From: Julien Olivain <ju.o@free.fr>
To: Peter Seiderer <ps.report@gmx.net>
Cc: buildroot@busybox.net, Samuel Martin <s.martin49@gmail.com>
Subject: Re: [Buildroot] [PATCH v2 2/5] package/xz: bump version to 5.6.2
Date: Wed, 12 Jun 2024 15:48:42 +0000
Message-ID: <d6f34e673ea426c735c30aede4f36ca2@free.fr>
In-Reply-To: <20240612135727.11811-2-ps.report@gmx.net>
Hi Peter,
On 12/06/2024 13:57, Peter Seiderer via buildroot wrote:
> - bump version to 5.6.2
> - add BSD-0-Clause and update license file hash accordingly (see [1],
>   [2], [3], [4], [5], [6], [7] and [8])
>
> For details see [9].
>
> [1] https://github.com/tukaani-project/xz/commit/b1ee6cf259bb49ce91abe9f622294524e37edf4c
> [2] https://github.com/tukaani-project/xz/commit/689e0228baeb95232430e90d628379db89583d71
> [3] https://github.com/tukaani-project/xz/commit/28ce45e38fbed4b5f54f2013e38dab47d22bf699
> [4] https://github.com/tukaani-project/xz/commit/17aa2e1a796d3f758802df29afc89dcf335db567
> [5] https://github.com/tukaani-project/xz/commit/bfd0c7c478e93a1911b845459549ff94587b6ea2
> [6] https://github.com/tukaani-project/xz/commit/fd7faa4c338a42a6a40e854b837d285ae2e8c609
> [7] https://github.com/tukaani-project/xz/commit/62733592a1cc6f0b41f46ef52e06d1a6fe1ff38a
> [8] https://github.com/tukaani-project/xz/commit/6bbec3bda02bf87d24fa095074456e723589921f
> [9] https://github.com/tukaani-project/xz/releases/tag/v5.6.2
>
> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> ---
> Changes v1 -> v2:
> - bump version to first one after the backdoor incident
> - omit homepage URL change (reverted upstream)
>
> Notes:
> - while searching the history, detected a previous/alternative patch
>   for the initial version bump by Julien Olivain, see
>   http://lists.busybox.net/pipermail/buildroot/2024-February/371577.html
I confirm I initially proposed a bump to xz 5.6.0. I marked the
patch as "Rejected" the day of the XZ backdoor announcement.

On that matter, I would suggest adding a note in the commit logs
about this security incident. Basically, your version bumps
from 5.4.6 -> 5.4.7 and 5.4.7 -> 5.6.2 jump over the
known backdoored versions (which are 5.6.0 and 5.6.1). So
Buildroot has never been impacted by this issue (with or
without this patch).

See:
https://tukaani.org/xz-backdoor/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-3094
> ---
> package/xz/xz.hash | 8 ++++----
> package/xz/xz.mk | 6 +++---
> 2 files changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/package/xz/xz.hash b/package/xz/xz.hash
> index ff070f6775..6012e1001b 100644
> --- a/package/xz/xz.hash
> +++ b/package/xz/xz.hash
> @@ -1,11 +1,11 @@
> # Locally calculated after checking pgp signature
> -#
> https://github.com/tukaani-project/xz/releases/download/v5.4.7/xz-5.4.7.tar.bz2.sig
> +#
> https://github.com/tukaani-project/xz/releases/download/v5.6.2/xz-5.6.2.tar.bz2.sig
> # using key 3690C240CE51B4670D30AD1C38EE757D69184620 Lasse Collin
> <lasse.collin@tukaani.org>
> -
> -sha256
> 9976ed9cd0764e962d852d7d519ee1c3a7f87aca3b86e5d021a45650ba3ecb41
> xz-5.4.7.tar.bz2
> +sha256
> e12aa03cbd200597bd4ce11d97be2d09a6e6d39a9311ce72c91ac7deacde3171
> xz-5.6.2.tar.bz2
>
> # Hash for license files
> -sha256
> 72d7ef9c98be319fd34ce88b45203b36d5936f9c49e82bf3198ffee5e0c7d87e
> COPYING
> +sha256
> ee3b35b82f7bb0ba5fd9f13ca34ebbe757a59c05bfde5ab9d50ff4188ed33396
> COPYING
> +sha256
> 0b01625d853911cd0e2e088dcfb743261034a091bb379246cb25a14cc4c74bf1
> COPYING.0BSD
> sha256
> 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643
> COPYING.GPLv2
> sha256
> 3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986
> COPYING.GPLv3
> sha256
> dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551
> COPYING.LGPLv2.1
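Review bot: the header comment of this hunk says the sha256 was "Locally calculated after checking pgp signature" with key 3690C240CE51B4670D30AD1C38EE757D69184620 (Lasse Collin), but the commit log only mentions the license change; given the point raised above in the thread that this bump jumps over the backdoored 5.6.0 and 5.6.1 releases, please state in the commit log that the 5.6.2 .sig was verified against that exact fingerprint, not only that the digest was recomputed. The COPYING digest change plus the new COPYING.0BSD line are consistent with the upstream commits the log cites, so no issue there; the removed blank line between the key comment and the sha256 line is an unrelated cosmetic change that is fine to keep but could be mentioned in the log.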
> diff --git a/package/xz/xz.mk b/package/xz/xz.mk
> index d5dceb0eae..10590f6be8 100644
> --- a/package/xz/xz.mk
> +++ b/package/xz/xz.mk
> @@ -4,13 +4,13 @@
> #
>
> ################################################################################
>
> -XZ_VERSION = 5.4.7
> +XZ_VERSION = 5.6.2
> XZ_SOURCE = xz-$(XZ_VERSION).tar.bz2
> XZ_SITE =
> https://github.com/tukaani-project/xz/releases/download/v$(XZ_VERSION)
> XZ_INSTALL_STAGING = YES
> XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
> -XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
> -XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3
> COPYING.LGPLv2.1
> +XZ_LICENSE = Public Domain, BSD-0-Clause, GPL-2.0+, GPL-3.0+,
> LGPL-2.1+
> +XZ_LICENSE_FILES = COPYING COPYING.0BSD COPYING.GPLv2 COPYING.GPLv3
> COPYING.LGPLv2.1
> XZ_CPE_ID_VENDOR = tukaani
>
> ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
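Review bot: XZ_LICENSE uses "BSD-0-Clause", but the SPDX short identifier for the zero-clause BSD license is "0BSD", which also matches the COPYING.0BSD file name added to XZ_LICENSE_FILES in the same hunk; suggest `+XZ_LICENSE = Public Domain, 0BSD, GPL-2.0+, GPL-3.0+, LGPL-2.1+` and the same spelling in the commit title/log. Since "Public Domain" is kept alongside the new identifier, one sentence in the log saying which files stay public domain and which moved to 0BSD would save the next person bumping this package from re-reading the eight upstream commits.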
> --
> 2.45.2
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
Best regards,
Julien.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
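As an added example, not part of this thread and not Buildroot's own tooling, the following Python script shows the two checks a reviewer would want automated for a bump like this one: that XZ_VERSION in xz.mk is not one of the backdoored releases named above (5.6.0 and 5.6.1, CVE-2024-3094), and that the xz.hash entry for the tarball named by XZ_SOURCE actually matches the downloaded archive, with every file listed in XZ_LICENSE_FILES having a hash entry. The xz.mk and xz.hash snippets and the tarball bytes are constructed stand-ins; the PGP signature check that the hash file comment refers to is assumed to have been done separately and is not reproduced here.

```python
import hashlib
import re

# xz releases known to ship the CVE-2024-3094 backdoor (stated in the thread above).
BACKDOORED_XZ_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed sample inputs: a stand-in payload instead of the real tarball, and
# trimmed-down versions of the two package files a Buildroot bump patch touches.
SAMPLE_TARBALL = b"constructed stand-in for xz-5.6.2.tar.bz2, not the real archive\n"
SAMPLE_XZ_MK = """\
XZ_VERSION = 5.6.2
XZ_SOURCE = xz-$(XZ_VERSION).tar.bz2
XZ_SITE = https://github.com/tukaani-project/xz/releases/download/v$(XZ_VERSION)
XZ_LICENSE_FILES = COPYING COPYING.0BSD
"""
SAMPLE_XZ_HASH = f"""\
# Locally calculated after checking pgp signature
sha256  {hashlib.sha256(SAMPLE_TARBALL).hexdigest()}  xz-5.6.2.tar.bz2

# Hash for license files (constructed placeholder digests)
sha256  {'0' * 64}  COPYING
sha256  {'1' * 64}  COPYING.0BSD
"""

_ASSIGN_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*[:?]?=\s*(.*?)\s*$")
_REF_RE = re.compile(r"\$\(([A-Z0-9_]+)\)")


def parse_mk_variables(mk_text):
    """Collect simple NAME = value lines from a Buildroot .mk file, expanding
    $(NAME) references to variables assigned earlier in the same file."""
    variables = {}
    for line in mk_text.splitlines():
        match = _ASSIGN_RE.match(line)
        if not match:
            continue
        name, value = match.groups()
        value = _REF_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)
        variables[name] = value
    return variables


def parse_hash_file(hash_text):
    """Return {filename: (algorithm, hexdigest)} from a Buildroot .hash file,
    skipping comments and blank lines."""
    entries = {}
    for line in hash_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed hash line: {line!r}")
        algorithm, digest, filename = fields
        entries[filename] = (algorithm, digest.lower())
    return entries


def check_xz_bump(mk_text, hash_text, tarball_bytes):
    """Return a list of findings for the bump; an empty list means it passes."""
    findings = []
    mk = parse_mk_variables(mk_text)
    version = mk.get("XZ_VERSION")
    if version is None:
        return ["XZ_VERSION not found in xz.mk"]
    if version in BACKDOORED_XZ_VERSIONS:
        findings.append(f"xz {version} is a known backdoored release (CVE-2024-3094)")

    source = mk.get("XZ_SOURCE", f"xz-{version}.tar.bz2")
    entries = parse_hash_file(hash_text)
    if source not in entries:
        findings.append(f"no hash entry for {source} in xz.hash")
    else:
        algorithm, expected = entries[source]
        if algorithm != "sha256":
            findings.append(f"{source}: expected a sha256 entry, hash file uses {algorithm}")
        else:
            actual = hashlib.sha256(tarball_bytes).hexdigest()
            if actual != expected:
                findings.append(f"{source}: sha256 mismatch (hash file {expected[:12]}..., "
                                f"tarball {actual[:12]}...)")

    # Every license file named in xz.mk must be pinned in xz.hash as well.
    for license_file in mk.get("XZ_LICENSE_FILES", "").split():
        if license_file not in entries:
            findings.append(f"license file {license_file} has no entry in xz.hash")
    return findings


if __name__ == "__main__":
    for finding in check_xz_bump(SAMPLE_XZ_MK, SAMPLE_XZ_HASH, SAMPLE_TARBALL) or ["OK"]:
        print(finding)
```

Run against the real files by reading package/xz/xz.mk, package/xz/xz.hash and the downloaded tarball instead of the constructed samples; the version check is deliberately a denylist of the two releases named in this thread, so it flags exactly the bumps Julien's note is about and nothing else.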
Thread overview: 23+ messages
2024-06-12 13:57 [Buildroot] [PATCH v2 1/5] package/xz: bump version to 5.4.7 Peter Seiderer via buildroot
2024-06-12 13:57 ` [Buildroot] [PATCH v2 2/5] package/xz: bump version to 5.6.2 Peter Seiderer via buildroot
2024-06-12 15:48 ` Julien Olivain [this message]
2024-06-24 13:42 ` Arnout Vandecappelle via buildroot
2024-06-12 13:57 ` [Buildroot] [PATCH v2 3/5] package/xz: determine all autoconf options Peter Seiderer via buildroot
2024-06-24 13:44 ` Arnout Vandecappelle via buildroot
2024-06-12 13:57 ` [Buildroot] [PATCH v2 4/5] package/xz: enable year2038 option Peter Seiderer via buildroot
2024-06-24 13:46 ` Arnout Vandecappelle via buildroot
2024-06-12 13:57 ` [Buildroot] [PATCH v2 5/5] package/xz: convert to cmake build Peter Seiderer via buildroot
2024-06-24 13:52 ` Arnout Vandecappelle via buildroot
2024-06-25 9:56 ` yann.morin
2024-06-25 11:11 ` yann.morin
2024-06-26 8:36 ` Peter Seiderer via buildroot
2024-06-26 19:32 ` Yann E. MORIN
2024-06-27 7:50 ` Peter Seiderer via buildroot
2024-06-27 7:57 ` Peter Seiderer via buildroot
2024-06-27 8:26 ` Peter Seiderer via buildroot
2024-06-27 11:16 ` yann.morin
2024-07-02 12:47 ` Peter Seiderer via buildroot
2024-06-24 13:41 ` [Buildroot] [PATCH v2 1/5] package/xz: bump version to 5.4.7 Arnout Vandecappelle via buildroot
2024-07-08 10:04 ` Peter Korsgaard
2024-07-08 12:54 ` Peter Seiderer via buildroot
2024-07-08 12:57 ` Peter Seiderer via buildroot