pt_BR/man1/xzdiff.1
>> +#usr/share/man/pt_BR/man1/xzegrep.1
>> +#usr/share/man/pt_BR/man1/xzfgrep.1
>> +#usr/share/man/pt_BR/man1/xzgrep.1
>> #usr/share/man/pt_BR/man1/xzless.1
>> +#usr/share/man/pt_BR/man1/xzmore.1
>> #usr/share/man/ro
>> #usr/share/man/ro/man1
>> #usr/share/man/ro/man1/lzcat.1
>> @@ -267,7 +281,6 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/man/ro/man1/lzless.1
>> #usr/share/man/ro/man1/lzma.1
>> #usr/share/man/ro/man1/lzmadec.1
>> -#usr/share/man/ro/man1/lzmainfo.1
>> #usr/share/man/ro/man1/lzmore.1
>> #usr/share/man/ro/man1/unlzma.1
>> #usr/share/man/ro/man1/unxz.1
>> @@ -292,7 +305,6 @@ usr/lib/liblzma.so.5.6.1
>> #usr/share/man/uk/man1/lzless.1
>> #usr/share/man/uk/man1/lzma.1
>> #usr/share/man/uk/man1/lzmadec.1
>> -#usr/share/man/uk/man1/lzmainfo.1
>> #usr/share/man/uk/man1/lzmore.1
>> #usr/share/man/uk/man1/unlzma.1
>> #usr/share/man/uk/man1/unxz.1
>> diff --git a/lfs/xz b/lfs/xz
>> index cbec430d4..982392aa0 100644
>> --- a/lfs/xz
>> +++ b/lfs/xz
>> @@ -24,7 +24,7 @@
>>
>> include Config
>>
>> -VER        =3D 5.6.1
>> +VER        =3D 5.4.5
>>
>> THISAPP    =3D xz-$(VER)
>> DL_FILE    =3D $(THISAPP).tar.xz
>> @@ -45,7 +45,7 @@ objects =3D $(DL_FILE)
>>
>> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
>>
>> -$(DL_FILE)_BLAKE2 =3D 3a1cf93d7223eb57e78eabe828a3d623acac5824ada299470e3=
126692ef89d1648293aef32468d70a5289611969d5299180c1b373dfbda002a49f3afc729d925
>> +$(DL_FILE)_BLAKE2 =3D 08d9afebd927ea5d155515a4c9eedda4d1a249f2b1ab6ada11f=
50e5b7a3c90b389b32378ab1c0872c7f4627de8dff37149d85e49f7f4d30614add37320ec4f3e
>>
>> install : $(TARGET)
>>
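Review bot: The new `$(DL_FILE)_BLAKE2` value is the only integrity pin for `xz-5.4.5.tar.xz` in this hunk, and neither the hunk nor the commit message says where it came from. Since the revert is motivated by distrust of the 5.6.x versions, state in the commit message that this is the checksum `lfs/xz` carried before the 5.6.x update (or how else it was verified), so a reviewer can confirm the tarball is the one previously shipped.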
>> @@ -80,3 +80,5 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> cd $(DIR_APP) && make install
>> @rm -rf $(DIR_APP)
>> @$(POSTBUILD)
>> +
>> +
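Review bot: The two added lines after `@$(POSTBUILD)` at the end of `lfs/xz` are empty and only introduce trailing blank lines. Drop them so the change to this file is limited to `VER` and the `_BLAKE2` checksum.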
>> --=20
>> 2.44.0
>>
>

-- 
Sent from my laptop

--===============3804338542011417174==--