On Sat, Mar 30, 2024 at 01:57:22PM +0100, Jan Palus wrote:
> On 30.03.2024 01:49, arekm wrote:
> > commit b369fe78b7b4a02e900fb6fe7ac035a9bba39436
> > Author: Arkadiusz Miśkiewicz <ar...@maven.pl>
> > Date:   Fri Mar 29 23:50:59 2024 +0100
> >
> >     Revert back to 5.4.6 as 5.6.x are BACKDOORED!
> >     https://www.openwall.com/lists/oss-security/2024/03/29/4
> >
> >  xz.spec | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > ---
> > diff --git a/xz.spec b/xz.spec
> > index a36b5df..8094d11 100644
> > --- a/xz.spec
> > +++ b/xz.spec
> > @@ -19,8 +19,8 @@ Summary: LZMA Encoder/Decoder
> >  Summary(pl.UTF-8): Koder/Dekoder LZMA
> >  Name: xz
> >  Version: 5.4.6
> > -Release: 1
> > -Epoch: 1
> > +Release: 2
> > +Epoch: 2
> >  License: LGPL v2.1+, helper scripts on GPL v2+
> >  Group: Applications/Archiving
> >  Source0: https://github.com/tukaani-project/xz/releases/download/v%{version}/%{name}-%{version}.tar.bz2
>
> Some notes from what I've gathered so far from a rather lengthy HN
> thread:
>
> - main backdoor appears to affect /usr/sbin/sshd on x86_64 with liblzma
>   being pulled in as an indirect dependency. liblzma can be loaded by
>   libsystemd if sshd was built with additional systemd patches which PLD
>   does not use (unlike Debian and Fedora). So _possibly_ PLD is not
>   affected
>
> - despite that some claims start to surface that going back to 5.4.6
>   might not be enough so let's see how this drama develops
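Review bot: the line that actually forces the downgrade in this hunk is "-Epoch: 1" / "+Epoch: 2", since rpm compares Epoch before Version and a 5.6.x package already built from this spec would otherwise keep sorting above 5.4.6; that reasoning deserves a comment next to the Epoch line or in the changelog, because an Epoch can never be lowered again. Note also that the hunk leaves "Version: 5.4.6" unchanged, so the "Revert back to 5.4.6" in the subject is not visible in this diff; a subject along the lines of "bump Epoch to force downgrade from backdoored 5.6.x" would describe what the change does.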
Hi there,

I checked manually that the 5.6.1 version from this build [1] seems not
to be vulnerable (I verified it using the signature provided in the
original post [2]).

My suspicion is that it was not activated because of the failure of the
following check on the build machine. The check is a part of the
malicious script which decides if the backdoor should be planted.

[...]
if test "x$CC" != 'xgcc' > /dev/null 2>&1;then
exit 0
fi
[...]

The condition fails because CC set during the build is different:
'CC=x86_64-pld-linux-gcc'

However, please note that there might be additional components within
the package unknown to us at present.

Regards,
Mateusz

[1] http://buildlogs.pld-linux.org//index.php?dist=th&arch=x86_64&ok=1&ns=&cnt=50&off=0&name=xz&id=0a127d4c-eda2-4f14-aedf-4a69d79b5b80&action=text
[2] https://seclists.org/oss-sec/2024/q1/268

_______________________________________________
pld-devel-en mailing list
pld-devel-en@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
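Jan's note above hinges on two facts from the thread: liblzma only reaches sshd when it is mapped into the process (indirectly, through libsystemd on distributions that patch sshd for it), and the 5.6.x series is the one called backdoored. The following script is an added example, not code from the thread or from PLD; it reads /proc/<pid>/maps-format text, lists any liblzma mapped into the process and flags a 5.6.x one, which is the read-only check a defender would run against a live sshd. The sample maps are constructed, and the "affected" verdict is only a version match, which is exactly as far as the thread's own caveat about 5.4.6 lets it go.

```shell
#!/bin/sh
# Added example (not from the thread): report which liblzma, if any, is
# mapped into a process, using /proc/<pid>/maps-format input on stdin.
# Sample maps below are constructed for offline use, not captured.

# Print the distinct liblzma paths found in maps-format lines on stdin.
# Field 6 of a maps line is the backing path; anonymous mappings have none.
lzma_mappings() {
    awk '$6 ~ /liblzma\.so/ { print $6 }' | sort -u
}

# Classify one liblzma path: "affected" for the 5.6.x series the thread
# identifies as backdoored, "ok" for any other version.
lzma_verdict() {
    case "$1" in
        *liblzma.so.5.6.*) echo affected ;;
        *) echo ok ;;
    esac
}

# Summarise maps-format text on stdin. Per-library detail goes to stderr;
# stdout carries a single verdict:
#   none      - no liblzma mapped at all
#   ok        - liblzma mapped, but not 5.6.x
#   affected  - a 5.6.x liblzma is mapped
check_maps() {
    result=none
    for lib in $(lzma_mappings); do
        v=$(lzma_verdict "$lib")
        echo "  $lib ($v)" >&2
        if [ "$v" = affected ]; then
            result=affected
        elif [ "$result" = none ]; then
            result=ok
        fi
    done
    echo "$result"
}

# Live use on one process, e.g. check_pid "$(pgrep -o -x sshd)".
check_pid() {
    check_maps < "/proc/$1/maps"
}

# Constructed sample: sshd built with systemd patches, liblzma 5.6.1 mapped
# through libsystemd (two mappings of the same file, deduplicated above).
SAMPLE_PATCHED='7f1a00000000-7f1a00020000 r--p 00000000 fd:01 1001 /usr/sbin/sshd
7f1a00400000-7f1a00480000 r-xp 00000000 fd:01 2002 /usr/lib64/libsystemd.so.0.38.0
7f1a00900000-7f1a00930000 r-xp 00000000 fd:01 3003 /usr/lib64/liblzma.so.5.6.1
7f1a00930000-7f1a00931000 r--p 00030000 fd:01 3003 /usr/lib64/liblzma.so.5.6.1
7ffd12340000-7ffd12361000 rw-p 00000000 00:00 0 [stack]'

# Constructed sample: sshd without the systemd patches, no liblzma mapped.
SAMPLE_PLAIN='7f1a00000000-7f1a00020000 r--p 00000000 fd:01 1001 /usr/sbin/sshd
7f1a00400000-7f1a00480000 r-xp 00000000 fd:01 2002 /usr/lib64/libcrypto.so.3
7ffd12340000-7ffd12361000 rw-p 00000000 00:00 0 [stack]'

# Constructed sample: liblzma mapped, but the downgraded 5.4.6 build.
SAMPLE_DOWNGRADED='7f1a00900000-7f1a00930000 r-xp 00000000 fd:01 3003 /usr/lib64/liblzma.so.5.4.6'

# Stand-alone run: one verdict per constructed sample.
for s in PATCHED PLAIN DOWNGRADED; do
    eval "m=\$SAMPLE_$s"
    printf '%s: %s\n' "$s" "$(printf '%s\n' "$m" | check_maps 2>/dev/null)"
done
```

The maps file is used instead of ldd because it reflects what is actually loaded into the running process, including libraries pulled in at run time, which is the indirect path the thread describes; ldd only resolves the static link graph.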