Re: xz backdoor

2024-03-29 Thread Daniel Alley
This might be a good place to start

https://gitlab.gnome.org/GNOME/nautilus/-/issues/1936
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-03-29 Thread Michel Lind
Hi Jens,

Apologies for resurrecting an older thread here

On Thu, Feb 22, 2024 at 02:06:22PM +0800, Jens-Ulrik Petersen wrote:
> (Not sure if it makes sense to post to Discourse: Haskell library reviews
> are still a little bit "esoteric" since ghc uses some non-standard linking
> (ie various warnings appear which tend to discourage/throw less experienced
> reviewers alas: perhaps they should be spelled out further as exception(s)
> in the Haskell Packaging policy, so I don't need to keep explaining them).
> 
Warnings from fedora-review and rpmlint, or in the build output?

If the warnings are from the first two, we should probably try and get
them fixed - I will try and look closely the next time I do a Haskell
review.

Some other ecosystems (e.g. Guile) also trigger a lot of rpmlint
warnings, and I have in mind fixing the rpmlint policies so that at some
point we can actually make use of the result - right now there's too
many false positives.

Best regards,

-- 
 _o) Michel Lind (né Salim)
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2




Re: xz backdoor

2024-03-29 Thread Justin W. Flory (he/him)
More about this is now published on the Fedora Magazine as well in this
statement:
https://fedoramagazine.org/cve-2024-3094-security-alert-f40-rawhide/

Thank you to all of our Fedora first responders who stopped something that
could have been much worse. We should feel proud here. As far as Fedora and
our ecosystem is concerned, the exploit failed.

https://floss.social/@jwildeb...@social.wildeboer.net/112181976426765177

On Fri, Mar 29, 2024 at 2:01 PM Kevin Kofler via devel <
devel@lists.fedoraproject.org> wrote:

> Hi,
>
> wow: https://www.openwall.com/lists/oss-security/2024/
>
> I think at this point we clearly cannot trust xz upstream anymore and
> should
> probably fork the project.
>
> Kevin Kofler


-- 
*JWF* (*he/him*) ||  j...@redhat.com
TZ=America/New_York (UTC-4) 
*Fedora is a registered Digital Public Good*

While I may be sending this email outside my normal office hours, I have no
expectation to receive a reply outside yours.


[Bug 2270514] perl-CPAN-Perl-Releases-5.20240321 is available

2024-03-29 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2270514

Fedora Update System  changed:

   What             |Removed                                   |Added
   -----------------+------------------------------------------+------------------------------------------
   Fixed In Version |perl-CPAN-Perl-Releases-5.20240321-1.fc41 |perl-CPAN-Perl-Releases-5.20240321-1.fc41
                    |perl-CPAN-Perl-Releases-5.20240321-1.fc40 |perl-CPAN-Perl-Releases-5.20240321-1.fc40
                    |perl-CPAN-Perl-Releases-5.20240321-1.fc39 |perl-CPAN-Perl-Releases-5.20240321-1.fc39
                    |                                          |perl-CPAN-Perl-Releases-5.20240321-1.fc38



--- Comment #11 from Fedora Update System  ---
FEDORA-2024-0465fc03b8 (perl-CPAN-Perl-Releases-5.20240321-1.fc38) has been
pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2270514

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202270514%23c11
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Bug 2270521] perl-Module-CoreList-5.20240320 is available

2024-03-29 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2270521

Fedora Update System  changed:

   What             |Removed                                |Added
   -----------------+---------------------------------------+---------------------------------------
   Fixed In Version |perl-Module-CoreList-5.20240320-1.fc41 |perl-Module-CoreList-5.20240320-1.fc41
                    |perl-Module-CoreList-5.20240320-1.fc40 |perl-Module-CoreList-5.20240320-1.fc40
                    |perl-Module-CoreList-5.20240320-1.fc39 |perl-Module-CoreList-5.20240320-1.fc39
                    |                                       |perl-Module-CoreList-5.20240320-1.fc38



--- Comment #10 from Fedora Update System  ---
FEDORA-2024-1b24d0ba2e (perl-Module-CoreList-5.20240320-1.fc38) has been pushed
to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.




[Bug 2270514] perl-CPAN-Perl-Releases-5.20240321 is available

2024-03-29 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2270514

Fedora Update System  changed:

   What             |Removed                                   |Added
   -----------------+------------------------------------------+------------------------------------------
   Fixed In Version |perl-CPAN-Perl-Releases-5.20240321-1.fc41 |perl-CPAN-Perl-Releases-5.20240321-1.fc41
                    |perl-CPAN-Perl-Releases-5.20240321-1.fc40 |perl-CPAN-Perl-Releases-5.20240321-1.fc40
                    |                                          |perl-CPAN-Perl-Releases-5.20240321-1.fc39



--- Comment #10 from Fedora Update System  ---
FEDORA-2024-ea406abb46 (perl-CPAN-Perl-Releases-5.20240321-1.fc39) has been
pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.




[Bug 2270521] perl-Module-CoreList-5.20240320 is available

2024-03-29 Thread bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2270521

Fedora Update System  changed:

   What             |Removed                                |Added
   -----------------+---------------------------------------+---------------------------------------
   Fixed In Version |perl-Module-CoreList-5.20240320-1.fc41 |perl-Module-CoreList-5.20240320-1.fc41
                    |perl-Module-CoreList-5.20240320-1.fc40 |perl-Module-CoreList-5.20240320-1.fc40
                    |                                       |perl-Module-CoreList-5.20240320-1.fc39



--- Comment #9 from Fedora Update System  ---
FEDORA-2024-3699640048 (perl-Module-CoreList-5.20240320-1.fc39) has been pushed
to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.




Re: xz backdoor

2024-03-29 Thread Chris Adams
Once upon a time, Richard W.M. Jones  said:
> (1) We built 5.6.0 for Fedora 40 & 41.  Jia Tan was very insistent in
> emails that we should update.

So this wasn't just a "hey, new upstream version", this was PUSHED on
distributions by the culprit.  Are they a contributor to any other
software in the distribution?  I think anything they might have touched
has to be considered suspect.

Either (a) their systems have been completely compromised or (b) they
did this intentionally.  Neither is good.

> (2) We got reports later of a valgrind test failure.  I also saw it
> myself in my own projects that use liblzma.  We notified Jia Tan of
> this.

Why does libsystemd pull in liblzma (as well as liblz4 and libzstd,
because we need three compression libraries in one place)?  That seems
to be a broad amount of extra code, for a library that in a number of
network-listening services is just linked for socket activation.

Also, while it appears there's more than one developer with Github
commit access (one other made commits since the initial "bad" commit),
it would seem they aren't doing reviews, so not sure how much xz/liblzma
can be trusted to be linked into a whole lot of key programs.

-- 
Chris Adams 


Re: xz backdoor

2024-03-29 Thread Dmitry Belyavskiy
There is a chance Fedora is not affected according to the following
analysis:

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

Quoting:
=
If those conditions check, the payload is injected into the source tree. We
have not analyzed this payload in detail. Here are the main things we know:

The payload only activates if the running program has the process name
/usr/bin/sshd. This means that systems that put sshd in /usr/sbin or
another folder are not vulnerable. This further suspects targeting systemd
systems due to their usrmerge initiative putting all binaries in /usr/bin.
=

We have the patch from https://github.com/openssh/openssh-portable/pull/375
applied, BTW.

On Fri, Mar 29, 2024 at 10:59 PM Richard W.M. Jones 
wrote:

> On Fri, Mar 29, 2024 at 04:46:54PM -0500, Michael Catanzaro wrote:
> > On Fri, Mar 29 2024 at 04:10:53 PM -05:00:00, Michael Catanzaro
> >  wrote:
> > >OK, I am going to ask Product Security to edit their blog post to
> > >remove the incorrect information. I will CC you on that request.
> >
> > Or maybe I should rephrase this as a "request for clarification,"
> > because maybe they know something that we don't. E.g. the Ars
> > article [1] says
> >
> > "The build environment on Fedora 40, for example, contains
> > incompatibilities that prevent the injection from correctly
> > occurring. Fedora 40 has now reverted to the 5.4.x versions of xz
> > Utils."
> >
> > [1]
> https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
>
> Yeah that's just a confused report.  This is how it actually happened:
>
> (1) We built 5.6.0 for Fedora 40 & 41.  Jia Tan was very insistent in
> emails that we should update.
>
> (2) We got reports later of a valgrind test failure.  I also saw it
> myself in my own projects that use liblzma.  We notified Jia Tan of
> this.
>
> (3) Since the valgrind failure pointed to something with ifuncs, using
> './configure --disable-ifuncs' was used to fix this in F40 & F41.
>
> (4) xz 5.6.1 was released with a fix for the valgrind failure.
>
> (5) Fedora 40 was now in beta so we kept 5.6.0 + --disable-ifuncs.
> Fedora 41 was updated to 5.6.1 (enabling ifuncs again).
>
> And now with the benefit of hindsight ...
>
> In step (1) we worked in good faith with upstream.  Given how
> obfuscated the injection is, it's very unlikely we would have found
> the problem even if we'd spent days inspecting the tarball.  (And the
> initial step of injection is *not* in git, so forget about reviewing
> git commits.)
>
> The valgrind failure (2) was caused by a bug in the back door.
>
> Disabling ifuncs in (3) disabled the back door, because I think it
> relies on ifuncs to do its malware, but in any case the obfuscated
> injection script explicitly skips injection if ifuncs are disabled.
>
> Step (4) fixed the back door valgrind failure.
>
> The Fedora 40 beta freeze in (5) meant we got lucky for F40, not so
> much for F41.
>
> Rich.
>
> > Now, that's a secondary source, and I'm not confident if it is true,
> > but perhaps Product Security had time to analyze the build logs
> > before publishing and found something that we don't know about.
> > Richard, what do you think?
> >
>
> --
> Richard Jones, Virtualization Group, Red Hat
> http://people.redhat.com/~rjones
> Read my programming and virtualization blog: http://rwmj.wordpress.com
> nbdkit - Flexible, fast NBD server with plugins
> https://gitlab.com/nbdkit/nbdkit


-- 
Dmitry Belyavskiy


Re: xz backdoor

2024-03-29 Thread Richard W.M. Jones
On Fri, Mar 29, 2024 at 04:46:54PM -0500, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 04:10:53 PM -05:00:00, Michael Catanzaro
>  wrote:
> >OK, I am going to ask Product Security to edit their blog post to
> >remove the incorrect information. I will CC you on that request.
> 
> Or maybe I should rephrase this as a "request for clarification,"
> because maybe they know something that we don't. E.g. the Ars
> article [1] says
> 
> "The build environment on Fedora 40, for example, contains
> incompatibilities that prevent the injection from correctly
> occurring. Fedora 40 has now reverted to the 5.4.x versions of xz
> Utils."
>
> [1] 
> https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

Yeah that's just a confused report.  This is how it actually happened:

(1) We built 5.6.0 for Fedora 40 & 41.  Jia Tan was very insistent in
emails that we should update.

(2) We got reports later of a valgrind test failure.  I also saw it
myself in my own projects that use liblzma.  We notified Jia Tan of
this.

(3) Since the valgrind failure pointed to something with ifuncs, using
'./configure --disable-ifuncs' was used to fix this in F40 & F41.

(4) xz 5.6.1 was released with a fix for the valgrind failure.

(5) Fedora 40 was now in beta so we kept 5.6.0 + --disable-ifuncs.
Fedora 41 was updated to 5.6.1 (enabling ifuncs again).

And now with the benefit of hindsight ...

In step (1) we worked in good faith with upstream.  Given how
obfuscated the injection is, it's very unlikely we would have found
the problem even if we'd spent days inspecting the tarball.  (And the
initial step of injection is *not* in git, so forget about reviewing
git commits.)

The valgrind failure (2) was caused by a bug in the back door.

Disabling ifuncs in (3) disabled the back door, because I think it
relies on ifuncs to do its malware, but in any case the obfuscated
injection script explicitly skips injection if ifuncs are disabled.

Step (4) fixed the back door valgrind failure.

The Fedora 40 beta freeze in (5) meant we got lucky for F40, not so
much for F41.

Rich.

> Now, that's a secondary source, and I'm not confident if it is true,
> but perhaps Product Security had time to analyze the build logs
> before publishing and found something that we don't know about.
> Richard, what do you think?
> 

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins
https://gitlab.com/nbdkit/nbdkit


[EPEL-devel] EPEL Packages SIG page rewrite

2024-03-29 Thread Troy Dawson
I have done a first draft to rewrite the EPEL Packagers SIG page.[1]
The most dramatic thing was that I took out all of the "What is EPEL" stuff.
That is all found elsewhere in the EPEL docs and was (in my opinion) the
confusing stuff, making people think you needed to join the SIG, and that
by joining the SIG you had more permissions than you really did.
I really only did a minor change to the requirements, simply adding the
part I thought was significant to members of the SIG.
Let me know what y'all think.
I've added 'meeting' to the issue, so it will be on the agenda for next
week's meeting.

Troy

[1] - https://pagure.io/epel/pull-request/270
--
___
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: xz backdoor

2024-03-29 Thread Michael Catanzaro
On Fri, Mar 29 2024 at 04:10:53 PM -05:00:00, Michael Catanzaro wrote:
> OK, I am going to ask Product Security to edit their blog post to
> remove the incorrect information. I will CC you on that request.


Or maybe I should rephrase this as a "request for clarification," 
because maybe they know something that we don't. E.g. the Ars article 
[1] says


"The build environment on Fedora 40, for example, contains 
incompatibilities that prevent the injection from correctly occurring. 
Fedora 40 has now reverted to the 5.4.x versions of xz Utils."


[1] 
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/


Now, that's a secondary source, and I'm not confident if it is true, 
but perhaps Product Security had time to analyze the build logs before 
publishing and found something that we don't know about. Richard, what 
do you think?




Re: xz backdoor

2024-03-29 Thread Stephen Gallagher
Please add “Fedora ELN” as well. We have updates ready that should be
composed by midnight tonight, but it should be mentioned in the
announcements.

On Fri, Mar 29, 2024 at 5:11 PM Michael Catanzaro 
wrote:

> On Fri, Mar 29 2024 at 08:16:55 PM +00:00:00, Richard W.M. Jones
>  wrote:
> > These are the exact builds which were vulnerable.  Note the tags are
> > all empty because Kevin untagged them last night, so you'll probably
> > need to cross-reference these with bodhi updates.
>
> OK, I am going to ask Product Security to edit their blog post to
> remove the incorrect information. I will CC you on that request.
>
> Thanks,
>
> Michael
>


Re: xz backdoor

2024-03-29 Thread Michael Catanzaro
On Fri, Mar 29 2024 at 08:16:55 PM +00:00:00, Richard W.M. Jones wrote:
> These are the exact builds which were vulnerable.  Note the tags are
> all empty because Kevin untagged them last night, so you'll probably
> need to cross-reference these with bodhi updates.


OK, I am going to ask Product Security to edit their blog post to 
remove the incorrect information. I will CC you on that request.


Thanks,

Michael



Re: xz backdoor

2024-03-29 Thread Christopher Klooz

On 29/03/2024 21.01, Richard W.M. Jones wrote:
> On Fri, Mar 29, 2024 at 06:46:59PM +, Christopher Klooz wrote:
>> Yes, F40 beta is affected, along with rawhide, but not F38/F39.
>>
>> https://discussion.fedoraproject.org/t/warning-malicious-code-in-current-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683
>>
>> https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
>>
>> https://access.redhat.com/security/cve/CVE-2024-3094
>>
>> https://www.linkedin.com/posts/fedora-project_urgent-security-alert-for-fedora-41-and-fedora-activity-7179540438494629888-EH4d?utm_source=share_medium=member_desktop
>>
>> It might be noted that the header of the RH article is wrong and refers
>> to "F41 and rawhide", whereas the RH article content is correct and
>> refers to "F40 and rawhide". Other sources, including the publication of
>> Fedora Project (e.g., on linkedin), also refer to F40 and rawhide.
>> However, the RH CVE article also refers to "F41 and rawhide".
>>
>> Can someone from RH check and change the RH article header and the RH
>> CVE page content to avoid confusion? I tend to assume that "F41 and
>> rawhide" makes no sense at all since the two are currently equal.
>
> There was an F40 change that was vulnerable but it was in testing only
> briefly.  After disabling ifuncs we (accidentally) were not vulnerable
> in F40.  So the RH article is kind of correct.
>
> I still recommend everyone updating to the Epoch: 1 package if they're
> on F40 or F41.
>
> Also if you're on F41 and/or think you might have installed the
> vulnerable xz anywhere, note that the exploit has not been fully
> analyzed and no one really knows what it could do.  I'm currently
> reinstalling a couple of machines from scratch and have regenerated
> my SSH keys.
>
> Rich.

Thanks for the clarifications and your quick responses to the issue!

However, the article could be still adjusted in some direction to avoid
confusion, e.g.:

page header: "Urgent security alert for Fedora Linux 41 and Fedora Rawhide users" (-> 41)
page headline: "Urgent security alert for Fedora Linux 40 and Fedora Rawhide users" (-> 40)

Not the most urgent problem at the moment of course, but maybe someone
could adjust it at some time. As Michael already mentioned, the term
"F41" can be on itself a little confusing at the moment.

Chris

>> On 29/03/2024 19.37, Barry wrote:
>>> Has this shipped on f40 beta?
>>>
>>> Barry
>>>
>>> On 29 Mar 2024, at 18:08, Richard W.M. Jones wrote:
>>>> On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
>>>>> Hi,
>>>>>
>>>>> wow: https://www.openwall.com/lists/oss-security/2024/
>>>>>
>>>>> I think at this point we clearly cannot trust xz upstream anymore and should
>>>>> probably fork the project.
>>>>
>>>> I kind of agree here, though it saddens me to say it.  Any commit or
>>>> release by "Jia Tan" or "Hans Jansen" [1] is suspect until proven
>>>> otherwise, and those go back 2 or more years.
>>>>
>>>> Rich.
>>>>
>>>> [1] Putting quotes here because those are almost certainly not real
>>>> peoples' names.
>>>>
>>>> --
>>>> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
>>>> Read my programming and virtualization blog: http://rwmj.wordpress.com
>>>> virt-top is 'top' for virtual machines.  Tiny program with many
>>>> powerful monitoring features, net stats, disk stats, logging, etc.
>>>> http://people.redhat.com/~rjones/virt-top

Re: xz backdoor

2024-03-29 Thread Björn Persson
Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 07:44:12 PM +01:00:00, Mikel Olasagasti 
>  wrote:
> > Do we know if GH release tarballs are safe?  
> 
> The tarballs generated by GitHub that just include the contents of the 
> git repo should be safe (at least from this particular issue),

So it is reported. The bulk of the attack code is in the Git repository,
but the line that triggers it is only in the release tarballs, according
to the report – but that means that the attacker is or was able to push
commits to Github, so at this point it would be foolish to blindly trust
the Git repository or the Github-generated tarballs.

Björn Persson




Re: xz backdoor

2024-03-29 Thread Björn Persson
Mikel Olasagasti wrote:
> For whatever reason Source for xz was changed 2 months ago[1] to use
> GH releases instead of tukaani.org site.

The public key jia_tan_pubkey.txt did not change at the same time. It
was introduced on 2023-05-04 when the package was updated to version
5.4.3. Apparently the current tarballs on github.com and older tarballs
on tukaani.org were signed with the same OpenPGP key.

Either the attacker has been preparing this for a long time, and is
able to upload files to tukaani.org too, or else the attacker has
compromised an honest developer and gained access to their secret
OpenPGP key, their Github account, and probably all of their other
credentials.

Björn Persson




Re: xz backdoor

2024-03-29 Thread Chris Adams
Once upon a time, Richard W.M. Jones  said:
> On Fri, Mar 29, 2024 at 07:44:12PM +0100, Mikel Olasagasti wrote:
> > Do we know if GH release tarballs are safe?
> > @richard, do you remember why you had to change the source for the tarball?
> 
> Sadly the release tarballs we used *do* contain the vulnerability.
> I checked myself that the payload is present in the final xz RPMs.

I read that this did not go into the git history, so downloading a
Github-generated tarball SHOULD be safe (note SHOULD: I did not
personally check).

I guess a new security check when using release tarballs for projects
with public git that also supports tarball generation would be to have
both sources and compare.  Signed sources don't help when the signer is
the problem.

-- 
Chris Adams 
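
The check Chris Adams describes above (hold both the release tarball and the git-generated one, then compare them), as an added Python example that is not part of the original thread. The sample archives, their file contents and the `expected_generated` allowlist are constructed for illustration.

```python
import hashlib
import io
import tarfile


def strip_top(name):
    """Drop the leading 'project-1.0/' directory, which differs between sources."""
    if name.startswith("./"):
        name = name[2:]
    _, _, rest = name.partition("/")
    return rest


def tar_digests(data):
    """Map each regular file's path (top directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            path = strip_top(member.name)
            if member.isfile() and path:
                content = tar.extractfile(member).read()
                digests[path] = hashlib.sha256(content).hexdigest()
    return digests


def compare_sources(release_tar, git_tar, expected_generated=()):
    """Classify every difference between a release tarball and a git archive."""
    release, git = tar_digests(release_tar), tar_digests(git_tar)
    report = {
        "modified": [],                 # in both, content differs
        "release_only_unexpected": [],  # not in git and not allowlisted
        "release_only_expected": [],    # allowlisted by name; content unchecked
        "git_only": [],                 # in git but left out of the release
    }
    for path in sorted(release):
        if path in git:
            if release[path] != git[path]:
                report["modified"].append(path)
        elif path in expected_generated:
            report["release_only_expected"].append(path)
        else:
            report["release_only_unexpected"].append(path)
    report["git_only"] = sorted(set(git) - set(release))
    return report


def make_tar(top, files):
    """Build an in-memory .tar.gz (helper for the constructed sample only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(f"{top}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample, not real xz content. The two archives use different
# top-level directory names, as release and forge-generated tarballs often do.
SAMPLE_GIT = make_tar("demo-v1.0", {
    ".gitignore": b"configure\n",
    "README": b"demo 1.0\n",
    "configure.ac": b"AC_INIT([demo],[1.0])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
})
SAMPLE_RELEASE = make_tar("demo-1.0", {
    "README": b"demo 1.0 (edited after tagging)\n",
    "configure": b"#!/bin/sh\n# generated by autoconf\n",
    "configure.ac": b"AC_INIT([demo],[1.0])\n",
    "m4/build-to-host.m4": b"# constructed placeholder\n",
    "src/main.c": b"int main(void) { return 0; }\n",
})

if __name__ == "__main__":
    result = compare_sources(SAMPLE_RELEASE, SAMPLE_GIT,
                             expected_generated={"configure"})
    for category, paths in result.items():
        print(f"{category}: {paths}")
```

An allowlisted name says nothing about the file's content, so the allowlist only narrows what a reviewer has to read. As Richard W.M. Jones notes elsewhere in this thread, regenerating with autoreconf was not sufficient on its own; m4/build-to-host.m4 had to be deleted first.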


Re: xz backdoor

2024-03-29 Thread Richard W.M. Jones
On Fri, Mar 29, 2024 at 07:44:12PM +0100, Mikel Olasagasti wrote:
> Hi,
> 
> I'm seeing weird things.
> 
> For whatever reason Source for xz was changed 2 months ago[1] to use
> GH releases instead of tukaani.org site.
> 
> The XZ page[2] has a note stating:
> 
> "Note: GitHub automatically includes two archives Source code (zip)
> and Source code (tar.gz) in the releases. These archives cannot be
> disabled and should be ignored."
> 
> And the Wayback Machine[3] doesn't have previous versions.
> 
> Do we know if GH release tarballs are safe?
> @richard, do you remember why you had to change the source for the tarball?

Sadly the release tarballs we used *do* contain the vulnerability.
I checked myself that the payload is present in the final xz RPMs.

Rich.

> Regards,
> Mikel
> 
> [1] 
> https://src.fedoraproject.org/rpms/xz/c/0c09a6280b4a0c4fd7a9fc742c09469c95ff431f?branch=f40
> [2] https://xz.tukaani.org/
> [3] https://web.archive.org/web/20240119212251/https://xz.tukaani.org/
> 
> Kevin Kofler via devel (devel@lists.fedoraproject.org) wrote
> (Fri, 29 Mar 2024, 19:01):
> >
> > Hi,
> >
> > wow: https://www.openwall.com/lists/oss-security/2024/
> >
> > I think at this point we clearly cannot trust xz upstream anymore and should
> > probably fork the project.
> >
> > Kevin Kofler

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html


Re: xz backdoor

2024-03-29 Thread Richard W.M. Jones
On Fri, Mar 29, 2024 at 03:01:34PM -0500, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 07:56:49 PM +00:00:00, Richard W.M. Jones
>  wrote:
> >secalert are already well aware and have approved the update.  Kevin
> >Fenzi, myself and others were working on it late last night :-(
> 
> Sorry, I linked to the wrong article. I meant to link to [1] which
> says that "At this time the Fedora Linux 40 builds have not been
> shown to be compromised. We believe the malicious code injection did
> not take effect in these builds." But this statement contradicts my
> findings above, and you just replied "yes" to those, implying that
> my understanding is correct. So I guess either this blog post is
> wrong and needs to be updated, or you're wrong about me being right.
> Er, correct? :)
> 
> [1] 
> https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

These are the exact builds which were vulnerable.  Note the tags are
all empty because Kevin untagged them last night, so you'll probably
need to cross-reference these with bodhi updates.

xz-5.6.0-1.fc41
https://koji.fedoraproject.org/koji/buildinfo?buildID=2411083

xz-5.6.0-1.fc40
https://koji.fedoraproject.org/koji/buildinfo?buildID=2411092

xz-5.6.0-2.fc41
https://koji.fedoraproject.org/koji/buildinfo?buildID=2412686

xz-5.6.0-2.fc40
https://koji.fedoraproject.org/koji/buildinfo?buildID=2412698

xz-5.6.0-2.eln136
https://koji.fedoraproject.org/koji/buildinfo?buildID=2412908

xz-5.6.1-1.fc41
https://koji.fedoraproject.org/koji/buildinfo?buildID=2417414

xz-5.6.1-1.eln136
https://koji.fedoraproject.org/koji/buildinfo?buildID=2417425

NOT known to be vulnerable:

 * xz-5.6.0-3.fc41 (because --disable-ifunc)
 * xz-5.6.0-3.fc40 (because --disable-ifunc)
 * anything < 5.6.0

You can also use the detection script "detect.sh" written by Vegard
Nossum (https://www.openwall.com/lists/oss-security/2024/03/29/4)

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org


Re: xz backdoor

2024-03-29 Thread Germano Massullo
It would be interesting to study how SELinux would have reacted to such 
kind of attack against sshd



Re: xz backdoor

2024-03-29 Thread Michael Catanzaro
On Fri, Mar 29 2024 at 07:44:12 PM +01:00:00, Mikel Olasagasti wrote:
> Do we know if GH release tarballs are safe?


The tarballs generated by GitHub that just include the contents of the 
git repo should be safe (at least from this particular issue), but the 
Fedora package is not built from those. It was built from the malicious 
release tarballs.




Re: xz backdoor

2024-03-29 Thread Michael Catanzaro
On Fri, Mar 29 2024 at 07:56:49 PM +00:00:00, Richard W.M. Jones wrote:
> secalert are already well aware and have approved the update.  Kevin
> Fenzi, myself and others were working on it late last night :-(


Sorry, I linked to the wrong article. I meant to link to [1] which says 
that "At this time the Fedora Linux 40 builds have not been shown to be 
compromised. We believe the malicious code injection did not take 
effect in these builds." But this statement contradicts my findings 
above, and you just replied "yes" to those, implying that my 
understanding is correct. So I guess either this blog post is wrong and 
needs to be updated, or you're wrong about me being right. Er, correct? 
:)


[1] 
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users




Re: xz backdoor

2024-03-29 Thread Richard W.M. Jones
On Fri, Mar 29, 2024 at 06:46:59PM +, Christopher Klooz wrote:
> Yes, F40 beta is affected, along with rawhide, but not F38/F39.
> 
> https://discussion.fedoraproject.org/t/warning-malicious-code-in-current-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683
> 
> https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
> 
> https://access.redhat.com/security/cve/CVE-2024-3094
> 
> https://www.linkedin.com/posts/fedora-project_urgent-security-alert-for-fedora-41-and-fedora-activity-7179540438494629888-EH4d?utm_source=share_medium=member_desktop
> 
> It might be noted that the header of the RH article is wrong and refers to 
> "F41 and rawhide", whereas the RH article content is correct and refers to 
> "F40 and rawhide". Other sources, including the publication of Fedora Project 
> (e.g., on linkedin), also refer to F40 and rawhide. However, the RH CVE 
> article also refers to "F41 and rawhide".
> 
> Can someone from RH check and change the RH article header and the RH CVE 
> page content to avoid confusion? I tend to assume that "F41 and rawhide" 
> makes no sense at all since the two are currently equal.

There was an F40 change that was vulnerable but it was in testing only
briefly.  After disabling ifuncs we (accidentally) were not vulnerable
in F40.  So the RH article is kind of correct.

I still recommend everyone updating to the Epoch: 1 package if they're
on F40 or F41.

Also if you're on F41 and/or think you might have installed the
vulnerable xz anywhere, note that the exploit has not been fully
analyzed and no one really knows what it could do.  I'm currently
reinstalling a couple of machines from scratch and have regenerated
my SSH keys.

Rich.

> Chris
> 
> On 29/03/2024 19.37, Barry wrote:
> >Has this shipped on f40 beta?
> >
> >Barry
> >
> >>On 29 Mar 2024, at 18:08, Richard W.M. Jones  wrote:
> >>
> >>
> >>>On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
> >>>Hi,
> >>>
> >>>wow: https://www.openwall.com/lists/oss-security/2024/
> >>>
> >>>I think at this point we clearly cannot trust xz upstream anymore and 
> >>>should
> >>>probably fork the project.
> >>I kind of agree here, though it saddens me to say it.  Any commit or
> >>release by "Jia Tan" or "Hans Jansen" [1] is suspect until proven
> >>otherwise, and those go back 2 or more years.
> >>
> >>Rich.
> >>
> >>[1] Putting quotes here because those are almost certainly not real
> >>peoples' names.
> >>
> >>--
> >>Richard Jones, Virtualization Group, Red Hat 
> >>http://people.redhat.com/~rjones
> >>Read my programming and virtualization blog: http://rwmj.wordpress.com
> >>virt-top is 'top' for virtual machines.  Tiny program with many
> >>powerful monitoring features, net stats, disk stats, logging, etc.
> >>http://people.redhat.com/~rjones/virt-top

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v

Re: xz backdoor

2024-03-29 Thread Richard W.M. Jones
On Fri, Mar 29, 2024 at 02:40:48PM -0500, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 06:46:59 PM +00:00:00, Christopher Klooz
>  wrote:
> >Yes, F40 beta is affected, along with rawhide, but not F38/F39.
> 
> Unless I'm misunderstanding something, it looks like xz-5.6.0-1.fc40 and
> 5.6.0-2.fc40 are backdoored, yes? Then rjones unknowingly broke the
> backdoor in two different ways in 5.6.0-3.fc40, (a) by adding the
> --disable-ifunc configure flag [1],

Yes.

> and also (b) by running
> everything through autoreconf to regenerate the malicious autogoo
> files [2].

Sadly this on its own was not sufficient.  You also have to delete
m4/build-to-host.m4 first.  But (a) was sufficient to prevent the
backdoor on its own.

> So F40 stable was never affected, but F40 updates-testing
> looks like it really was backdoored for about one week, between
> February 27 [3] and March 4 [4].
> 
> Hey Richard, if you agree with my quick assessment, then we should
> ask secal...@redhat.com to update the warning article [5]. (I also
> don't like the confusing references to "Fedora 41" in that article,
> since Fedora 41 does not yet exist as something separate from
> rawhide.)

secalert are already well aware and have approved the update.  Kevin
Fenzi, myself and others were working on it late last night :-(

Rich.

> [1] 
> https://src.fedoraproject.org/rpms/xz/c/c837ae96c716c6d63da2b4a016e9034ade2a01f7?branch=f40
> [2] 
> https://src.fedoraproject.org/rpms/xz/c/d2408dde878851ca6350297a738a72496a9558c4?branch=f40
> [3] https://bodhi.fedoraproject.org/updates/FEDORA-2024-a7fba89402
> [4] https://bodhi.fedoraproject.org/updates/FEDORA-2024-f5033032b8
> [5] https://access.redhat.com/security/cve/CVE-2024-3094
> 

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org


Re: xz backdoor

2024-03-29 Thread Michael Catanzaro
On Fri, Mar 29 2024 at 06:46:59 PM +00:00:00, Christopher Klooz wrote:
> Yes, F40 beta is affected, along with rawhide, but not F38/F39.


Unless I'm misunderstanding something, it looks like xz-5.6.0-1.fc40 and 
5.6.0-2.fc40 are backdoored, yes? Then rjones unknowingly broke the 
backdoor in two different ways in 5.6.0-3.fc40, (a) by adding the 
--disable-ifunc configure flag [1], and also (b) by running everything 
through autoreconf to regenerate the malicious autogoo files [2]. So 
F40 stable was never affected, but F40 updates-testing looks like it 
really was backdoored for about one week, between February 27 [3] and 
March 4 [4].


Hey Richard, if you agree with my quick assessment, then we should ask 
secal...@redhat.com to update the warning article [5]. (I also don't 
like the confusing references to "Fedora 41" in that article, since 
Fedora 41 does not yet exist as something separate from rawhide.)


[1] 
https://src.fedoraproject.org/rpms/xz/c/c837ae96c716c6d63da2b4a016e9034ade2a01f7?branch=f40
[2] 
https://src.fedoraproject.org/rpms/xz/c/d2408dde878851ca6350297a738a72496a9558c4?branch=f40

[3] https://bodhi.fedoraproject.org/updates/FEDORA-2024-a7fba89402
[4] https://bodhi.fedoraproject.org/updates/FEDORA-2024-f5033032b8
[5] https://access.redhat.com/security/cve/CVE-2024-3094



Re: xz backdoor

2024-03-29 Thread Kevin Kofler via devel
Mikel Olasagasti wrote:
> And the Wayback Machine[3] doesn't have previous versions.

We have the previous versions in the dist-git lookaside cache and in the old 
SRPMs.

Kevin Kofler


Re: xz backdoor

2024-03-29 Thread Christopher Klooz

Yes, F40 beta is affected, along with rawhide, but not F38/F39.

https://discussion.fedoraproject.org/t/warning-malicious-code-in-current-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

https://access.redhat.com/security/cve/CVE-2024-3094

https://www.linkedin.com/posts/fedora-project_urgent-security-alert-for-fedora-41-and-fedora-activity-7179540438494629888-EH4d?utm_source=share_medium=member_desktop

It might be noted that the header of the RH article is wrong and refers to "F41 and rawhide", 
whereas the RH article content is correct and refers to "F40 and rawhide". Other sources, including 
the publication of Fedora Project (e.g., on linkedin), also refer to F40 and rawhide. However, the RH CVE 
article also refers to "F41 and rawhide".

Can someone from RH check and change the RH article header and the RH CVE page content to 
avoid confusion? I tend to assume that "F41 and rawhide" makes no sense at all 
since the two are currently equal.

Chris

On 29/03/2024 19.37, Barry wrote:
> Has this shipped on f40 beta?
>
> Barry
>
>> On 29 Mar 2024, at 18:08, Richard W.M. Jones wrote:
>>
>>> On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
>>> Hi,
>>>
>>> wow: https://www.openwall.com/lists/oss-security/2024/
>>>
>>> I think at this point we clearly cannot trust xz upstream anymore and should
>>> probably fork the project.
>>
>> I kind of agree here, though it saddens me to say it.  Any commit or
>> release by "Jia Tan" or "Hans Jansen" [1] is suspect until proven
>> otherwise, and those go back 2 or more years.
>>
>> Rich.
>>
>> [1] Putting quotes here because those are almost certainly not real
>> peoples' names.
>>
>> --
>> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
>> Read my programming and virtualization blog: http://rwmj.wordpress.com
>> virt-top is 'top' for virtual machines.  Tiny program with many
>> powerful monitoring features, net stats, disk stats, logging, etc.
>> http://people.redhat.com/~rjones/virt-top


Re: xz backdoor

2024-03-29 Thread Mikel Olasagasti
Hi,

I'm seeing weird things.

For whatever reason Source for xz was changed 2 months ago[1] to use
GH releases instead of tukaani.org site.

The XZ page[2] has a note stating:

"Note: GitHub automatically includes two archives Source code (zip)
and Source code (tar.gz) in the releases. These archives cannot be
disabled and should be ignored."

And the Wayback Machine[3] doesn't have previous versions.

Do we know if GH release tarballs are safe?
@richard, do you remember why you had to change the source for the tarball?

Regards,
Mikel

[1] 
https://src.fedoraproject.org/rpms/xz/c/0c09a6280b4a0c4fd7a9fc742c09469c95ff431f?branch=f40
[2] https://xz.tukaani.org/
[3] https://web.archive.org/web/20240119212251/https://xz.tukaani.org/

Kevin Kofler via devel (devel@lists.fedoraproject.org) wrote
(Fri, 29 Mar 2024, 19:01):
>
> Hi,
>
> wow: https://www.openwall.com/lists/oss-security/2024/
>
> I think at this point we clearly cannot trust xz upstream anymore and should
> probably fork the project.
>
> Kevin Kofler


Re: xz backdoor

2024-03-29 Thread Barry
Has this shipped on f40 beta?

Barry

> On 29 Mar 2024, at 18:08, Richard W.M. Jones  wrote:
> 
> 
>> On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
>> Hi,
>> 
>> wow: https://www.openwall.com/lists/oss-security/2024/
>> 
>> I think at this point we clearly cannot trust xz upstream anymore and should
>> probably fork the project.
> 
> I kind of agree here, though it saddens me to say it.  Any commit or
> release by "Jia Tan" or "Hans Jansen" [1] is suspect until proven
> otherwise, and those go back 2 or more years.
> 
> Rich.
> 
> [1] Putting quotes here because those are almost certainly not real
> peoples' names.
> 
> --
> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
> Read my programming and virtualization blog: http://rwmj.wordpress.com
> virt-top is 'top' for virtual machines.  Tiny program with many
> powerful monitoring features, net stats, disk stats, logging, etc.
> http://people.redhat.com/~rjones/virt-top


Re: xz backdoor

2024-03-29 Thread Jerry James
On Fri, Mar 29, 2024 at 12:08 PM Richard W.M. Jones  wrote:
> On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
> > Hi,
> >
> > wow: https://www.openwall.com/lists/oss-security/2024/
> >
> > I think at this point we clearly cannot trust xz upstream anymore and should
> > probably fork the project.
>
> I kind of agree here, though it saddens me to say it.  Any commit or
> release by "Jia Tan" or "Hans Jansen" [1] is suspect until proven
> otherwise, and those go back 2 or more years.
>
> Rich.
>
> [1] Putting quotes here because those are almost certainly not real
> peoples' names.

That github user has also committed to libarchive, although not since
November 2021.
-- 
Jerry James
http://www.jamezone.org/


Re: xz backdoor

2024-03-29 Thread Neal Gompa
On Fri, Mar 29, 2024 at 2:08 PM Richard W.M. Jones  wrote:
>
>
> On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
> > Hi,
> >
> > wow: https://www.openwall.com/lists/oss-security/2024/
> >
> > I think at this point we clearly cannot trust xz upstream anymore and should
> > probably fork the project.
>
> I kind of agree here, though it saddens me to say it.  Any commit or
> release by "Jia Tan" or "Hans Jansen" [1] is suspect until proven
> otherwise, and those go back 2 or more years.
>

I've been rolling in my head for a while now the idea of picking at
things where we use gzip or xz to move to zstd where possible, given
the benefits of the algorithm. This compromise has kind of raised the
profile for me to seriously consider looking into it.




--
真実はいつも一つ!/ Always, there's only one truth!


Re: xz backdoor

2024-03-29 Thread Samuel Sieb

On 3/29/24 11:00, Kevin Kofler via devel wrote:
> wow: https://www.openwall.com/lists/oss-security/2024/

Specifically:
https://www.openwall.com/lists/oss-security/2024/03/29/4

> I think at this point we clearly cannot trust xz upstream anymore and should
> probably fork the project.



Re: xz backdoor

2024-03-29 Thread Richard W.M. Jones

On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
> Hi,
> 
> wow: https://www.openwall.com/lists/oss-security/2024/
> 
> I think at this point we clearly cannot trust xz upstream anymore and should 
> probably fork the project.

I kind of agree here, though it saddens me to say it.  Any commit or
release by "Jia Tan" or "Hans Jansen" [1] is suspect until proven
otherwise, and those go back 2 or more years.

Rich.

[1] Putting quotes here because those are almost certainly not real
peoples' names.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top


Re: xz backdoor

2024-03-29 Thread Jonathan Wright via devel
That would be a bit premature.  At this point it looks like one bad actor,
and the other maintainer probably wasn't even aware.  We should wait and
see how this plays out.

On Fri, Mar 29, 2024 at 1:01 PM Kevin Kofler via devel <devel@lists.fedoraproject.org> wrote:

> Hi,
>
> wow: https://www.openwall.com/lists/oss-security/2024/
>
> I think at this point we clearly cannot trust xz upstream anymore and should
> probably fork the project.
>
> Kevin Kofler


-- 
Jonathan Wright
AlmaLinux Foundation
Mattermost: chat 


xz backdoor

2024-03-29 Thread Kevin Kofler via devel
Hi,

wow: https://www.openwall.com/lists/oss-security/2024/

I think at this point we clearly cannot trust xz upstream anymore and should 
probably fork the project.

Kevin Kofler


Fedora rawhide compose report: 20240329.n.0 changes

2024-03-29 Thread Fedora Rawhide Report
OLD: Fedora-Rawhide-20240328.n.0
NEW: Fedora-Rawhide-20240329.n.0

= SUMMARY =
Added images:        2
Dropped images:      1
Added packages:      58
Dropped packages:    0
Upgraded packages:   135
Downgraded packages: 0

Size of added packages:      7.63 MiB
Size of dropped packages:    0 B
Size of upgraded packages:   2.15 GiB
Size of downgraded packages: 0 B

Size change of upgraded packages:   -177.05 KiB
Size change of downgraded packages: 0 B

= ADDED IMAGES =
Image: LXQt live aarch64
Path: Spins/aarch64/iso/Fedora-LXQt-Live-aarch64-Rawhide-20240329.n.0.iso
Image: Silverblue ociarchive ppc64le
Path: Silverblue/ppc64le/images/Fedora-Silverblue-Rawhide.20240329.n.0.ociarchive

= DROPPED IMAGES =
Image: Workstation live aarch64
Path: Workstation/aarch64/iso/Fedora-Workstation-Live-aarch64-Rawhide-20240328.n.0.iso

= ADDED PACKAGES =
Package: go-vendor-tools-0.3.0-1.fc41
Summary: Tools for handling Go library vendoring in Fedora
RPMs:    go-vendor-tools go-vendor-tools+all go-vendor-tools-doc
Size:    101.77 KiB

Package: ipa-hcc-0.16-1.fc41
Summary: Hybrid Cloud Console extension for IPA
RPMs:    ipa-hcc-server
Size:    166.92 KiB

Package: python-expecttest-0.2.1-1.fc41
Summary: A python test utility
RPMs:    python3-expecttest
Size:    22.98 KiB

Package: python-torchtext-0.17.1-1.fc41
Summary: Data loaders and abstractions for language processing, powered by PyTorch
RPMs:    python3-torchtext
Size:    1.22 MiB

Package: rust-cairo-rs0.18-0.18.5-1.fc41
Summary: Rust bindings for the Cairo library
RPMs:    rust-cairo-rs0.18+default-devel rust-cairo-rs0.18+freetype-devel
rust-cairo-rs0.18+freetype-rs-devel rust-cairo-rs0.18+glib-devel
rust-cairo-rs0.18+pdf-devel rust-cairo-rs0.18+png-devel
rust-cairo-rs0.18+ps-devel rust-cairo-rs0.18+script-devel
rust-cairo-rs0.18+svg-devel rust-cairo-rs0.18+use_glib-devel
rust-cairo-rs0.18+v1_16-devel rust-cairo-rs0.18+v1_18-devel
rust-cairo-rs0.18+xcb-devel rust-cairo-rs0.18+xlib-devel rust-cairo-rs0.18-devel
Size:    165.99 KiB

Package: rust-cairo-sys-rs0.18-0.18.2-1.fc41
Summary: FFI bindings to libcairo
RPMs:    rust-cairo-sys-rs0.18+default-devel
rust-cairo-sys-rs0.18+freetype-devel rust-cairo-sys-rs0.18+glib-devel
rust-cairo-sys-rs0.18+pdf-devel rust-cairo-sys-rs0.18+png-devel
rust-cairo-sys-rs0.18+ps-devel rust-cairo-sys-rs0.18+script-devel
rust-cairo-sys-rs0.18+svg-devel rust-cairo-sys-rs0.18+use_glib-devel
rust-cairo-sys-rs0.18+v1_16-devel rust-cairo-sys-rs0.18+v1_18-devel
rust-cairo-sys-rs0.18+x11-devel rust-cairo-sys-rs0.18+xcb-devel
rust-cairo-sys-rs0.18+xlib-devel rust-cairo-sys-rs0.18-devel
Size:    119.83 KiB

Package: rust-freetype-rs0.32-0.32.0-1.fc41
Summary: Bindings for FreeType font library
RPMs:    rust-freetype-rs0.32+default-devel rust-freetype-rs0.32-devel
Size:    113.38 KiB

Package: rust-freetype-sys0.17-0.17.0-1.fc41
Summary: Low level binding for FreeType font library
RPMs:    rust-freetype-sys0.17+default-devel rust-freetype-sys0.17-devel
Size:    29.99 KiB

Package: rust-gdk-pixbuf-sys0.18-0.18.0-1.fc41
Summary: FFI bindings to libgdk_pixbuf-2.0
RPMs:    rust-gdk-pixbuf-sys0.18+default-devel
rust-gdk-pixbuf-sys0.18+v2_40-devel rust-gdk-pixbuf-sys0.18+v2_42-devel
rust-gdk-pixbuf-sys0.18-devel
Size:    39.66 KiB

Package: rust-gdk-pixbuf0.18-0.18.5-1.fc41
Summary: Rust bindings for the GdkPixbuf library
RPMs:    rust-gdk-pixbuf0.18+default-devel rust-gdk-pixbuf0.18+v2_40-devel
rust-gdk-pixbuf0.18+v2_42-devel rust-gdk-pixbuf0.18-devel
Size:    54.95 KiB

Package: rust-gdk4-sys0.7-0.7.2-1.fc41
Summary: FFI bindings of GDK 4
RPMs:    rust-gdk4-sys0.7+default-devel rust-gdk4-sys0.7+v4_10-devel
rust-gdk4-sys0.7+v4_12-devel rust-gdk4-sys0.7+v4_2-devel
rust-gdk4-sys0.7+v4_4-devel rust-gdk4-sys0.7+v4_6-devel
rust-gdk4-sys0.7+v4_8-devel rust-gdk4-sys0.7-devel
Size:    111.00 KiB

Package: rust-gdk4-wayland-sys0.7-0.7.2-1.fc41
Summary: FFI bindings of GDK4 Wayland
RPMs:    rust-gdk4-wayland-sys0.7+default-devel
rust-gdk4-wayland-sys0.7+v4_10-devel rust-gdk4-wayland-sys0.7+v4_12-devel
rust-gdk4-wayland-sys0.7+v4_4-devel rust-gdk4-wayland-sys0.7-devel
Size:    40.68 KiB

Package: rust-gdk4-wayland0.7-0.7.2-1.fc41
Summary: Rust bindings of the GDK 4 Wayland library
RPMs:    rust-gdk4-wayland0.7+default-devel rust-gdk4-wayland0.7+v4_10-devel
rust-gdk4-wayland0.7+v4_12-devel rust-gdk4-wayland0.7+v4_4-devel
rust-gdk4-wayland0.7-devel
Size:    52.27 KiB

Package: rust-gdk4-x11-sys0.7-0.7.2-1.fc41
Summary: FFI bindings of GDK4 X11
RPMs:    rust-gdk4-x11-sys0.7+default-devel rust-gdk4-x11-sys0.7+v4_10-devel
rust-gdk4-x11-sys0.7+v4_4-devel rust-gdk4-x11-sys0.7-devel
Size:    36.73 KiB

Package: rust-gdk4-x11_0.7-0.7.2-1.fc41
Summary: Rust bindings of the GDK4 X11 library
RPMs:    rust-gdk4-x11_0.7+default-devel rust-gdk4-x11_0.7+v4_10-devel
rust-gdk4-x11_0.7+v4_4-devel rust-gdk4-x11_0.7+x11-devel
rust-gdk4-x11_0.7+xlib-devel rust-gdk4-x11_0.7-devel
Size:    62.77 KiB

Package: rust-gdk4_0.7-0.7.3-1