Re: archivers/xz: update to 5.6.1
On Fri, 29 Mar 2024 22:55:26 +0100 Christian Weisgerber wrote:
> Christian Weisgerber:
>
> > > It sounds like a backdoor made it into the upstream repository:
> > > https://www.openwall.com/lists/oss-security/2024/03/29/4
> >
> > Yes, I just learned.  I am investigating.
>
> The xz 5.6.1 update hasn't been committed yet, so this mostly
> concerns only me anyway.
>
> * A malicious m4/build-to-host.m4 has been inserted and its code
>   is used in the generated configure script.
>
> * This extracts and executes a shell script from
>   tests/files/bad-3-corrupt_lzma2.xz.
>   That script aborts if $(uname) is not Linux.  <=== IT ENDS HERE.
>   If the script continued, it would fail because it uses "head -c"
>   and "tail -c" which are a nonstandard extension that the
>   corresponding OpenBSD commands don't support.
>
> * The script extracts the next stage shell script from
>   tests/files/good-large_compressed.lzma.
>   This stage aborts again early when $(uname) is not Linux.
>   It then proceeds to manipulate the build in some way I won't waste
>   my time to figure out.
>
> In short, it's a supply chain attack on Linux that doesn't concern
> OpenBSD.
>
>
> PS:
> If anybody wants to compare build-to-host.m4, here's the GNU upstream:
> https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host.m4;h=f928e9ab403b3633e3d1d974abcf478e65d4b0aa;hb=HEAD

Good to know! Thanks for this analysis!

--
* God in his heaven, all's well on Earth
Re: archivers/xz: update to 5.6.1
Christian Weisgerber:

> If the script continued, it would fail because it uses "head -c"
> and "tail -c" which are a nonstandard extension that the corresponding
> OpenBSD commands don't support.

Actually, "tail -c" is in POSIX and available on OpenBSD.
Still would fail for "head -c", though.

--
Christian "naddy" Weisgerber                          na...@mips.inka.de
Re: archivers/xz: update to 5.6.1
Christian Weisgerber:

> > It sounds like a backdoor made it into the upstream repository:
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> Yes, I just learned.  I am investigating.

The xz 5.6.1 update hasn't been committed yet, so this mostly
concerns only me anyway.

* A malicious m4/build-to-host.m4 has been inserted and its code
  is used in the generated configure script.

* This extracts and executes a shell script from
  tests/files/bad-3-corrupt_lzma2.xz.
  That script aborts if $(uname) is not Linux.  <=== IT ENDS HERE.
  If the script continued, it would fail because it uses "head -c"
  and "tail -c" which are a nonstandard extension that the
  corresponding OpenBSD commands don't support.

* The script extracts the next stage shell script from
  tests/files/good-large_compressed.lzma.
  This stage aborts again early when $(uname) is not Linux.
  It then proceeds to manipulate the build in some way I won't waste
  my time to figure out.

In short, it's a supply chain attack on Linux that doesn't concern
OpenBSD.


PS:
If anybody wants to compare build-to-host.m4, here's the GNU upstream:
https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host.m4;h=f928e9ab403b3633e3d1d974abcf478e65d4b0aa;hb=HEAD

--
Christian "naddy" Weisgerber                          na...@mips.inka.de
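The PS above suggests comparing the shipped build-to-host.m4 against the gnulib copy. As an added example (not from this thread or the xz project), here is a small POSIX shell check that does that comparison for every macro in an extracted tarball's m4/ directory against a trusted reference tree, and additionally flags any macro or configure script that reads from tests/files/, the location the analysis above names for the hidden stages. The tarball and reference paths are placeholders; the sample trees are constructed inline.

```shell
# audit_m4 <extracted-tarball-dir> <reference-dir>
# Prints one line per finding; returns 0 when nothing was flagged, 1 otherwise.
# Added example, not the xz project's code; paths are placeholders.
audit_m4() {
    tarball=$1 ref=$2 findings=0
    # 1. Every shipped macro must exist in, and match, the reference tree.
    for f in "$tarball"/m4/*.m4; do
        [ -e "$f" ] || continue           # unmatched glob
        name=${f##*/}
        if [ ! -e "$ref/m4/$name" ]; then
            echo "NOT IN REFERENCE: m4/$name"
            findings=$((findings + 1))
        elif ! cmp -s "$f" "$ref/m4/$name"; then
            echo "DIFFERS FROM REFERENCE: m4/$name"
            findings=$((findings + 1))
        fi
    done
    # 2. Build macros and the generated configure have no business
    #    reading test fixtures; flag any reference to tests/files/.
    for f in "$tarball"/m4/*.m4 "$tarball"/configure; do
        [ -e "$f" ] || continue
        if grep -q 'tests/files/' "$f"; then
            echo "REFERENCES tests/files/: ${f#"$tarball"/}"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample trees for a dry run: a clean tarball whose macro
# matches the reference, and a tampered one that differs and reads a
# test fixture. These are made-up one-line macros, not real gnulib code.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/ref/m4" "$demo/clean/m4" "$demo/bad/m4"
printf 'AC_DEFUN([gl_BUILD_TO_HOST], [:])\n' > "$demo/ref/m4/build-to-host.m4"
cp "$demo/ref/m4/build-to-host.m4" "$demo/clean/m4/build-to-host.m4"
printf 'AC_DEFUN([gl_BUILD_TO_HOST], [cat tests/files/x.lzma])\n' \
    > "$demo/bad/m4/build-to-host.m4"

audit_m4 "$demo/clean" "$demo/ref" && echo "clean tree: no findings"
audit_m4 "$demo/bad" "$demo/ref" || echo "tampered tree: flagged"
```

Run it against a real port by pointing the first argument at the unpacked distfile and the second at a checkout of the upstream repository or gnulib; any "DIFFERS" or "REFERENCES" line is worth a manual diff.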
Re: archivers/xz: update to 5.6.1
Thanks, Christian!

On Fri, Mar 29, 2024 at 4:35 PM Christian Weisgerber wrote:
> Jesse Darrone:
>
> > I hate to raise the alarm, but it looks like this should be scrutinized.
> >
> > It sounds like a backdoor made it into the upstream repository:
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> Yes, I just learned.  I am investigating.
>
> FWIW, I did look over the complete 5.4.5 -> 5.6.1 diff as part of
> my regular update procedure, but didn't catch this in the 144028-line
> diff.
>
> --
> Christian "naddy" Weisgerber                          na...@mips.inka.de
>
Re: archivers/xz: update to 5.6.1
Jesse Darrone:

> I hate to raise the alarm, but it looks like this should be scrutinized.
>
> It sounds like a backdoor made it into the upstream repository:
> https://www.openwall.com/lists/oss-security/2024/03/29/4

Yes, I just learned.  I am investigating.

FWIW, I did look over the complete 5.4.5 -> 5.6.1 diff as part of
my regular update procedure, but didn't catch this in the 144028-line
diff.

--
Christian "naddy" Weisgerber                          na...@mips.inka.de
Re: archivers/xz: update to 5.6.1
Hello,

I hate to raise the alarm, but it looks like this should be scrutinized.

It sounds like a backdoor made it into the upstream repository:
https://www.openwall.com/lists/oss-security/2024/03/29/4

On Mon, Mar 18, 2024 at 4:15 AM Christian Weisgerber wrote:
> archivers/xz: update to 5.6.1
>
> * Multithreaded mode is now the default.
> * New command line options to set filter chains using the liblzma filter
>   string syntax.
> * Significant speed optimizations to the LZMA decoder.
>
>
> I have added runtime detection code to check for CRC32 instructions
> to speed up CRC32 integrity checks on arm64.  I intend to submit
> this upstream, so if anybody has comments on that, let me know.
> (xz defaults to CRC64 anyway, so this has little practical value,
> but it is supported on other operating systems.)
>
> Upstream has added pledge() support to xzdec, rendering our previous
> patch obsolete.
>
> ok?
>
>
> diff d65615b6802f8ddeb4536c340034d07be3df3483 > 41fabc9987fb853589f2dd0de774d8f5cdbd0b69 > commit - d65615b6802f8ddeb4536c340034d07be3df3483 > commit + 41fabc9987fb853589f2dd0de774d8f5cdbd0b69 > blob - d1f7ac3fc25e3152944c4efae9a179e35ab504dc > blob + 40addd5d055828107dd9fdb477184ffa605b5fd1 > --- archivers/xz/Makefile > +++ archivers/xz/Makefile
> @@ -1,18 +1,19 @@ > COMMENT= library and tools for XZ and LZMA compressed files > > -DISTNAME= xz-5.4.5 > -SHARED_LIBS= lzma 2.2 # 9.4 > +VERSION= 5.6.1 > +DISTNAME= xz-${VERSION} > +SHARED_LIBS= lzma 2.3 # 11.1 > CATEGORIES=archivers > DPB_PROPERTIES=parallel > > -HOMEPAGE= https://tukaani.org/xz/ > +HOMEPAGE= https://xz.tukaani.org/xz-utils/ > > MAINTAINER=Christian Weisgerber > > # GPLv2+ > PERMIT_PACKAGE=Yes > > -SITES= ${SITE_SOURCEFORGE:=lzmautils/} > +SITES= > https://github.com/tukaani-project/xz/releases/download/v${VERSION}/ > > # uses pledge() > WANTLIB= c pthread > blob - 98b88e2abbfec958489da8fba87fb00df54b8532 > blob + 83ae5ae9b49b503f0bcb1672db69e161dbb814b0 > --- archivers/xz/distinfo > +++ archivers/xz/distinfo > @@ -1,2 +1,2 @@ > -SHA256 (xz-5.4.5.tar.gz) = E1yQuTSu6PvA1Gfeh6Bctw1ifaNqvlGMNXqHNwnlt9Y= > -SIZE (xz-5.4.5.tar.gz) = 2884510 > +SHA256 (xz-5.6.1.tar.gz) = I5j0qOUzRTJfRL3Z8Mx0Ab2QJdc2xtQ7Ny9N6ne/dbg= > +SIZE (xz-5.6.1.tar.gz) = 3045434 > blob - 6061c7f3c22f7e992a2b66ff5cd7082eb1ffd5c8 (mode 644) > blob + /dev/null > --- archivers/xz/patches/patch-config_h_in > +++ /dev/null > @@ -1,16 +0,0 @@ > -Index: config.h.in > config.h.in.orig > -+++ config.h.in > -@@ -409,7 +409,11 @@ > - > - /* Define to 1 if the system supports fast unaligned access to 16-bit, > 32-bit, > -and 64-bit integers. */ > --#undef TUKLIB_FAST_UNALIGNED_ACCESS > -+#include > -+#if !defined(__STRICT_ALIGNMENT) > -+#define \ > -+TUKLIB_FAST_UNALIGNED_ACCESS 1 > -+#endif > - > - /* Define to 1 if the amount of physical memory can be detected with > -_system_configuration.physmem. */ > blob - /dev/null > blob + a4b473567a4e085aa4ae0b4af893e51eed1e2014 (mode 644) > --- /dev/null > +++ archivers/xz/patches/patch-src_liblzma_check_crc32_arm64_h 
> @@ -0,0 +1,30 @@ > +Index: src/liblzma/check/crc32_arm64.h > +--- src/liblzma/check/crc32_arm64.h.orig > src/liblzma/check/crc32_arm64.h > +@@ -28,6 +28,11 @@ > + # include > + # elif defined(__APPLE__) && defined(HAVE_SYSCTLBYNAME) > + # include > ++# elif defined(__OpenBSD__) > ++# include > ++# include > ++# include > ++# include > + # endif > + #endif > + > +@@ -103,6 +108,14 @@ is_arch_extension_supported(void) > + , NULL, 0); > + > + return !err && has_crc32; > ++ > ++#elif defined(__OpenBSD__) > ++ const int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 }; > ++ uint64_t isar0; > ++ size_t len = sizeof(isar0); > ++ > ++ return sysctl(isar0_mib, 2, , , NULL, 0) != -1 && > ++ ID_AA64ISAR0_CRC32(isar0) >= ID_AA64ISAR0_CRC32_BASE; > + > + #else > + // If a runtime detection method cannot be found, then this must > blob - 399cb3be7c7e9134963d36b0858d09da5dc0e3ff (mode 644) > blob + /dev/null > --- archivers/xz/patches/patch-src_xzdec_xzdec_c > +++ /dev/null > @@ -1,21 +0,0 @@ > -Index: src/xzdec/xzdec.c > src/xzdec/xzdec.c.orig > -+++ src/xzdec/xzdec.c > -@@ -295,9 +295,17 @@ main(int argc, char **argv) > - > - if (optind == argc) { > - // No filenames given, decode from
archivers/xz: update to 5.6.1
archivers/xz: update to 5.6.1

* Multithreaded mode is now the default.
* New command line options to set filter chains using the liblzma filter
  string syntax.
* Significant speed optimizations to the LZMA decoder.


I have added runtime detection code to check for CRC32 instructions
to speed up CRC32 integrity checks on arm64.  I intend to submit
this upstream, so if anybody has comments on that, let me know.
(xz defaults to CRC64 anyway, so this has little practical value,
but it is supported on other operating systems.)

Upstream has added pledge() support to xzdec, rendering our previous
patch obsolete.

ok?


diff d65615b6802f8ddeb4536c340034d07be3df3483 41fabc9987fb853589f2dd0de774d8f5cdbd0b69 commit - d65615b6802f8ddeb4536c340034d07be3df3483 commit + 41fabc9987fb853589f2dd0de774d8f5cdbd0b69 blob - d1f7ac3fc25e3152944c4efae9a179e35ab504dc blob + 40addd5d055828107dd9fdb477184ffa605b5fd1 --- archivers/xz/Makefile +++ archivers/xz/Makefile @@ -1,18 +1,19 @@ COMMENT= library and tools for XZ and LZMA compressed files -DISTNAME= xz-5.4.5 -SHARED_LIBS= lzma 2.2 # 9.4 +VERSION= 5.6.1 +DISTNAME= xz-${VERSION} +SHARED_LIBS= lzma 2.3 # 11.1 CATEGORIES=archivers DPB_PROPERTIES=parallel -HOMEPAGE= https://tukaani.org/xz/ +HOMEPAGE= https://xz.tukaani.org/xz-utils/ MAINTAINER=Christian Weisgerber # GPLv2+ PERMIT_PACKAGE=Yes -SITES= ${SITE_SOURCEFORGE:=lzmautils/} +SITES= https://github.com/tukaani-project/xz/releases/download/v${VERSION}/ # uses pledge() WANTLIB= c pthread blob - 98b88e2abbfec958489da8fba87fb00df54b8532 blob + 83ae5ae9b49b503f0bcb1672db69e161dbb814b0 --- archivers/xz/distinfo +++ archivers/xz/distinfo @@ -1,2 +1,2 @@ -SHA256 (xz-5.4.5.tar.gz) = E1yQuTSu6PvA1Gfeh6Bctw1ifaNqvlGMNXqHNwnlt9Y= -SIZE (xz-5.4.5.tar.gz) = 2884510 +SHA256 (xz-5.6.1.tar.gz) = I5j0qOUzRTJfRL3Z8Mx0Ab2QJdc2xtQ7Ny9N6ne/dbg= +SIZE (xz-5.6.1.tar.gz) = 3045434 blob - 6061c7f3c22f7e992a2b66ff5cd7082eb1ffd5c8 (mode 644) blob + /dev/null --- archivers/xz/patches/patch-config_h_in +++ /dev/null 
@@ -1,16 +0,0 @@ -Index: config.h.in config.h.in.orig -+++ config.h.in -@@ -409,7 +409,11 @@ - - /* Define to 1 if the system supports fast unaligned access to 16-bit, 32-bit, -and 64-bit integers. */ --#undef TUKLIB_FAST_UNALIGNED_ACCESS -+#include -+#if !defined(__STRICT_ALIGNMENT) -+#define \ -+TUKLIB_FAST_UNALIGNED_ACCESS 1 -+#endif - - /* Define to 1 if the amount of physical memory can be detected with -_system_configuration.physmem. */ blob - /dev/null blob + a4b473567a4e085aa4ae0b4af893e51eed1e2014 (mode 644) --- /dev/null +++ archivers/xz/patches/patch-src_liblzma_check_crc32_arm64_h @@ -0,0 +1,30 @@ +Index: src/liblzma/check/crc32_arm64.h +--- src/liblzma/check/crc32_arm64.h.orig src/liblzma/check/crc32_arm64.h +@@ -28,6 +28,11 @@ + # include + # elif defined(__APPLE__) && defined(HAVE_SYSCTLBYNAME) + # include ++# elif defined(__OpenBSD__) ++# include ++# include ++# include ++# include + # endif + #endif + +@@ -103,6 +108,14 @@ is_arch_extension_supported(void) + , NULL, 0); + + return !err && has_crc32; ++ ++#elif defined(__OpenBSD__) ++ const int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 }; ++ uint64_t isar0; ++ size_t len = sizeof(isar0); ++ ++ return sysctl(isar0_mib, 2, , , NULL, 0) != -1 && ++ ID_AA64ISAR0_CRC32(isar0) >= ID_AA64ISAR0_CRC32_BASE; + + #else + // If a runtime detection method cannot be found, then this must blob - 399cb3be7c7e9134963d36b0858d09da5dc0e3ff (mode 644) blob + /dev/null --- archivers/xz/patches/patch-src_xzdec_xzdec_c +++ /dev/null 
@@ -1,21 +0,0 @@ -Index: src/xzdec/xzdec.c src/xzdec/xzdec.c.orig -+++ src/xzdec/xzdec.c -@@ -295,9 +295,17 @@ main(int argc, char **argv) - - if (optind == argc) { - // No filenames given, decode from stdin. -+ if (pledge("stdio", NULL) == -1) { -+ my_errorf("pledge"); -+ exit(EXIT_FAILURE); -+ } - uncompress(, stdin, "(stdin)"); - } else { - // Loop through the filenames given on the command line. -+ if (pledge("stdio rpath", NULL) == -1) { -+ my_errorf("pledge"); -+ exit(EXIT_FAILURE); -+ } - do { - // "-" indicates stdin. - if (strcmp(argv[optind], "-") == 0) { blob - /dev/null blob + c2a62aaeb707f0b281f921f3b2064334f94de22b (mode 644) --- /dev/null +++ archivers/xz/patches/patch-src_liblzma_check_crc_common_h @@ -0,0 +1,13 @@ +Index: src/liblzma/check/crc_common.h +--- src/liblzma/chec
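Review bot: the Makefile hunk moves SITES from SourceForge to the GitHub release download, and the analysis elsewhere in this thread locates the malicious code in that tarball's m4/build-to-host.m4 and the configure script generated from it; since the 144028-line review mentioned in this thread was a tarball-to-tarball diff, the commit message should record whether the shipped m4/ and configure were also compared against the upstream repository (the PS in the thread points at the gnulib copy of build-to-host.m4 for exactly this).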
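Review bot: patch-config_h_in is deleted without explanation; the message only calls the xzdec pledge patch obsolete. State whether upstream now derives TUKLIB_FAST_UNALIGNED_ACCESS from __STRICT_ALIGNMENT itself, otherwise the strict-alignment fix that patch carried is dropped silently.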
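Review bot: in the new patch-src_liblzma_check_crc32_arm64_h the `#elif defined(__OpenBSD__)` branch returns `sysctl(...) != -1 && ID_AA64ISAR0_CRC32(isar0) >= ID_AA64ISAR0_CRC32_BASE`, which correctly treats a failed sysctl as "no CRC32 extension" rather than enabling the fast path; however, as rendered here the four added `# include` lines carry no header names and the call reads `sysctl(isar0_mib, 2, , , NULL, 0)` with the output buffer and length arguments missing, so confirm the committed patch names the headers and passes `isar0` and `len` by address, which this copy does not show.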
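Review bot: removing patch-src_xzdec_xzdec_c drops pledge("stdio") for the stdin case and pledge("stdio rpath") for the file-loop case on the grounds that upstream now pledges; the commit message should confirm the upstream promise sets are no wider than these two, otherwise the update loosens the xzdec sandbox while presenting the patch as merely obsolete.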