Openembedded Core Discussions
From: Denys Dmytriyenko <denis@denix.org>
To: Fathi Boudra <fathi.boudra@linaro.org>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>,
	Martin Jansa <martin.jansa@gmail.com>,
	Alexander Kanavin <alex.kanavin@gmail.com>,
	Mark Hatle <mark.hatle@kernel.crashing.org>,
	Marta Rybczynska <rybczynska@gmail.com>,
	OE-core <openembedded-core@lists.openembedded.org>,
	wangmy@fujitsu.com
Subject: Re: [OE-core] [PATCH 36/36] xz: upgrade 5.4.6 -> 5.6.1 _WARNING_
Date: Mon, 1 Apr 2024 15:02:10 -0400
Message-ID: <20240401190210.GQ6072@denix.org>
In-Reply-To: <CAGNsrLBM7DptiF-7t_B5aK=v_uBcYD52Ksp2ebgS44Ny0NvxaA@mail.gmail.com>

On Mon, Apr 01, 2024 at 11:42:51AM +0200, Fathi Boudra wrote:
> On Sat, 30 Mar 2024 at 17:18, Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
> >
> > On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote:
> > > From what is publicly known, it injected malicious code (through an m4
> > > macro using a payload hidden in an obfuscated compressed test file) into
> > > the built liblzma.so.5, which then hijacks the RSA_public_decrypt call, e.g. in
> > > sshd (when sshd is built with a patch adding systemd notifications,
> > > which brings a liblzma dependency into sshd, e.g. on Debian- and Ubuntu-
> > > based systems).
> > >
> > > The build systems which just built this xz version shouldn't be
> > > affected (as it won't be using the liblzma.so from the OE build on
> > > the host).
> > >
> > > This publicly known part should be OK for OE, but it's right to be
> > > worried about the other things which aren't known (not only from
> > > these guys or from xz project).
> >
> > I concur.
> >
> > It is worrying but I've kind of been expecting something like this for
> > a while unfortunately.
> >
> > We need to watch what is going on and act accordingly if/as anything
> > else becomes known.
> 
> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
> 
> Distros have downgraded to older releases, still trying to figure out
> which version to use.

While the 5.4.6 version we upgraded to in February was not yet compromised, 
the project was already being taken over by Jia Tan, who moved releases to a controlled 
subdomain of xz.tukaani.org hosted off of GitHub directly, preparing for the 
malicious releases 5.6.0 and 5.6.1. So we pointed to the GitHub location 
accordingly:

https://git.openembedded.org/openembedded-core/commit/?id=9cc6c809c154019afe3bf6e6d617eab640faa4d0
https://git.openembedded.org/openembedded-core/commit/?id=5be69fc3ff6296411c736e5c7c9522d99c0be2c6

But GitHub has suspended the project and associated developer accounts. The 
original maintainer has posted some details on this matter here:

https://tukaani.org/xz-backdoor/

Again, the 5.4.6 tarball wasn't compromised, but it is no longer accessible from 
GitHub - should we revert to 5.4.5, which was hosted on the original site? 
Though it should be mirrored...

-- 
Denys
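As an added illustration (not code from this thread or from the xz or OE projects) of the exposure chain Martin describes above, the check below classifies a host by two facts: whether its sshd actually loads liblzma (via the systemd-notify dependency) and whether the installed xz is one of the two backdoored releases named in the thread. The ldd output is a constructed sample, and the version string is assumed to come from the package manager or `xz --version`.

```python
import re

# Constructed sample of `ldd /usr/sbin/sshd` on a distro whose sshd carries
# the systemd-notify patch: libsystemd drags in liblzma, as the thread notes.
SAMPLE_LDD = """\
    linux-vdso.so.1 (0x00007ffd3c5e1000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a3a000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a39f00000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1a39e00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a39c00000)
"""

# The two releases the thread (and CVE-2024-3094) identify as backdoored.
BACKDOORED = {(5, 6, 0), (5, 6, 1)}


def parse_version(text):
    """Turn '5.6.1' or a distro string like '5.6.1-1' into (5, 6, 1)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable xz version: {text!r}")
    return tuple(int(x) for x in m.groups())


def liblzma_paths(ldd_output):
    """Return the resolved liblzma paths sshd would load (empty if not linked)."""
    paths = []
    for line in ldd_output.splitlines():
        m = re.match(r"\s*liblzma\.so\.\d+\s*=>\s*(\S+)", line)
        if m:
            paths.append(m.group(1))
    return paths


def assess(ldd_output, xz_version):
    """Classify exposure of an sshd host to the liblzma backdoor.

    CRITICAL       - backdoored xz installed AND sshd loads liblzma
    BACKDOORED_LIB - backdoored xz installed, but sshd does not load it
    LINKED_CLEAN   - sshd loads liblzma, xz version not in the known-bad set
    OK             - neither condition holds
    """
    linked = bool(liblzma_paths(ldd_output))
    bad = parse_version(xz_version) in BACKDOORED
    if bad and linked:
        return "CRITICAL"
    if bad:
        return "BACKDOORED_LIB"
    return "LINKED_CLEAN" if linked else "OK"
```

A build system that merely compiled xz (the case Martin calls out as safe for OE) would show no liblzma under its host sshd, so the version check alone decides its result.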

