Statement on backdoor in xz package

2024-04-02 Thread Ihsan Dogan via users
Recently, a backdoor [1] was discovered in the xz compression library. 
xz/liblzma [2] are packaged by the OpenCSW project, and various other packages 
depend on the liblzma library [3]. 

Today I released version 5.6.0r529 to the repository, which is based 
on 5.2.9. This is the last release before Jia Tan got active in the xz 
project [4] (thanks to Jeffrey Walton for the hint). Be aware that the 5.2.9 
release might contain other security-related issues. 

The downgrade might break ABIs of other packages, and we are currently 
verifying whether any packages are affected by the downgrade.

I am constantly monitoring the current developments around xz and will update 
the package accordingly.

[1] https://www.openwall.com/lists/oss-security/2024/03/29/4 
[2] https://www.opencsw.org/packages/CSWxz/ 
[3] https://www.opencsw.org/packages/liblzma5/ 
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5 

Regards

Ihsan

Re: CSWxz and CVE-2024-3094

2024-04-02 Thread Ihsan Dogan via users
Hi

> On 02.04.2024 at 14:37, Jeffrey Walton via users wrote:
> 
>>>> what about CVE-2024-3094 and current version CSWxz?
>>>> 
>>>> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
>>> 
>>> Ihsan already prepared an updated package which should show up soon.
>> 
>> Yes, I am on it. I am preparing a rollback to the last 5.4 release. Should 
>> be out either today or tomorrow.
> 
> Jia Tan started contributing to xz circa the development version 5.3.
> To get untainted code, you have to go back to version 5.2. But rolling
> back to version 5.2 means ABI and symbol breaks. If you don't want to
> go back to 5.2, then it means you have to audit over 700 commits in
> xz. Also see .
> 
> Jia Tan started influencing code before the persona (he/she/it?) had
> check-in privileges. Also see
> .

Thanks for the hint. In this case, I am going back to 5.2.9. 5.2.9 does contain 
security issues, but at least it should not have any code from Jia Tan.

-Ihsan

Re: CSWxz and CVE-2024-3094

2024-04-02 Thread Jeffrey Walton via users
On Tue, Apr 2, 2024 at 8:23 AM Ihsan Dogan via users wrote:
>
> > On 02.04.2024 at 14:03, Dagobert Michelsen wrote:
> >
> >> what about CVE-2024-3094 and current version CSWxz?
> >>
> >> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
> >
> > Ihsan already prepared an updated package which should show up soon.
>
> Yes, I am on it. I am preparing a rollback to the last 5.4 release. Should be 
> out either today or tomorrow.

Jia Tan started contributing to xz circa the development version 5.3.
To get untainted code, you have to go back to version 5.2. But rolling
back to version 5.2 means ABI and symbol breaks. If you don't want to
go back to 5.2, then it means you have to audit over 700 commits in
xz. Also see .

Jia Tan started influencing code before the persona (he/she/it?) had
check-in privileges. Also see
.

Jeff
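As an added example (not the list's or OpenCSW's own tooling), a POSIX sh check that classifies the upstream xz version reported by `xz --version` against the cutoffs named in this thread: anything before 5.3 predates Jia Tan's involvement, 5.6.0 and 5.6.1 are the releases CVE-2024-3094 covers (a known fact, not stated in the thread), and everything else from 5.3 on carries the post-5.3 commit history that would need auditing. It reads the upstream version rather than the OpenCSW package label, because the CSWxz package 5.6.0r529 mentioned above actually ships 5.2.9 code; the sample output line is constructed.

```shell
#!/bin/sh
# Added example: classify an xz/liblzma upstream version against the
# cutoffs discussed in this thread. Not OpenCSW tooling.
#   untainted   : before 5.3, i.e. predates Jia Tan's involvement
#   backdoored  : 5.6.0 or 5.6.1, the releases CVE-2024-3094 covers
#   needs-audit : 5.3 and later otherwise (post-5.3 commit history)
#   unknown     : string is not of the form x.y.z
xz_classify() {
    ver=$(printf '%s' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    set -- $ver
    major=$1; minor=$2; patch=$3
    if [ "$major" -eq 5 ] && [ "$minor" -eq 6 ] && [ "$patch" -le 1 ]; then
        echo backdoored
    elif [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 3 ]; }; then
        echo untainted
    else
        echo needs-audit
    fi
}

# Pull "x.y.z" out of `xz --version` output; its first line looks like
# "xz (XZ Utils) 5.2.9". This is the upstream version, which is what matters:
# the CSWxz package label 5.6.0r529 from this thread actually ships 5.2.9 code.
xz_version_from_output() {
    printf '%s\n' "$1" |
        sed -n '1s/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Check the host's xz if present; otherwise fall back to a constructed sample.
if command -v xz >/dev/null 2>&1; then
    out=$(xz --version 2>/dev/null)
else
    out='xz (XZ Utils) 5.2.9'   # constructed sample line, not output from this host
fi
v=$(xz_version_from_output "$out")
echo "xz upstream version: ${v:-unparsed} -> $(xz_classify "$v")"
```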


Re: CSWxz and CVE-2024-3094

2024-04-02 Thread Ihsan Dogan via users
Hi Yuri

> On 02.04.2024 at 14:03, Dagobert Michelsen wrote:
> 
>> what about CVE-2024-3094 and current version CSWxz?
>> 
>> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
> 
> Ihsan already prepared an updated package which should show up soon.

Yes, I am on it. I am preparing a rollback to the last 5.4 release. Should be 
out either today or tomorrow.

Regards

Ihsan

Re: CSWxz and CVE-2024-3094

2024-04-02 Thread Yuri via users

Well, waiting for it. Thank you.

On 02.04.2024 17:03, Dagobert Michelsen wrote:
> Hi Yuri,
> 
>> On 02.04.2024 at 13:37, Yuri via users wrote:
>> what about CVE-2024-3094 and current version CSWxz?
>> 
>> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
> 
> Ihsan already prepared an updated package which should show up soon.
> 
> Best regards
> 
>    — Dago



Re: CSWxz and CVE-2024-3094

2024-04-02 Thread Dagobert Michelsen via users
Hi Yuri,

> On 02.04.2024 at 13:37, Yuri via users wrote:
> what about CVE-2024-3094 and current version CSWxz?
> 
> https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Ihsan already prepared an updated package which should show up soon.


Best regards

  — Dago

-- 
"You don't become great by trying to be great, you become great by wanting to 
do something, and then doing it so hard that you become great in the process." - xkcd #896



CSWxz and CVE-2024-3094

2024-04-02 Thread Yuri via users

Hi there,

what about CVE-2024-3094 and current version CSWxz?

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Just FYI.

WBR, Yuri
