Bug#1068348: xz-utils: Should activate trigger to force regenerating initramfs

2024-04-04 Thread Guillem Jover
Hi!

On Thu, 2024-04-04 at 23:13:03 +0200, Sebastian Andrzej Siewior wrote:
> On 2024-04-04 00:14:27 [+0200], Guillem Jover wrote:
> > I initially was thinking that a conditionally triggered activation
> > when upgrading from the affected versions would be sufficient, but if
> > people have already upgraded, then that will still leave them with the
> > malicious stuff in their initramfs.
> 
> Do you think about a one-time trigger to ensure the 5.6 release is gone
> or to keep it?

Given that we do not have a release barrier to assume people have
upgraded to a known state, and are dealing with the rolling testing
and sid releases, I'd say probably at least until the release of
trixie to be extra safe, or if you don't want to have it included in
the stable release, then to be removed immediately before or during
the freeze?

(As in, if you include it for say 5.6.1+really5.4.5-2 and remove it
in 5.6.1+really5.4.5-3, if someone does not upgrade until -3 or later
then they will still miss it.)

> I can't tell what happened exactly but the 5.6 release is
> gone from my _current_ initramfs so something triggered it already. Only
> the older "previous" kernel has it.

If you have since installed any other package that might also trigger its
regeneration such as grub, a linux kernel, udev, etc, then that would be
expected. But if users have not, they might still have the backdoor.

I think the price for an excess initramfs regeneration is worth the
hassle of the time it takes to perform that action (better safe than
sorry etc).

Thanks,
Guillem



Bug#1068348: xz-utils: Should activate trigger to force regenerating initramfs

2024-04-04 Thread Thorsten Glaser
Sebastian Andrzej Siewior dixit:

>the older "previous" kernel has it.

And that won’t be fixed even with a trigger.

Used to be -uk all would, but (#1065698) that doesn’t work any more.

Given how widespread the info already is and that it affects sid and
a subset of trixie users, maybe go with just a NEWS.Debian entry for
that?

(I’d be more interested in what other backdoors there might be, like
joeyh indicated.)

bye,
//mirabilos
-- 
22:20⎜ The crazy that persists in his craziness becomes a master
22:21⎜ And the distance between the craziness and geniality is
only measured by the success 18:35⎜ "Psychotics are consistently
inconsistent. The essence of sanity is to be inconsistently inconsistent



Bug#1068348: xz-utils: Should activate trigger to force regenerating initramfs

2024-04-04 Thread Sebastian Andrzej Siewior
On 2024-04-04 00:14:27 [+0200], Guillem Jover wrote:
> Hi!
Hi,

> I initially was thinking that a conditionally triggered activation
> when upgrading from the affected versions would be sufficient, but if
> people have already upgraded, then that will still leave them with the
> malicious stuff in their initramfs.

Do you think about a one-time trigger to ensure the 5.6 release is gone
or to keep it? I can't tell what happened exactly but the 5.6 release is
gone from my _current_ initramfs so something triggered it already. Only
the older "previous" kernel has it.

> Thanks,
> Guillem

Sebastian



Bug#1068348: xz-utils: Should activate trigger to force regenerating initramfs

2024-04-03 Thread Guillem Jover
Source: xz-utils
Source-Version: 5.6.1+really5.4.5-1
Severity: important

(Maybe this even deserves to be serious, dunno.)

Hi!

The last upload by the Security Team reverted the version, but that
does not necessarily include regenerating the system initramfs, as
brought up in a comment on LWN, although directed at RedHat/Fedora systems.
This is detectable in Debian and derivatives with something like:

  ,---
  # list every initramfs image and report any liblzma 5.6.x it still carries
  for i in /boot/initrd.img*; do
    echo "$i:"
    lsinitramfs "$i" | grep 'liblzma\.so\.5\.6'
  done
  `---

I suggested this to the Security Team some days ago, but I guess they
have their hands full. And a bug report here seems probably more
appropriate.

I initially was thinking that a conditionally triggered activation
when upgrading from the affected versions would be sufficient, but if
people have already upgraded, then that will still leave them with the
malicious stuff in their initramfs.

So I guess adding an unconditional:

  ,--- liblzma5.triggers ---
  activate-noawait update-initramfs
  `---

should do, but I have not tested the integration.

Thanks,
Guillem
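
The detection loop above, worked into a stand-alone script as an added example; it is not code from the bug report or from the xz-utils or initramfs-tools packages. It splits the decision (does a listing contain a liblzma 5.6.x realname?) from the lsinitramfs call so the logic can be exercised on a constructed listing, walks every image rather than only the running kernel's (the older "previous" image Sebastian and Thorsten mention is the one most likely to be missed), and prints the `update-initramfs -u -k <version>` invocation for each affected image so a single image can be rebuilt even where `-k all` is not relied upon. It assumes Debian's layout (`/boot/initrd.img-<kernel-version>`, `lsinitramfs(8)` from initramfs-tools) and that the installed liblzma5 package is already the reverted version; the sample listing is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the bug report): scan every initramfs image on a
# Debian-style system for the liblzma 5.6.x shared object, the upstream
# release line that carried the backdoor, and print, per affected image, the
# update-initramfs invocation that rebuilds just that kernel's image.
# Assumptions: images live at /boot/initrd.img-<kernel-version> and
# lsinitramfs(8) from initramfs-tools is installed.
set -u

# Realname of the affected library inside the image, e.g. liblzma.so.5.6.1.
# Matching the "5.6." prefix catches both 5.6.0 and 5.6.1; the reverted
# 5.6.1+really5.4.5 packages ship liblzma.so.5.4.5 and do not match.
AFFECTED_RE='liblzma\.so\.5\.6\.'

# Read an initramfs listing (one path per line) on stdin. Prints matching
# entries and returns 0 when the affected library is present, 1 otherwise.
# Kept separate from lsinitramfs so it can be run on a captured listing.
listing_has_affected_lzma() {
    grep -E "$AFFECTED_RE"
}

# /boot/initrd.img-6.6.15-amd64 -> 6.6.15-amd64, the argument for -k.
kernel_version_of() {
    basename "$1" | sed 's/^initrd\.img-//'
}

# Version of the installed liblzma5 package, or "unknown" without dpkg.
# Regenerating is only useful once this is the reverted (5.4.5) build.
installed_liblzma5_version() {
    dpkg-query -W -f '${Version}' liblzma5 2>/dev/null || echo unknown
}

# Walk all images; return 1 if any still contains the affected library.
scan_boot() {
    rc=0
    for img in /boot/initrd.img-*; do
        [ -f "$img" ] || continue              # glob matched nothing
        if lsinitramfs "$img" | listing_has_affected_lzma >/dev/null; then
            echo "AFFECTED: $img"
            echo "  rebuild with: update-initramfs -u -k $(kernel_version_of "$img")"
            rc=1
        else
            echo "clean:    $img"
        fi
    done
    return $rc
}

# Constructed sample listing (not captured from a real system) to show the
# decision logic without needing root or an initramfs at hand.
SAMPLE_LISTING='usr/lib/x86_64-linux-gnu/liblzma.so.5
usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
usr/lib/x86_64-linux-gnu/libzstd.so.1'

if printf '%s\n' "$SAMPLE_LISTING" | listing_has_affected_lzma >/dev/null; then
    echo "sample listing: affected (liblzma.so.5.6.x present)"
fi

# Live scan only where lsinitramfs exists; a clean system prints only "clean:" lines.
if command -v lsinitramfs >/dev/null 2>&1; then
    echo "installed liblzma5: $(installed_liblzma5_version)"
    scan_boot || echo "one or more images still carry liblzma 5.6.x; rebuild them as shown"
fi
```

Run it as an ordinary user after the liblzma5 downgrade has been installed; the rebuild commands it prints need root. A match in an image for a kernel that is no longer installed can also be dealt with by removing that image, since update-initramfs will not regenerate an image for a kernel it cannot find.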