Source: xz-utils
Source-Version: 5.6.1+really5.4.5-1
Severity: important

(Maybe this even deserves to be serious, dunno.)

Hi!

The last upload by the Security Team reverted the version, but that
does not necessarily include regenerating the system initramfs, as
brought up in a comment on LWN, although directed at RedHat/Fedora
systems. It is detectable in Debian and derivatives with something like:

  ,---
  for i in /boot/initrd.img*; do
    echo "$i:"
    # list the image's contents and show any liblzma from the 5.6 series
    lsinitramfs "$i" | grep 'liblzma\.so\.5\.6'
  done
  `---

I suggested this to the Security Team some days ago, but I guess they
have their hands full, and a bug report here seems more appropriate.

I initially was thinking that a conditionally triggered activation
when upgrading from the affected versions would be sufficient, but if
people have already upgraded, then that will still leave them with the
malicious stuff in their initramfs.

So I guess adding an unconditional:

  ,--- liblzma5.triggers ---
  activate-noawait update-initramfs
  `---

should do, but I have not tested the integration.

Thanks,
Guillem

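A fuller version of the check described in the report, as an added example that is not part of the bug report or of the xz-utils packaging: it scans every initramfs under /boot for a liblzma from the affected 5.6.x series and prints the update-initramfs invocation that would rebuild each affected image. It assumes initramfs-tools (lsinitramfs, update-initramfs) is installed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report. Scans every initramfs under
# /boot for a liblzma from the affected 5.6.x series and prints the
# update-initramfs command that would regenerate each affected image.
# Assumes initramfs-tools (lsinitramfs, update-initramfs) is installed.
set -u

# Return 0 if the initramfs listing on stdin contains a liblzma.so.5.6[.x]
# file (the series named in the report), 1 otherwise.
listing_has_affected_liblzma() {
    grep -qE '(^|/)liblzma\.so\.5\.6(\.[0-9]+)?$'
}

# Strip the /boot/initrd.img- prefix to get the kernel version string that
# "update-initramfs -k" expects.
kernel_version_from_image() {
    printf '%s\n' "${1#/boot/initrd.img-}"
}

# The command an admin would run to rebuild one image.
regen_command() {
    printf 'update-initramfs -u -k %s\n' "$(kernel_version_from_image "$1")"
}

# Print each affected image followed by its regeneration command;
# exit status 1 when at least one image is affected, 0 otherwise.
scan_boot() {
    found=0
    for img in /boot/initrd.img-*; do
        [ -e "$img" ] || continue    # glob matched nothing
        if lsinitramfs "$img" 2>/dev/null | listing_has_affected_liblzma; then
            found=1
            printf '%s still contains liblzma 5.6.x; run:\n  %s\n' \
                "$img" "$(regen_command "$img")"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo 'No initramfs under /boot contains liblzma 5.6.x.'
    fi
    return "$found"
}

# Only scan when invoked with --scan, so sourcing the file for its
# functions has no side effects.
if [ "${1:-}" = "--scan" ]; then
    scan_boot
fi
```

Run it as `sh scan-initrd.sh --scan`; a non-zero exit means at least one image still needs to be regenerated.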