Revert [liblzma] update to version 5.6.0 (#37199) #37841
Conversation
Please note that the malicious actor has also been responsible for quite a few earlier xz releases including 5.4.4 and contributed somewhat suspicious PRs against libarchive, so it might be prudent to take a closer look at 5.4.4 or revert to an even older release still made by Lasse Collin (even though the
@@ -42,7 +41,7 @@ set(exec_prefix "\${prefix}") | |||
set(libdir "\${prefix}/lib") | |||
set(includedir "\${prefix}/include") | |||
set(PACKAGE_URL https://tukaani.org/xz/) | |||
set(PACKAGE_VERSION "${VERSION}") | |||
set(PACKAGE_VERSION 5.4.3) |
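Review bot: replacing `set(PACKAGE_VERSION "${VERSION}")` with the literal `set(PACKAGE_VERSION 5.4.3)` decouples the version written into the generated config files from the version the port actually builds, so the two can silently drift (the thread already notes the port installs 5.4.4). Suggest passing the port's version into this file from the portfile rather than hardcoding it, or at minimum keeping the literal in step with the installed version so downstream version checks are not misled.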
btw. this mismatches with the actually installed version 5.4.4
That's true; I'm trying to keep the same git-tree here though. Will look at fixing that after this lands
Oh dear. Was there anything that I could have done to spot this? @Neustradamus, as the one requesting the update, you might be affected by this. Edit: For clarification, I am not casting blame on @Neustradamus here for requesting the update. That would be silly. I am mentioning them as I am worried that they might need to take measures to protect themselves from the backdoor.
Their repo's down - no versions of the port work now. Does anyone know what's going on, did GitHub themselves do it or if not, have they made any announcements on when they'll put it back up?
Yea GitHub has probably just broken many many many many things by doing something that rash. I imagine every Linux distro is now unable to build lol. Libxz is not a small time dependency. Vcpkg will now have to keep its own source copy somewhere.
They must have had very good reasons. If I had distributed software with an affected version of liblzma, I would now be unable to distribute an update with an unaffected version.
And now they are about to have a few thousand forks of liblzma on github with no forking history because people are copying https://git.tukaani.org/xz.git and backing it up to github to get their build systems going.
Before it got down I git cloned it (from github): https://github.com/gastonmorixe/xz
This appears to be version 5.6.1 that contains the backdoor. I do not see any measures to remove it. This might be harmful. You might at the very least want to revert all changes since the last version that is known not to be affected.
Well I wrote in the repo description that it is a backup. It's for researchers and that's why I published here so it helps. I personally reported the authors of the vulnerability on GitHub but I don't agree with Github's action of completely taking it down, there was a lot of constructive discussion and it's all gone.
I don't think so. Clearly they got into Debian and Fedora and SUSE and a few other things too. Our stance has always been that we give you what upstream gives you. There's really no defense from upstream becoming malicious.
It's a hard decision to choose between breaking people or continuing to distribute malicious code. I would have made the same one.
I think they should have reverted it (to the last safe commit), but I guess that's probably not possible
My understanding (based partially on Alpine Linux's patch) is that it should be fine, because only half of the backdoor was actually committed, and the other half was injected into the official tarballs (which that repo isn't distributing)
XZ is very widely used. It's absolutely not your job to audit every update. Literally none of the package maintainers noticed it, it was accidentally spotted by someone doing some benchmarking
This PR doesn't seem to work. When I run:
I get this error, which is still pointing to the disabled tukaani-project/xz repository, so the URL fails to load.
@BillyONeal I think you should reference this mirror https://github.com/bminor/xz/archive/refs/tags/v5.4.4.tar.gz rather than the original repo https://github.com/tukaani-project/xz/archive/v5.4.4.tar.gz which has been disabled by GitHub.
Hello all, I have found it :/
This PR does not attempt to change the source from github to anything else, it just changes it to not try to grab the known vulnerable one. We don't have a path forward for a canonical source at this time.
@BillyONeal agreed but for anyone who just wants to get their build working again, please make the following one-liner change:
Warning, some people attack me because I have requested the XZ update. Linked to:
@Neustradamus I hope you did not mistake my mention of you as an attack. It was never meant as such and I am sorry, if you felt that way. I was/am worried that you might be affected by the backdoor and need to take measures on your end. If you meant that somebody else was attacking you, then that is just silly. They might as well attack me for updating the version here without noticing a backdoor.
As far as I know, the official git https://git.tukaani.org/ still works.
... but shouldn't be trusted in this case.
The official XZ team announcement is here: Important to know: There is no problem with contributors here like @carsten-grimm. But several people mix all because I have requested the XZ update in vcpkg. @gowthamgts has participated on HN against me badly and I have commented on two places where he has commented (on my SCRAM request publications):
You can look here the original comment:
You can follow my announcements here:
The good point, people speak about SCRAM "Salted Challenge Response Authentication Mechanism" security ;) Badly, some people or projects like only old unsecure mechanisms, some would like security improvements.
However, we don't know if it has the load balancing to feed everybody's CI.
This didn't work for me. However, when I added this to my top level:

    "overrides": [
      {"name": "liblzma", "version": "5.4.0"}
    ]
Commits were made today, April 9, to the xz.git repository on the Tukaani website to remove the files responsible for the xz backdoor. See the shortlog and this commit. A new tag (release) has not yet been posted. According to the xz backdoor status page on the Tukaani site:
The GitHub repository has done a comeback too: Note that there are 5.4.5 (2023-11-01) and 5.4.6 (2024-01-26) release builds too:
@teo-tsirpanis has done a PR about the new XZ version (5.6.2) here: cc: @carsten-grimm. Linked to:
Official XZ links:
Resolves #37839
Reverts #37199
See https://www.openwall.com/lists/oss-security/2024/03/29/4
Note that the version database is unmodified, only the baseline is changed.
Because vcpkg builds liblzma from cmake sources downloaded from github and this backdoor required modifications only present in the release tarballs, it is our belief that vcpkg customers are not affected by this problem. However, we are reverting this version out of an abundance of caution as the threat actor clearly has broad access to liblzma infrastructure, and because we believe customers will start flagging this package by version as being a problem.
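The PR description above rests on a distinction a packager can check mechanically: what the git tree contains versus what the release tarball contains. The script below is an added example for this thread, not vcpkg's or xz's code; it hashes every regular file in a source checkout and in a tarball, strips the tarball's top-level directory, and reports files only in the tarball, files only in the tree, and files whose content differs. The toy tree and tarball it builds are constructed in a temporary directory with made-up file names.

```python
"""Compare a release tarball against a source tree (for example a git
checkout of the matching tag) and report what the tarball adds, drops or
changes relative to that tree.

Added example, not vcpkg's or xz's own code. The sample tree and tarball
are constructed below; their file names are made up for the demonstration.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digests(tree_dir):
    """Map relative POSIX path -> sha256 for every regular file under
    tree_dir, skipping .git (checkout metadata a tarball never carries)."""
    root = Path(tree_dir)
    digests = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if rel.parts and rel.parts[0] == ".git":
            continue
        digests[rel.as_posix()] = _sha256(path.read_bytes())
    return digests


def tarball_digests(tar_path):
    """Map path -> sha256 for regular files in the tarball, dropping the
    single top-level directory release tarballs nest everything under."""
    digests = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = PurePosixPath(member.name).parts
            rel = PurePosixPath(*parts[1:]).as_posix() if len(parts) > 1 else member.name
            digests[rel] = _sha256(tf.extractfile(member).read())
    return digests


def compare_tarball_to_tree(tar_path, tree_dir):
    """Return the three deviation lists a reviewer wants to eyeball."""
    tree = tree_digests(tree_dir)
    tar = tarball_digests(tar_path)
    common = set(tar) & set(tree)
    return {
        "only_in_tarball": sorted(set(tar) - set(tree)),
        "only_in_tree": sorted(set(tree) - set(tar)),
        "content_differs": sorted(p for p in common if tar[p] != tree[p]),
    }


def build_fixture(base_dir):
    """Construct a toy checkout and a tarball that deviates from it."""
    tree = Path(base_dir) / "checkout"
    (tree / "src").mkdir(parents=True)
    (tree / "README").write_bytes(b"toy project\n")
    (tree / "src" / "lib.c").write_bytes(b"int f(void) { return 1; }\n")
    (tree / "configure.ac").write_bytes(b"AC_INIT\n")

    tar_path = Path(base_dir) / "toy-1.0.tar.gz"
    with tarfile.open(tar_path, "w:gz") as tf:
        def add(name, data):
            info = tarfile.TarInfo("toy-1.0/" + name)  # release-style prefix
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add("README", b"toy project\n")
        add("src/lib.c", b"int f(void) { return 1; }\n")
        add("configure.ac", b"AC_INIT\nAC_EXTRA\n")  # modified vs checkout
        add("constructed_only_in_tarball.m4", b"dnl constructed\n")  # absent from checkout
    return str(tar_path), str(tree)


def demo():
    """Build the constructed fixture and run the comparison on it."""
    with tempfile.TemporaryDirectory() as d:
        tar_path, tree = build_fixture(d)
        return compare_tarball_to_tree(tar_path, tree)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

Real autotools tarballs legitimately carry generated files (configure, Makefile.in, and the like) that are not in git, so in practice the "only_in_tarball" list is filtered against an allowlist of expected build products; anything left over, and any entry in "content_differs", is what deserves a diff against the tag before the port's hash is updated.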