Re: archivers/xz: update to 5.6.1

2024-03-29 Thread Jose Maldonado
On Fri, 29 Mar 2024 22:55:26 +0100
Christian Weisgerber  wrote:
> Christian Weisgerber:
> 
> > > It sounds like a backdoor made it into the upstream repository:
> > > https://www.openwall.com/lists/oss-security/2024/03/29/4  
> > 
> > Yes, I just learned.  I am investigating.  
> 
> The xz 5.6.1 update hasn't been committed yet, so this mostly
> concerns only me anyway.
> 
> * A malicious m4/build-to-host.m4 has been inserted and its code
>   is used in the generated configure script.
> 
> * This extracts and executes a shell script from
>   tests/files/bad-3-corrupt_lzma2.xz.
>   That script aborts if $(uname) is not Linux.  <=== IT ENDS HERE.
>   If the script continued, it would fail because it uses "head -c"
>   and "tail -c" which are a nonstandard extension that the
>   corresponding OpenBSD commands don't support.
> 
> * The script extracts the next stage shell script from
>   tests/files/good-large_compressed.lzma.
>   This stage aborts again early when $(uname) is not Linux.
>   It then proceeds to manipulate the build in some way I won't waste
>   my time to figure out.
> 
> In short, it's a supply chain attack on Linux that doesn't concern
> OpenBSD.
> 
> 
> PS:
> If anybody wants to compare build-to-host.m4, here's the GNU upstream:
> https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host.m4;h=f928e9ab403b3633e3d1d974abcf478e65d4b0aa;hb=HEAD
> 

Good to know! Thanks for this analysis! 

-- 
*
God in his heaven, all is well on Earth



Re: archivers/xz: update to 5.6.1

2024-03-29 Thread Christian Weisgerber
Christian Weisgerber:

>   If the script continued, it would fail because it uses "head -c"
>   and "tail -c" which are a nonstandard extension that the corresponding
>   OpenBSD commands don't support.

Actually, "tail -c" is in POSIX and available on OpenBSD.
Still would fail for "head -c", though.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: archivers/xz: update to 5.6.1

2024-03-29 Thread Christian Weisgerber
Christian Weisgerber:

> > It sounds like a backdoor made it into the upstream repository:
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
> Yes, I just learned.  I am investigating.

The xz 5.6.1 update hasn't been committed yet, so this mostly
concerns only me anyway.

* A malicious m4/build-to-host.m4 has been inserted and its code
  is used in the generated configure script.

* This extracts and executes a shell script from
  tests/files/bad-3-corrupt_lzma2.xz.
  That script aborts if $(uname) is not Linux.  <=== IT ENDS HERE.
  If the script continued, it would fail because it uses "head -c"
  and "tail -c" which are a nonstandard extension that the corresponding
  OpenBSD commands don't support.

* The script extracts the next stage shell script from
  tests/files/good-large_compressed.lzma.
  This stage aborts again early when $(uname) is not Linux.
  It then proceeds to manipulate the build in some way I won't waste
  my time to figure out.

In short, it's a supply chain attack on Linux that doesn't concern
OpenBSD.


PS:
If anybody wants to compare build-to-host.m4, here's the GNU upstream:
https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host.m4;h=f928e9ab403b3633e3d1d974abcf478e65d4b0aa;hb=HEAD

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
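The script below is added here and is not part of the thread; it turns the two observations in Christian's analysis into a check a ports maintainer can run over an unpacked tarball: the generated configure must not reference anything under tests/files/, and each m4/*.m4 must be byte-identical to a pristine reference copy in a directory you supply (for instance from the gnulib checkout linked above). It generalises the build-to-host.m4 comparison to every macro file; the demo trees and macro contents are constructed, not real xz sources.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks over an unpacked source tree,
# derived from the analysis above:
#  1. configure must not reference tests/files/ (the payload was pulled out of
#     tests/files/*.xz and *.lzma at configure time);
#  2. every m4/*.m4 with a counterpart in a directory of pristine reference
#     copies (assumed: e.g. a gnulib checkout) must be byte-identical to it.
# Usage: audit_source_tree <tree> [reference-m4-dir]
# Returns 0 if nothing is flagged, 1 otherwise; findings go to stdout.
audit_source_tree() {
    tree=$1
    ref_dir=${2:-}
    flags=0
    if [ -f "$tree/configure" ] && grep -q 'tests/files/' "$tree/configure"; then
        echo "FLAG: configure references tests/files/"
        flags=$((flags + 1))
    fi
    if [ -n "$ref_dir" ] && [ -d "$tree/m4" ]; then
        for m4 in "$tree"/m4/*.m4; do
            [ -f "$m4" ] || continue
            name=$(basename "$m4")
            if [ ! -f "$ref_dir/$name" ]; then
                echo "INFO: m4/$name has no reference copy; review by hand"
            elif ! cmp -s "$m4" "$ref_dir/$name"; then
                echo "FLAG: m4/$name differs from reference copy"
                flags=$((flags + 1))
            fi
        done
    fi
    [ "$flags" -eq 0 ]
}

# Constructed demo trees (not real xz sources): one clean, one carrying both
# indicators. Prints the base directory so the caller can run the audit.
make_demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/ref" "$base/clean/m4" "$base/tainted/m4"
    printf 'AC_DEFUN([demo_MACRO], [dnl pristine copy])\n' >"$base/ref/build-to-host.m4"
    cp "$base/ref/build-to-host.m4" "$base/clean/m4/"
    printf '#!/bin/sh\nexit 0\n' >"$base/clean/configure"
    printf 'AC_DEFUN([demo_MACRO], [dnl altered copy])\n' >"$base/tainted/m4/build-to-host.m4"
    printf '#!/bin/sh\ncat tests/files/bad-3-corrupt_lzma2.xz >/dev/null\n' >"$base/tainted/configure"
    echo "$base"
}

base=$(make_demo_trees)
audit_source_tree "$base/clean" "$base/ref" && echo "clean tree: ok"
audit_source_tree "$base/tainted" "$base/ref" || echo "tainted tree: flagged"
```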



Re: archivers/xz: update to 5.6.1

2024-03-29 Thread Jesse Darrone
Thanks, Christian!

On Fri, Mar 29, 2024 at 4:35 PM Christian Weisgerber 
wrote:

> Jesse Darrone:
>
> > I hate to raise the alarm, but it looks like this should be scrutinized.
> >
> > It sounds like a backdoor made it into the upstream repository:
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> Yes, I just learned.  I am investigating.
>
> FWIW, I did look over the complete 5.4.5 -> 5.6.1 diff as part of
> my regular update procedure, but didn't catch this in the 144028-line
> diff.
>
> --
> Christian "naddy" Weisgerber  na...@mips.inka.de
>


Re: archivers/xz: update to 5.6.1

2024-03-29 Thread Christian Weisgerber
Jesse Darrone:

> I hate to raise the alarm, but it looks like this should be scrutinized.
> 
> It sounds like a backdoor made it into the upstream repository:
> https://www.openwall.com/lists/oss-security/2024/03/29/4

Yes, I just learned.  I am investigating.

FWIW, I did look over the complete 5.4.5 -> 5.6.1 diff as part of
my regular update procedure, but didn't catch this in the 144028-line
diff.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: archivers/xz: update to 5.6.1

2024-03-29 Thread Jesse Darrone
Hello,

I hate to raise the alarm, but it looks like this should be scrutinized.

It sounds like a backdoor made it into the upstream repository:
https://www.openwall.com/lists/oss-security/2024/03/29/4


On Mon, Mar 18, 2024 at 4:15 AM Christian Weisgerber 
wrote:

> archivers/xz: update to 5.6.1
>
> * Multithreaded mode is now the default.
> * New command line options to set filter chains using the liblzma filter
>   string syntax.
> * Significant speed optimizations to the LZMA decoder.
>
>
> I have added runtime detection code to check for CRC32 instructions
> to speed up CRC32 integrity checks on arm64.  I intend to submit
> this upstream, so if anybody has comments on that, let me know.
> (xz defaults to CRC64 anyway, so this has little practical value,
> but it is supported on other operating systems.)
>
> Upstream has added pledge() support to xzdec, rendering our previous
> patch obsolete.
>
> ok?
>
>

archivers/xz: update to 5.6.1

2024-03-18 Thread Christian Weisgerber
archivers/xz: update to 5.6.1
 
* Multithreaded mode is now the default.
* New command line options to set filter chains using the liblzma filter
  string syntax.
* Significant speed optimizations to the LZMA decoder.


I have added runtime detection code to check for CRC32 instructions
to speed up CRC32 integrity checks on arm64.  I intend to submit
this upstream, so if anybody has comments on that, let me know.
(xz defaults to CRC64 anyway, so this has little practical value,
but it is supported on other operating systems.)

Upstream has added pledge() support to xzdec, rendering our previous
patch obsolete.

ok?

 
diff d65615b6802f8ddeb4536c340034d07be3df3483 
41fabc9987fb853589f2dd0de774d8f5cdbd0b69
commit - d65615b6802f8ddeb4536c340034d07be3df3483
commit + 41fabc9987fb853589f2dd0de774d8f5cdbd0b69
blob - d1f7ac3fc25e3152944c4efae9a179e35ab504dc
blob + 40addd5d055828107dd9fdb477184ffa605b5fd1
--- archivers/xz/Makefile
+++ archivers/xz/Makefile
@@ -1,18 +1,19 @@
 COMMENT=   library and tools for XZ and LZMA compressed files
 
-DISTNAME=  xz-5.4.5
-SHARED_LIBS=   lzma 2.2  # 9.4
+VERSION=   5.6.1
+DISTNAME=  xz-${VERSION}
+SHARED_LIBS=   lzma 2.3  # 11.1
 CATEGORIES=archivers
 DPB_PROPERTIES=parallel
 
-HOMEPAGE=  https://tukaani.org/xz/
+HOMEPAGE=  https://xz.tukaani.org/xz-utils/
 
 MAINTAINER=Christian Weisgerber 
 
 # GPLv2+
 PERMIT_PACKAGE=Yes
 
-SITES= ${SITE_SOURCEFORGE:=lzmautils/}
+SITES= https://github.com/tukaani-project/xz/releases/download/v${VERSION}/
 
 # uses pledge()
 WANTLIB=   c pthread
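Review bot: SITES moves from the SourceForge mirror to GitHub release assets (`https://github.com/tukaani-project/xz/releases/download/v${VERSION}/`) without the commit message saying why; since a release asset is an uploaded artefact rather than something generated from the tagged tree, state in the log which location upstream now designates as canonical, and keep distinfo as the only thing that decides whether a fetched tarball is accepted.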
blob - 98b88e2abbfec958489da8fba87fb00df54b8532
blob + 83ae5ae9b49b503f0bcb1672db69e161dbb814b0
--- archivers/xz/distinfo
+++ archivers/xz/distinfo
@@ -1,2 +1,2 @@
-SHA256 (xz-5.4.5.tar.gz) = E1yQuTSu6PvA1Gfeh6Bctw1ifaNqvlGMNXqHNwnlt9Y=
-SIZE (xz-5.4.5.tar.gz) = 2884510
+SHA256 (xz-5.6.1.tar.gz) = I5j0qOUzRTJfRL3Z8Mx0Ab2QJdc2xtQ7Ny9N6ne/dbg=
+SIZE (xz-5.6.1.tar.gz) = 3045434
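Review bot: The new SHA256/SIZE lines pin the 5.6.1 tarball, and the rest of this thread identifies that same tarball as the one carrying the malicious m4/build-to-host.m4, so this hunk should not land until upstream ships a cleared release. The checksum mechanism itself is doing its job (a swapped or corrupted download would be rejected); it simply cannot say whether upstream's own artefact is trustworthy, which is the actual question for 5.6.1.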
blob - 6061c7f3c22f7e992a2b66ff5cd7082eb1ffd5c8 (mode 644)
blob + /dev/null
--- archivers/xz/patches/patch-config_h_in
+++ /dev/null
@@ -1,16 +0,0 @@
-Index: config.h.in
 config.h.in.orig
-+++ config.h.in
-@@ -409,7 +409,11 @@
- 
- /* Define to 1 if the system supports fast unaligned access to 16-bit, 32-bit,
-and 64-bit integers. */
--#undef TUKLIB_FAST_UNALIGNED_ACCESS
-+#include 
-+#if !defined(__STRICT_ALIGNMENT)
-+#define \
-+TUKLIB_FAST_UNALIGNED_ACCESS 1
-+#endif
- 
- /* Define to 1 if the amount of physical memory can be detected with
-_system_configuration.physmem. */
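Review bot: Dropping patch-config_h_in removes the OpenBSD `__STRICT_ALIGNMENT`-based definition of `TUKLIB_FAST_UNALIGNED_ACCESS`, but the message only explains why the xzdec pledge patch is obsolete. State in the log whether upstream 5.6.1 now handles unaligned-access detection for OpenBSD itself or whether the build simply falls back to the aligned (slower but safe) path on strict-alignment architectures.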
blob - /dev/null
blob + a4b473567a4e085aa4ae0b4af893e51eed1e2014 (mode 644)
--- /dev/null
+++ archivers/xz/patches/patch-src_liblzma_check_crc32_arm64_h
@@ -0,0 +1,30 @@
+Index: src/liblzma/check/crc32_arm64.h
+--- src/liblzma/check/crc32_arm64.h.orig
 src/liblzma/check/crc32_arm64.h
+@@ -28,6 +28,11 @@
+ # include 
+ # elif defined(__APPLE__) && defined(HAVE_SYSCTLBYNAME)
+ # include 
++# elif defined(__OpenBSD__)
++# include 
++# include 
++# include 
++# include 
+ # endif
+ #endif
+ 
+@@ -103,6 +108,14 @@ is_arch_extension_supported(void)
+   , NULL, 0);
+ 
+   return !err && has_crc32;
++
++#elif defined(__OpenBSD__)
++  const int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 };
++  uint64_t isar0;
++  size_t len = sizeof(isar0);
++
++  return sysctl(isar0_mib, 2, , , NULL, 0) != -1 &&
++  ID_AA64ISAR0_CRC32(isar0) >= ID_AA64ISAR0_CRC32_BASE;
+ 
+ #else
+   // If a runtime detection method cannot be found, then this must
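Review bot: In the OpenBSD branch of is_arch_extension_supported(), check the length sysctl() hands back as well as its return value (`len == sizeof(isar0)`) before trusting `isar0`; a reply of a different size would otherwise be read as a CPU feature register. Note also that the `# include` lines and the `sysctl(isar0_mib, 2, , , NULL, 0)` call have lost their angle-bracketed header names and, presumably, the `&isar0, &len` arguments in the posted text, so review the patch file itself rather than this mail for those details.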
blob - 399cb3be7c7e9134963d36b0858d09da5dc0e3ff (mode 644)
blob + /dev/null
--- archivers/xz/patches/patch-src_xzdec_xzdec_c
+++ /dev/null
@@ -1,21 +0,0 @@
-Index: src/xzdec/xzdec.c
 src/xzdec/xzdec.c.orig
-+++ src/xzdec/xzdec.c
-@@ -295,9 +295,17 @@ main(int argc, char **argv)
- 
-   if (optind == argc) {
-   // No filenames given, decode from stdin.
-+  if (pledge("stdio", NULL) == -1) {
-+  my_errorf("pledge");
-+  exit(EXIT_FAILURE);
-+  }
-   uncompress(, stdin, "(stdin)");
-   } else {
-   // Loop through the filenames given on the command line.
-+  if (pledge("stdio rpath", NULL) == -1) {
-+  my_errorf("pledge");
-+  exit(EXIT_FAILURE);
-+  }
-   do {
-   // "-" indicates stdin.
-   if (strcmp(argv[optind], "-") == 0) {
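Review bot: Removing patch-src_xzdec_xzdec_c rests on the statement that upstream added pledge() support; before dropping it, confirm upstream's promise sets are no broader than the `"stdio"` (stdin path) and `"stdio rpath"` (filename path) the local patch used, and that they are applied before any input is read, so the xzdec sandbox does not regress with this update.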
blob - /dev/null
blob + c2a62aaeb707f0b281f921f3b2064334f94de22b (mode 644)
--- /dev/null
+++ archivers/xz/patches/patch-src_liblzma_check_crc_common_h
@@ -0,0 +1,13 @@
+Index: src/liblzma/check/crc_common.h
+--- src/liblzma/chec