To: cygwin@cygwin.com
From: Achim Gratz
Subject: Re: Linux xz issue
Date: Sat, 30 Mar 2024 11:14:53 +0100
On 29.03.2024 at 23:43, Ron Murray via Cygwin wrote:
> There is a serious security issue with xz (and liblzma) versions 5.6.0-1
> and 5.6.1-1. I note that Cygwin currently is suggesting an upgrade to
> 5.6.1-1, which is unsafe. I've looked at the Cygwin archives and I don't
> see a reference to this: sorry if you're already aware of this issue.

Based on what I know so far (and I can't check in detail right now) Cygwin is likely not affected: it isn't Linux, nor does it use glibc or systemd, and it also doesn't use the patch for OpenSSH that allows the backdoor to get activated. So, the code injection into liblzma5 has very likely not been performed during the build (I will check that, but it will take a week or so), and even if it had, it could not work on Cygwin.

Beyond that, the version 5.4.6 that everybody is currently reverting to (and is also still available for Cygwin if you want to go back) was already released when the presumed bad actor was co-maintainer, and their involvement goes back even farther based on the xz developer mailing list. The repository has been deactivated by GitHub so I can't check there, but there is already some discussion about rolling back to 5.3.1 or thereabouts.

Please note that the account in question has also landed some code in libarchive which is likely going to get reverted. From the looks of it there were a few sock-puppet accounts that were supporting the activities, and it remains to be seen where else these might turn up.

-- 
Achim.
(on the road :-)
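As an added example (not part of the message above, nor of the Cygwin or xz projects), the following POSIX shell functions turn the thread's version statement into a quick local check: they parse the first line of `xz --version` output (assumed to have the upstream format "xz (XZ Utils) X.Y.Z") and flag the 5.6.0 and 5.6.1 releases named in the thread. The sample outputs at the bottom are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: classify an installed xz by the version it reports.
# Assumption: `xz --version` prints "xz (XZ Utils) X.Y.Z" on its first line.

# Extract the bare version number (e.g. "5.6.1") from `xz --version`
# output read on stdin; prints nothing if the first line does not match.
xz_version_from_output() {
    sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when the given version is one of the releases the thread names
# as carrying the injected code (5.6.0 and 5.6.1), 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Classify a full `xz --version` output string.
# Prints "affected", "not-affected", or "unknown" (output not parseable).
classify_xz_output() {
    v=$(printf '%s\n' "$1" | xz_version_from_output)
    if [ -z "$v" ]; then
        echo unknown
    elif xz_version_affected "$v"; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample outputs (hypothetical, not from a real machine).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# On a live system:  classify_xz_output "$(xz --version 2>/dev/null)"
```

This only matches version numbers; it says nothing about whether a particular build of liblzma actually contains the injected code, which is the separate check the author says will take a week. It also does not consider the older releases that the thread mentions as candidates for a further rollback.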