On Fri, Mar 29 2024 at 06:46:59 PM +00:00:00, Christopher Klooz
<py0...@posteo.net> wrote:
Yes, F40 beta is affected, along with rawhide, but not F38/F39.
Unless I'm misunderstanding something, it looks xz-5.6.0-1.fc40 and
5.6.0-2.fc40 are backdoored, yes? Then rjones unknowingly broke the
backdoor in two different ways in 5.6.0-3.fc40, (a) by adding the
--disable-ifunc configure flag [1], and also (b) by running everything
through autoreconf to regenerate the malicious autogoo files [2]. So
F40 stable was never affected, but F40 updates-testing looks like it
really was backdoored for about one week, between February 27 [3] and
March 4 [4].
Hey Richard, if you agree with my quick assessment, then we should ask
secal...@redhat.com to update the warning article [5]. (I also don't
like the confusing references to "Fedora 41" in that article, since
Fedora 41 does not yet exist as something separate from rawhide.)
[1]
https://src.fedoraproject.org/rpms/xz/c/c837ae96c716c6d63da2b4a016e9034ade2a01f7?branch=f40
[2]
https://src.fedoraproject.org/rpms/xz/c/d2408dde878851ca6350297a738a72496a9558c4?branch=f40
[3] https://bodhi.fedoraproject.org/updates/FEDORA-2024-a7fba89402
[4] https://bodhi.fedoraproject.org/updates/FEDORA-2024-f5033032b8
[5] https://access.redhat.com/security/cve/CVE-2024-3094
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
