From: Julien Olivain <ju.o@free.fr>
To: Peter Seiderer <ps.report@gmx.net>
Cc: buildroot@busybox.net, Samuel Martin <s.martin49@gmail.com>
Subject: Re: [Buildroot] [PATCH v2 2/5] package/xz: bump version to 5.6.2
Date: Wed, 12 Jun 2024 15:48:42 +0000
Message-ID: <d6f34e673ea426c735c30aede4f36ca2@free.fr>
In-Reply-To: <20240612135727.11811-2-ps.report@gmx.net>
Hi Peter,
On 12/06/2024 13:57, Peter Seiderer via buildroot wrote:
> - bump version to 5.6.2
> - add BSD-0-Clause and update license file hash accordingly (see [1], [2],
>   [3], [4], [5], [6], [7] and [8])
>
> For details see [9].
>
> [1] https://github.com/tukaani-project/xz/commit/b1ee6cf259bb49ce91abe9f622294524e37edf4c
> [2] https://github.com/tukaani-project/xz/commit/689e0228baeb95232430e90d628379db89583d71
> [3] https://github.com/tukaani-project/xz/commit/28ce45e38fbed4b5f54f2013e38dab47d22bf699
> [4] https://github.com/tukaani-project/xz/commit/17aa2e1a796d3f758802df29afc89dcf335db567
> [5] https://github.com/tukaani-project/xz/commit/bfd0c7c478e93a1911b845459549ff94587b6ea2
> [6] https://github.com/tukaani-project/xz/commit/fd7faa4c338a42a6a40e854b837d285ae2e8c609
> [7] https://github.com/tukaani-project/xz/commit/62733592a1cc6f0b41f46ef52e06d1a6fe1ff38a
> [8] https://github.com/tukaani-project/xz/commit/6bbec3bda02bf87d24fa095074456e723589921f
> [9] https://github.com/tukaani-project/xz/releases/tag/v5.6.2
>
> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> ---
> Changes v1 -> v2:
> - bump version to first one after the backdoor incident
> - omit homepage URL change (reverted upstream)
>
> Notes:
> - while searching the history, detected a previous/alternative patch
>   for the initial version bump by Julien Olivain, see
>   http://lists.busybox.net/pipermail/buildroot/2024-February/371577.html
I confirm I initially proposed a bump to xz 5.6.0. I marked the
patch as "Rejected" the day of the XZ backdoor announcement.
On that matter, I would suggest adding a note to the commit logs
about this security incident. Basically, your version bumps
from 5.4.6 -> 5.4.7 and 5.4.7 -> 5.6.2 jump over the
known backdoored versions (which are 5.6.0 and 5.6.1). So
Buildroot has never been impacted by this issue (with or
without this patch).
See:
https://tukaani.org/xz-backdoor/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-3094
> ---
> package/xz/xz.hash | 8 ++++----
> package/xz/xz.mk | 6 +++---
> 2 files changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/package/xz/xz.hash b/package/xz/xz.hash
> index ff070f6775..6012e1001b 100644
> --- a/package/xz/xz.hash
> +++ b/package/xz/xz.hash
> @@ -1,11 +1,11 @@
> # Locally calculated after checking pgp signature
> -#
> https://github.com/tukaani-project/xz/releases/download/v5.4.7/xz-5.4.7.tar.bz2.sig
> +#
> https://github.com/tukaani-project/xz/releases/download/v5.6.2/xz-5.6.2.tar.bz2.sig
> # using key 3690C240CE51B4670D30AD1C38EE757D69184620 Lasse Collin
> <lasse.collin@tukaani.org>
> -
> -sha256
> 9976ed9cd0764e962d852d7d519ee1c3a7f87aca3b86e5d021a45650ba3ecb41
> xz-5.4.7.tar.bz2
> +sha256
> e12aa03cbd200597bd4ce11d97be2d09a6e6d39a9311ce72c91ac7deacde3171
> xz-5.6.2.tar.bz2
>
> # Hash for license files
> -sha256
> 72d7ef9c98be319fd34ce88b45203b36d5936f9c49e82bf3198ffee5e0c7d87e
> COPYING
> +sha256
> ee3b35b82f7bb0ba5fd9f13ca34ebbe757a59c05bfde5ab9d50ff4188ed33396
> COPYING
> +sha256
> 0b01625d853911cd0e2e088dcfb743261034a091bb379246cb25a14cc4c74bf1
> COPYING.0BSD
> sha256
> 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643
> COPYING.GPLv2
> sha256
> 3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986
> COPYING.GPLv3
> sha256
> dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551
> COPYING.LGPLv2.1
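Review bot: the lone `-` line drops the blank separator between the key comment and the sha256 entry; unless that is intentional, keep it so the hunk is only the two expected rewrites (the .sig URL and the tarball line). On the substance, the retained comment "Locally calculated after checking pgp signature ... using key 3690C240CE51B4670D30AD1C38EE757D69184620 Lasse Collin" is the only record that the 5.6.2 tarball was actually verified against that key; since the changelog itself calls this "the first one after the backdoor incident", the commit log should state that the signature was re-checked for the 5.6.2 tarball with that key rather than carried over from the 5.4.7 entry. The COPYING hash update and the new COPYING.0BSD entry are consistent with the file list added to XZ_LICENSE_FILES.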
> diff --git a/package/xz/xz.mk b/package/xz/xz.mk
> index d5dceb0eae..10590f6be8 100644
> --- a/package/xz/xz.mk
> +++ b/package/xz/xz.mk
> @@ -4,13 +4,13 @@
> #
>
> ################################################################################
>
> -XZ_VERSION = 5.4.7
> +XZ_VERSION = 5.6.2
> XZ_SOURCE = xz-$(XZ_VERSION).tar.bz2
> XZ_SITE =
> https://github.com/tukaani-project/xz/releases/download/v$(XZ_VERSION)
> XZ_INSTALL_STAGING = YES
> XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
> -XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
> -XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3
> COPYING.LGPLv2.1
> +XZ_LICENSE = Public Domain, BSD-0-Clause, GPL-2.0+, GPL-3.0+,
> LGPL-2.1+
> +XZ_LICENSE_FILES = COPYING COPYING.0BSD COPYING.GPLv2 COPYING.GPLv3
> COPYING.LGPLv2.1
> XZ_CPE_ID_VENDOR = tukaani
>
> ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
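Review bot: `BSD-0-Clause` in XZ_LICENSE is not the SPDX identifier for the Zero-Clause BSD license; SPDX calls it `0BSD`, which also matches the COPYING.0BSD file name added to XZ_LICENSE_FILES in the same hunk, so the line should read `XZ_LICENSE = Public Domain, 0BSD, GPL-2.0+, GPL-3.0+, LGPL-2.1+` (modulo the usual SPDX forms for the GPL/LGPL entries if the package is being cleaned up anyway). While touching this line, check against the updated COPYING (its hash changed in xz.hash) whether `Public Domain` still applies to any part of 5.6.2 or whether 0BSD replaced it, and say so in the commit log rather than only pointing at eight upstream commits.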
> --
> 2.45.2
>
Best regards,
Julien.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
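The check Julien describes above, as an added example that is not part of this thread or of Buildroot's own tooling: it reads a package's .mk and .hash files in the formats the patch shows, refuses the two releases known to carry the backdoor (5.6.0 and 5.6.1, CVE-2024-3094), and verifies a downloaded tarball against the sha256 recorded in the .hash file. The function names and the sample files are constructed for the example; the real Buildroot flow additionally checks the PGP signature with the key named in the .hash comment, which this script does not do.

```python
"""Sanity checks for a Buildroot-style xz package against CVE-2024-3094.

Added example, not Buildroot's own tooling. It reads the two files a
package bump touches (xz.mk and xz.hash, in the formats shown in the
patch), refuses the versions known to carry the backdoor, and checks a
downloaded tarball against the sha256 recorded in the .hash file.
It does not replace the PGP signature check the .hash comment refers to.
"""
import hashlib
import re

# Release versions whose tarballs carried the backdoor (CVE-2024-3094).
BACKDOORED_XZ_VERSIONS = {"5.6.0", "5.6.1"}


def parse_mk_version(mk_text, var="XZ_VERSION"):
    """Extract `VAR = value` from a Buildroot .mk fragment."""
    m = re.search(rf"^{re.escape(var)}\s*=\s*(\S+)\s*$", mk_text, re.MULTILINE)
    if not m:
        raise ValueError(f"{var} not found")
    return m.group(1)


def parse_hash_file(hash_text):
    """Parse Buildroot .hash lines of the form '<algo> <hexdigest> <filename>'.

    Comment lines ('#') and blank lines are skipped.
    Returns {filename: (algo, hexdigest)}.
    """
    entries = {}
    for raw in hash_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed .hash line: {raw!r}")
        algo, digest, name = parts
        entries[name] = (algo.lower(), digest.lower())
    return entries


def verify_blob(name, data, entries):
    """True if `data` matches the digest recorded for `name` in the .hash file."""
    algo, expected = entries[name]
    if algo == "none":  # Buildroot allows 'none' for files it cannot pin; treat as unverified
        return False
    return hashlib.new(algo, data).hexdigest() == expected


def assess_package(mk_text, hash_text, downloads):
    """Return (version, findings) for a package tree.

    `downloads` maps filename -> bytes of what was actually fetched.
    An empty findings list means: not a backdoored version, the tarball
    named by XZ_SOURCE has a hash entry, and every download matches it.
    """
    version = parse_mk_version(mk_text)
    findings = []
    if version in BACKDOORED_XZ_VERSIONS:
        findings.append(f"xz {version} is a known backdoored release (CVE-2024-3094)")
    entries = parse_hash_file(hash_text)
    tarball = f"xz-{version}.tar.bz2"  # mirrors XZ_SOURCE = xz-$(XZ_VERSION).tar.bz2
    if tarball not in entries:
        findings.append(f"no hash entry for {tarball}")
    for name, data in downloads.items():
        if name not in entries:
            findings.append(f"{name} is not listed in the .hash file")
        elif not verify_blob(name, data, entries):
            findings.append(f"{name} does not match its recorded {entries[name][0]}")
    return version, findings


# --- Constructed sample input (a stand-in, not the real xz tarball or Buildroot files) ---
SAMPLE_TARBALL = b"constructed stand-in for xz-5.6.2.tar.bz2\n"
SAMPLE_MK = "XZ_VERSION = 5.6.2\nXZ_SOURCE = xz-$(XZ_VERSION).tar.bz2\n"
SAMPLE_HASH = (
    "# Locally calculated after checking pgp signature\n"
    f"sha256  {hashlib.sha256(SAMPLE_TARBALL).hexdigest()}  xz-5.6.2.tar.bz2\n"
)


if __name__ == "__main__":
    ver, problems = assess_package(SAMPLE_MK, SAMPLE_HASH,
                                   {"xz-5.6.2.tar.bz2": SAMPLE_TARBALL})
    print(ver, problems or "OK")
```

Pointing `assess_package` at the real package/xz/xz.mk, package/xz/xz.hash and the bytes of the fetched tarball gives the same three answers a reviewer wants after a bump: the version is not one of the two backdoored releases, the .hash file has an entry for exactly the tarball XZ_SOURCE names, and the bytes on disk match it. A `none` entry is reported as a mismatch on purpose, so an unpinned download never passes silently.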
Thread overview: 23+ messages
2024-06-12 13:57 [Buildroot] [PATCH v2 1/5] package/xz: bump version to 5.4.7 Peter Seiderer via buildroot
2024-06-12 13:57 ` [Buildroot] [PATCH v2 2/5] package/xz: bump version to 5.6.2 Peter Seiderer via buildroot
2024-06-12 15:48 ` Julien Olivain [this message]
2024-06-24 13:42 ` Arnout Vandecappelle via buildroot
2024-06-12 13:57 ` [Buildroot] [PATCH v2 3/5] package/xz: determine all autoconf options Peter Seiderer via buildroot
2024-06-24 13:44 ` Arnout Vandecappelle via buildroot
2024-06-12 13:57 ` [Buildroot] [PATCH v2 4/5] package/xz: enable year2038 option Peter Seiderer via buildroot
2024-06-24 13:46 ` Arnout Vandecappelle via buildroot
2024-06-12 13:57 ` [Buildroot] [PATCH v2 5/5] package/xz: convert to cmake build Peter Seiderer via buildroot
2024-06-24 13:52 ` Arnout Vandecappelle via buildroot
2024-06-25 9:56 ` yann.morin
2024-06-25 11:11 ` yann.morin
2024-06-26 8:36 ` Peter Seiderer via buildroot
2024-06-26 19:32 ` Yann E. MORIN
2024-06-27 7:50 ` Peter Seiderer via buildroot
2024-06-27 7:57 ` Peter Seiderer via buildroot
2024-06-27 8:26 ` Peter Seiderer via buildroot
2024-06-27 11:16 ` yann.morin
2024-07-02 12:47 ` Peter Seiderer via buildroot
2024-06-24 13:41 ` [Buildroot] [PATCH v2 1/5] package/xz: bump version to 5.4.7 Arnout Vandecappelle via buildroot
2024-07-08 10:04 ` Peter Korsgaard
2024-07-08 12:54 ` Peter Seiderer via buildroot
2024-07-08 12:57 ` Peter Seiderer via buildroot