Bug#1068047: Suspicious commit merged in 2021 from account responsible for xz backdoor
Control: severity -1 serious
Control: found -1 3.6.0-1

Hi Russ,

On Fri, Mar 29, 2024 at 07:24:13PM -0700, Russ Allbery wrote:
> Package: libarchive13t64
> Version: 3.7.2-1.1
> Severity: important
> X-Debbugs-Cc: r...@debian.org
>
> So far it looks like no one has been able to figure out an obvious way
> for this to be exploitable, but I wanted to make sure that you were
> aware of this upstream issue:
>
> https://github.com/libarchive/libarchive/pull/1609
>
> The author of this commit is the same GitHub account that was used to
> create the xz backdoor. Upstream has merged a revert of this change at:
>
> https://github.com/libarchive/libarchive/pull/2101
>
> It may be worth expediting getting this change into Debian in case the
> potential attacker knows something that we don't. However, I don't have
> any reason to currently believe that this is a security vulnerability,
> so I've kept the severity at important and not applied the security tag.

Let's be on the safe side, and at least make it RC.

Regards,
Salvatore
Bug#1068047: Suspicious commit merged in 2021 from account responsible for xz backdoor
On Fri, Mar 29, 2024 at 07:24:13PM -0700, Russ Allbery wrote:
> So far it looks like no one has been able to figure out an obvious way
> for this to be exploitable, but I wanted to make sure that you were
> aware of this upstream issue:
>
> https://github.com/libarchive/libarchive/pull/1609
>
> The author of this commit is the same GitHub account that was used to
> create the xz backdoor. Upstream has merged a revert of this change at:
>
> https://github.com/libarchive/libarchive/pull/2101
>
> It may be worth expediting getting this change into Debian in case the
> potential attacker knows something that we don't. However, I don't have
> any reason to currently believe that this is a security vulnerability,
> so I've kept the severity at important and not applied the security tag.

I also noticed this; I sent an e-mail to secur...@debian.org about it,
921847da-a715-42c4-b87d-e8a1f0fb5...@schwengle.net.

FWIW, this also impacts Debian stable. The commit can be found in tags:
v3.7.2 v3.7.1 v3.7.0 v3.6.2 v3.6.1 v3.6.0. Debian stable ships 3.6.2-1.

Cheers,
Wesley
Bug#1068047: Suspicious commit merged in 2021 from account responsible for xz backdoor
Package: libarchive13t64
Version: 3.7.2-1.1
Severity: important
X-Debbugs-Cc: r...@debian.org

So far it looks like no one has been able to figure out an obvious way
for this to be exploitable, but I wanted to make sure that you were
aware of this upstream issue:

https://github.com/libarchive/libarchive/pull/1609

The author of this commit is the same GitHub account that was used to
create the xz backdoor. Upstream has merged a revert of this change at:

https://github.com/libarchive/libarchive/pull/2101

It may be worth expediting getting this change into Debian in case the
potential attacker knows something that we don't. However, I don't have
any reason to currently believe that this is a security vulnerability,
so I've kept the severity at important and not applied the security tag.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'unstable-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.7.9-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libarchive13t64 depends on:
ii  libacl1        2.3.2-1
ii  libbz2-1.0     1.0.8-5.1
ii  libc6          2.37-15.1
ii  liblz4-1       1.9.4-1+b2
ii  liblzma5       5.6.1+really5.4.5-1
ii  libnettle8t64  3.9.1-2.2
ii  libxml2        2.9.14+dfsg-1.3+b2
ii  libzstd1       1.5.5+dfsg2-2
ii  zlib1g         1:1.3.dfsg-3.1

libarchive13t64 recommends no packages.

Versions of packages libarchive13t64 suggests:
pn  lrzip  <none>

-- no debconf information