On 3/29/24 17:50, Oliver Webb wrote:
>> > ah, crap, that's another thing to put on the riscv64 to-do list...
>> > (thanks for bringing that to light!)
>>
>> so, TIL that upstream already added a risc-v bcj implementation...
>
> I always thought that the xz decompressor we use in toybox ("xz-embedded")
> and the main one (The one with the CVE) were different projects (Separate
> git repos, one is much slower than the other, etc).

The exploit was somebody checked a "test case" into the build system that
hacked the rest of the build with an x86-64 binary blob that linked before
the other functions?

https://youtu.be/jqjtNDtbDNI

I was only halfway paying attention once I was sure it didn't affect toybox.
My systems here use dropbear for ssh anyway, yes including my laptop. :)

> That being said, there are 0BSD licensed parts in the xz repo
> (one of SIX different licenses).

Huh, really? Cool...

>> (rob will of course be delighted to hear of systemd's involvement in
>> the exploit chain :-) )
>
> Who would've known that an over-complicated, extremely large hairball with
> a massive dependency chain that tries to consume _everything_ makes it easy
> to perform exploits.

Deleted long grumbling about adding complexity probably means you're
_reducing_ security because the system is less auditable: a signing chain of
custody is still GIGO it just means it was delivered to you by TIVO with a
mandatory EULA so you can't personally FIX it...

Ahem. Tangent. Not going there.

Rob