Re: XZ Utils Compromised Releases

2024-03-29 Thread Fred Wright


On Fri, 29 Mar 2024, Blair Zajac wrote:

> I’m seeing it at 5.6.1 in our GitHub repository:
> https://github.com/macports/macports-ports/blob/master/archivers/xz/Portfile

Ah, OK.  The 5.4.6 was based on a selfupdate from two days ago.

>> On Mar 29, 2024, at 10:40 AM, Fred Wright wrote:
>>
>> CCing the users list so they don't panic. :-)

That didn't work since I don't subscribe to that list.  Someone should 
post something there, since the original message was.


Fred Wright

Re: XZ Utils Compromised Releases

2024-03-29 Thread Kirill A. Korinsky
On Fri, 29 Mar 2024 18:50:35 +0100,
Rainer Müller wrote:
> 
> > In [1] they mention reverting to 5.4.5 to fix it.  It's not 100% clear
> > from that whether 5.4.6 is affected, but it sounds like it's not.  Since
> > MacPorts is currently at 5.4.6, the port is probably OK as long as it
> > doesn't do any overzealous upgrading.
> 
> The xz port was updated to 5.6.1 just two days ago:
> https://github.com/macports/macports-ports/commit/784e59f99e51adbadc663b1b689d66363adf193a
> 
> Based on the current information, the risk seems low for macOS systems.
> Should we still be cautious and revert to version 5.4.6 and bump the
> epoch to force a downgrade for everyone? Or do we expect a new upstream
> release soon to sort this out?
> 

Better to roll back the version and communicate somehow that it is paranoia.

-- 
wbr, Kirill


Re: XZ Utils Compromised Releases

2024-03-29 Thread Joshua Root

A friendly reminder: if there's an issue, please file a ticket!

The one exception to that is if there's a vulnerability that has not 
been made public, in which case contacting the port maintainer and 
possibly portmgr privately is appropriate.


Discussing issues on the mailing lists, commenting about them on PRs, or 
chatting about them on IRC are all fine, but none are a substitute for a 
Trac ticket. :)


- Josh


Re: XZ Utils Compromised Releases

2024-03-29 Thread Rainer Müller
On 29/03/2024 18.52, Blair Zajac wrote:
> In https://www.openwall.com/lists/oss-security/2024/03/29/4
>  it says
> 
> == Bug reports ==
> 
> Given the apparent upstream involvement I have not reported an upstream
> bug….
> 
> 
> I suggest not waiting for an upstream release and instead revert our
> commit and add an epoch line.

You are right. That is the best way as we cannot be sure what else just
has not been discovered in the backdoored releases.

Joshua already pushed the downgrade to xz @5.4.6 with the epoch bumped.
Thank you!

https://trac.macports.org/ticket/69619
https://github.com/macports/macports-ports/commit/a1388aee09c9e921e3a9d47cf9d37e5d3f3c10ad

Rainer


Re: XZ Utils Compromised Releases

2024-03-29 Thread Blair Zajac
In https://www.openwall.com/lists/oss-security/2024/03/29/4 it says

== Bug reports ==

Given the apparent upstream involvement I have not reported an upstream
bug….

I suggest not waiting for an upstream release and instead revert our commit and 
add an epoch line.

Blair

> On Mar 29, 2024, at 10:50 AM, Rainer Müller wrote:
> 
> On 29/03/2024 18.40, Fred Wright wrote:
>> 
>> On Fri, 29 Mar 2024, Frank Dean wrote:
>> 
>>> I received a security announcement on the Debian mailing list [1].  It
>>> appears versions 5.6.0 of XZ Utils and later may be compromised.  I
>>> also found a discussion on Openwall [2].
>>> 
>>> 
>>> [1]:
>>> https://lists.debian.org/debian-security-announce/2024/msg00057.html
>>> 
>>> 
>>> [2]: https://www.openwall.com/lists/oss-security/2024/03/29/4
>>> 
>>> 
>>> 
>>> I'm afraid that's all I know.  Just a heads-up.
> 
> Wow. That's an awful story.
> 
> The exploit seems to specifically target Linux systems only ("[...] it
> is likely the backdoor can only work on glibc based systems.").
> 
>> In [1] they mention reverting to 5.4.5 to fix it.  It's not 100% clear
>> from that whether 5.4.6 is affected, but it sounds like it's not.  Since
>> MacPorts is currently at 5.4.6, the port is probably OK as long as it
>> doesn't do any overzealous upgrading.
> 
> The xz port was updated to 5.6.1 just two days ago:
> https://github.com/macports/macports-ports/commit/784e59f99e51adbadc663b1b689d66363adf193a
> 
> Based on the current information, the risk seems low for macOS systems.
> Should we still be cautious and revert to version 5.4.6 and bump the
> epoch to force a downgrade for everyone? Or do we expect a new upstream
> release soon to sort this out?
> 
> Rainer
> 



Re: XZ Utils Compromised Releases

2024-03-29 Thread Rainer Müller
On 29/03/2024 18.40, Fred Wright wrote:
> 
> On Fri, 29 Mar 2024, Frank Dean wrote:
> 
>> I received a security announcement on the Debian mailing list [1].  It
>> appears versions 5.6.0 of XZ Utils and later may be compromised.  I
>> also found a discussion on Openwall [2].
>>
>>
>> [1]:
>> https://lists.debian.org/debian-security-announce/2024/msg00057.html
>> 
>>
>> [2]: https://www.openwall.com/lists/oss-security/2024/03/29/4
>> 
>>
>>
>> I'm afraid that's all I know.  Just a heads-up.

Wow. That's an awful story.

The exploit seems to specifically target Linux systems only ("[...] it
is likely the backdoor can only work on glibc based systems.").

> In [1] they mention reverting to 5.4.5 to fix it.  It's not 100% clear
> from that whether 5.4.6 is affected, but it sounds like it's not.  Since
> MacPorts is currently at 5.4.6, the port is probably OK as long as it
> doesn't do any overzealous upgrading.

The xz port was updated to 5.6.1 just two days ago:
https://github.com/macports/macports-ports/commit/784e59f99e51adbadc663b1b689d66363adf193a

Based on the current information, the risk seems low for macOS systems.
Should we still be cautious and revert to version 5.4.6 and bump the
epoch to force a downgrade for everyone? Or do we expect a new upstream
release soon to sort this out?

Rainer


Re: XZ Utils Compromised Releases

2024-03-29 Thread Blair Zajac
I’m seeing it at 5.6.1 in our GitHub repository:
https://github.com/macports/macports-ports/blob/master/archivers/xz/Portfile

We should roll it back to an older release and bump the epoch so everyone sees 
the rollback.

Blair

> On Mar 29, 2024, at 10:40 AM, Fred Wright wrote:
> 
> 
> On Fri, 29 Mar 2024, Frank Dean wrote:
> 
>> I received a security announcement on the Debian mailing list [1].  It 
>> appears versions 5.6.0 of XZ Utils and later may be compromised.  I also 
>> found a discussion on Openwall [2].
>> 
>> 
>> [1]: https://lists.debian.org/debian-security-announce/2024/msg00057.html 
>> 
>> 
>> [2]: https://www.openwall.com/lists/oss-security/2024/03/29/4 
>> 
>> 
>> 
>> I'm afraid that's all I know.  Just a heads-up.
> 
> In [1] they mention reverting to 5.4.5 to fix it.  It's not 100% clear from 
> that whether 5.4.6 is affected, but it sounds like it's not.  Since MacPorts 
> is currently at 5.4.6, the port is probably OK as long as it doesn't do any 
> overzealous upgrading.
> 
> CCing the users list so they don't panic. :-)
> 
> Fred Wright
> 
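The epoch bump Blair and Rainer ask for works because MacPorts compares epochs before versions, so a reverted 5.4.6 with a higher epoch still counts as newer than an installed 5.6.1. The following shell script is an added example, not MacPorts' own code; the comparison rule it models and the helper names (vercmp, will_replace, is_affected) are assumptions, and the installed-version scenario is constructed.

```shell
#!/bin/sh
# Added example (not MacPorts code): why an epoch bump forces a downgrade.
# Assumption: a port replaces the installed version when its epoch is higher,
# or when the epoch is equal and its dotted version compares higher.

# vercmp A B: prints -1, 0 or 1 comparing two dotted numeric versions.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"            # leading component of each
        [ "$ah" = "$a" ] && a="" || a="${a#*.}" # drop it from the remainder
        [ "$bh" = "$b" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"            # missing component counts as 0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# will_replace INST_EPOCH INST_VERSION PORT_EPOCH PORT_VERSION
# Succeeds (exit 0) when the port would replace what is installed.
will_replace() {
    [ "$3" -gt "$1" ] && return 0
    [ "$3" -lt "$1" ] && return 1
    [ "$(vercmp "$4" "$2")" -eq 1 ]
}

# is_affected VERSION: 5.6.0 and later, as the Debian advisory quoted
# in this thread states.
is_affected() {
    [ "$(vercmp "$1" 5.6.0)" -ge 0 ]
}

# Constructed scenario: a user installed xz @5.6.1 (epoch 0) from the
# updated port, and the Portfile is then reverted to 5.4.6.
if will_replace 0 5.6.1 0 5.4.6; then
    echo "epoch 0: 5.4.6 replaces 5.6.1"
else
    echo "epoch 0: 5.4.6 is not newer; port upgrade leaves 5.6.1 installed"
fi
if will_replace 0 5.6.1 1 5.4.6; then
    echo "epoch 1: 5.4.6 replaces 5.6.1, the downgrade is forced"
fi
```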



Re: XZ Utils Compromised Releases

2024-03-29 Thread Fred Wright



On Fri, 29 Mar 2024, Frank Dean wrote:

> I received a security announcement on the Debian mailing list [1].  It appears 
> versions 5.6.0 of XZ Utils and later may be compromised.  I also found a 
> discussion on Openwall [2].
> 
> [1]: https://lists.debian.org/debian-security-announce/2024/msg00057.html 
> 
> [2]: https://www.openwall.com/lists/oss-security/2024/03/29/4 
> 
> I'm afraid that's all I know.  Just a heads-up.


In [1] they mention reverting to 5.4.5 to fix it.  It's not 100% clear 
from that whether 5.4.6 is affected, but it sounds like it's not.  Since 
MacPorts is currently at 5.4.6, the port is probably OK as long as it 
doesn't do any overzealous upgrading.


CCing the users list so they don't panic. :-)

Fred Wright


XZ Utils Compromised Releases

2024-03-29 Thread Frank Dean

I received a security announcement on the Debian mailing list [1].  It appears 
versions 5.6.0 of XZ Utils and later may be compromised.  I also found a 
discussion on Openwall [2].


[1]: https://lists.debian.org/debian-security-announce/2024/msg00057.html 


[2]: https://www.openwall.com/lists/oss-security/2024/03/29/4 



I'm afraid that's all I know.  Just a heads-up.