* Linux xz issue
@ 2024-03-29 22:43 Ron Murray
2024-03-30 10:14 ` Achim Gratz
0 siblings, 1 reply; 4+ messages in thread
From: Ron Murray @ 2024-03-29 22:43 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 773 bytes --]
There is a serious security issue with xz (and liblzma) versions 5.6.0-1
and 5.6.1-1. I note that cywin currently is suggesting an upgrade to
5.6.1-1, which is unsafe. I've looked at the cygwin archives and I don't
see a reference to this: sorry if you're already aware of this issue.
References:
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://access.redhat.com/security/cve/CVE-2024-3094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/
Thanks,
.....Ron
--
Ron Murray <rjmx@rjmx.net>
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Linux xz issue
2024-03-29 22:43 Linux xz issue Ron Murray
@ 2024-03-30 10:14 ` Achim Gratz
0 siblings, 0 replies; 4+ messages in thread
From: Achim Gratz @ 2024-03-30 10:14 UTC (permalink / raw)
To: cygwin
Am 29.03.2024 um 23:43 schrieb Ron Murray via Cygwin:
> There is a serious security issue with xz (and liblzma) versions 5.6.0-1
> and 5.6.1-1. I note that cywin currently is suggesting an upgrade to
> 5.6.1-1, which is unsafe. I've looked at the cygwin archives and I don't
> see a reference to this: sorry if you're already aware of this issue.
Based on what I know so far (and I can't check in detail right now)
Cygwin is likely not affected: it isn't Linux, nor does it use glibc or
systemd and also not the patch for OpenSSH that allows the backdoor to
get activated. So, the code injection into liblzma5 has very likely not
been performed during the build (I will check that, but it will take a
week or so) and even if it did it could not work on Cygwin.
Beyond that, the version 5.4.6 that everybody is currently reverting to
(and is also still available for Cygwin if you want to go back) was
already released when the presumed bad actor was co-maintainer and their
involvement goes back even farther based on the Xz developer mailing
list. The repository has been deactivated by GitHub so I can't check
there, but there is already some discussion about rolling back to 5.3.1
or thereabouts.
Please note that the account in question has also landed some code in
libarchive which is likely going to get reverted. From the looks of it
there were a few sock-puppet accounts that were supporting the
activities and it remains to be seen where else these might turn up.
--
Achim.
(on the road :-)
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Linux xz issue
2024-04-01 4:15 Keith Thompson
@ 2024-04-01 8:11 ` Keith Thompson
0 siblings, 0 replies; 4+ messages in thread
From: Keith Thompson @ 2024-04-01 8:11 UTC (permalink / raw)
To: The Cygwin Mailing List; +Cc: Keith Thompson
On Sun, Mar 31, 2024 at 9:15 PM Keith Thompson
<Keith.S.Thompson@gmail.com> wrote:
>
> Achim Gratz Stromeko@Nexgo.DE wrote:
> > Beyond that, the version 5.4.6 that everybody is currently reverting to
> > (and is also still available for Cygwin if you want to go back) was
> > already released when the presumed bad actor was co-maintainer and their
> > involvement goes back even farther based on the Xz developer mailing
> > list. The repository has been deactivated by GitHub so I can't check
> > there, but there is already some discussion about rolling back to 5.3.1
> > or thereabouts.
>
> The GitHub repo at <https://github.com/tukaani-project/xz> has been
> deactivated, but there's another xz repo (likely the original one)
> at <https://github.com/tukaani-project/xz>. The most recent commit
> in that repo is "CMake: Fix sabotaged Landlock sandbox check.".
>
> I have no inside knowledge about any of this.
>
> I'm running the Cygwin setup right now. It reverts the xz package
> from 5.6.1-1 to 5.4.6-1. Only 5.4.2-1 and 5.4.6-1 are available.
Sorry, I pasted the same link twice.
The deactivated GitHub repo is:
https://github.com/tukaani-project/xz
The tukaani.org repo (still active) is:
https://git.tukaani.org/xz.git
Thanks to oskar for pointing out my error.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Linux xz issue
@ 2024-04-01 4:15 Keith Thompson
2024-04-01 8:11 ` Keith Thompson
0 siblings, 1 reply; 4+ messages in thread
From: Keith Thompson @ 2024-04-01 4:15 UTC (permalink / raw)
To: The Cygwin Mailing List; +Cc: Keith Thompson
Achim Gratz Stromeko@Nexgo.DE wrote:
> Beyond that, the version 5.4.6 that everybody is currently reverting to
> (and is also still available for Cygwin if you want to go back) was
> already released when the presumed bad actor was co-maintainer and their
> involvement goes back even farther based on the Xz developer mailing
> list. The repository has been deactivated by GitHub so I can't check
> there, but there is already some discussion about rolling back to 5.3.1
> or thereabouts.
The GitHub repo at <https://github.com/tukaani-project/xz> has been
deactivated, but there's another xz repo (likely the original one)
at <https://github.com/tukaani-project/xz>. The most recent commit
in that repo is "CMake: Fix sabotaged Landlock sandbox check.".
I have no inside knowledge about any of this.
I'm running the Cygwin setup right now. It reverts the xz package
from 5.6.1-1 to 5.4.6-1. Only 5.4.2-1 and 5.4.6-1 are available.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-04-01 8:11 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-03-29 22:43 Linux xz issue Ron Murray
2024-03-30 10:14 ` Achim Gratz
2024-04-01 4:15 Keith Thompson
2024-04-01 8:11 ` Keith Thompson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).