
List:       ipfire-development
Subject:    Re: [PATCH] xz: Revert back to version 5.4.5 due to backdoor issue
From:       Michael Tremer <michael.tremer () ipfire ! org>
Date:       2024-03-30 13:05:33
Message-ID: 0C997945-E0C7-4C7D-B339-DA2FC33D6AC1 () ipfire ! org

Ah okay, I do that all the time :) I just wanted to make sure that the configuration change you made didn't get lost.

> On 30 Mar 2024, at 12:56, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi Michael,
> 
> On 30/03/2024 13:28, Michael Tremer wrote:
> > Hello,
> > Thank you. I merged this. The patch did add a couple of empty new lines at the end of the file again?!
> I think that was just a plain and simple error on my part.
> 
> So that I didn't have to do a build then get the updated rootfile from the log and then repeat the build with the new rootfile, I copied and pasted the rootfile from CU183. I did see two blank lines at the end of the file and I deleted them and then "saved the file". I think I didn't correctly save the file with the two blank lines deleted.
> 
> No problem with the editor only with the fingers controlling the editor faster than the brain controlling the fingers :-)
> 
> Regards,
> 
> Adolf.
> > -Michael
> > > On 30 Mar 2024, at 08:14, Adolf Belka <adolf.belka@ipfire.org> wrote:
> > > 
> > > - xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have been one of the xz devs.
> > > - IPFire looks not to be affected by the problem as we don't patch openssh to be linked with liblzma
> > > - However due to question marks about what else might be in these 5.6.x versions it is better to revert back to a version that did not have the build-to-host.m4 file with the code that modifies the build if it meets certain criteria.
> > > 
> > > Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> > > ---
> > > config/rootfiles/common/xz | 34 +++++++++++++++++++++++-----------
> > > lfs/xz                     |  6 ++++--
> > > 2 files changed, 27 insertions(+), 13 deletions(-)
> > > 
> > > diff --git a/config/rootfiles/common/xz b/config/rootfiles/common/xz
> > > index 73c0e4d24..f3818a083 100644
> > > --- a/config/rootfiles/common/xz
> > > +++ b/config/rootfiles/common/xz
> > > @@ -41,18 +41,17 @@ usr/bin/xzmore
> > > #usr/lib/liblzma.la
> > > #usr/lib/liblzma.so
> > > usr/lib/liblzma.so.5
> > > -usr/lib/liblzma.so.5.6.1
> > > +usr/lib/liblzma.so.5.4.5
> > > #usr/lib/pkgconfig/liblzma.pc
> > > #usr/share/doc/xz
> > > #usr/share/doc/xz/AUTHORS
> > > #usr/share/doc/xz/COPYING
> > > -#usr/share/doc/xz/COPYING.0BSD
> > > #usr/share/doc/xz/COPYING.GPLv2
> > > #usr/share/doc/xz/NEWS
> > > #usr/share/doc/xz/README
> > > #usr/share/doc/xz/THANKS
> > > +#usr/share/doc/xz/TODO
> > > #usr/share/doc/xz/api
> > > -#usr/share/doc/xz/api/COPYING.CC-BY-SA-4.0
> > > #usr/share/doc/xz/api/annotated.html
> > > #usr/share/doc/xz/api/base_8h.html
> > > #usr/share/doc/xz/api/bc_s.png
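Review bot: Swapping usr/lib/liblzma.so.5.6.1 for usr/lib/liblzma.so.5.4.5 in the rootfile only changes what the new package ships; nothing in this two-file patch deletes the 5.6.1 library from a system that already installed it. If any build carrying 5.6.1 reached users or testers, add an explicit removal of usr/lib/liblzma.so.5.6.1 to the update step so the suspect object is not left on disk beside the 5.4.5 one.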
> > > @@ -121,15 +120,16 @@ usr/lib/liblzma.so.5.6.1
> > > #usr/share/doc/xz/api/tabs.css
> > > #usr/share/doc/xz/api/version_8h.html
> > > #usr/share/doc/xz/api/vli_8h.html
> > > -#usr/share/doc/xz/api/xz-logo.png
> > > #usr/share/doc/xz/examples
> > > #usr/share/doc/xz/examples/00_README.txt
> > > #usr/share/doc/xz/examples/01_compress_easy.c
> > > #usr/share/doc/xz/examples/02_decompress.c
> > > #usr/share/doc/xz/examples/03_compress_custom.c
> > > #usr/share/doc/xz/examples/04_compress_easy_mt.c
> > > -#usr/share/doc/xz/examples/11_file_info.c
> > > #usr/share/doc/xz/examples/Makefile
> > > +#usr/share/doc/xz/examples_old
> > > +#usr/share/doc/xz/examples_old/xz_pipe_comp.c
> > > +#usr/share/doc/xz/examples_old/xz_pipe_decomp.c
> > > #usr/share/doc/xz/faq.txt
> > > #usr/share/doc/xz/history.txt
> > > #usr/share/doc/xz/lzma-file-format.txt
> > > @@ -168,7 +168,6 @@ usr/lib/liblzma.so.5.6.1
> > > #usr/share/man/de/man1/lzless.1
> > > #usr/share/man/de/man1/lzma.1
> > > #usr/share/man/de/man1/lzmadec.1
> > > -#usr/share/man/de/man1/lzmainfo.1
> > > #usr/share/man/de/man1/lzmore.1
> > > #usr/share/man/de/man1/unlzma.1
> > > #usr/share/man/de/man1/unxz.1
> > > @@ -185,16 +184,21 @@ usr/lib/liblzma.so.5.6.1
> > > #usr/share/man/fr
> > > #usr/share/man/fr/man1
> > > #usr/share/man/fr/man1/lzcat.1
> > > +#usr/share/man/fr/man1/lzcmp.1
> > > +#usr/share/man/fr/man1/lzdiff.1
> > > #usr/share/man/fr/man1/lzless.1
> > > #usr/share/man/fr/man1/lzma.1
> > > #usr/share/man/fr/man1/lzmadec.1
> > > -#usr/share/man/fr/man1/lzmainfo.1
> > > +#usr/share/man/fr/man1/lzmore.1
> > > #usr/share/man/fr/man1/unlzma.1
> > > #usr/share/man/fr/man1/unxz.1
> > > #usr/share/man/fr/man1/xz.1
> > > #usr/share/man/fr/man1/xzcat.1
> > > +#usr/share/man/fr/man1/xzcmp.1
> > > #usr/share/man/fr/man1/xzdec.1
> > > +#usr/share/man/fr/man1/xzdiff.1
> > > #usr/share/man/fr/man1/xzless.1
> > > +#usr/share/man/fr/man1/xzmore.1
> > > #usr/share/man/ko
> > > #usr/share/man/ko/man1
> > > #usr/share/man/ko/man1/lzcat.1
> > > @@ -206,7 +210,6 @@ usr/lib/liblzma.so.5.6.1
> > > #usr/share/man/ko/man1/lzless.1
> > > #usr/share/man/ko/man1/lzma.1
> > > #usr/share/man/ko/man1/lzmadec.1
> > > -#usr/share/man/ko/man1/lzmainfo.1
> > > #usr/share/man/ko/man1/lzmore.1
> > > #usr/share/man/ko/man1/unlzma.1
> > > #usr/share/man/ko/man1/unxz.1
> > > @@ -246,16 +249,27 @@ usr/lib/liblzma.so.5.6.1
> > > #usr/share/man/pt_BR
> > > #usr/share/man/pt_BR/man1
> > > #usr/share/man/pt_BR/man1/lzcat.1
> > > +#usr/share/man/pt_BR/man1/lzcmp.1
> > > +#usr/share/man/pt_BR/man1/lzdiff.1
> > > +#usr/share/man/pt_BR/man1/lzegrep.1
> > > +#usr/share/man/pt_BR/man1/lzfgrep.1
> > > +#usr/share/man/pt_BR/man1/lzgrep.1
> > > #usr/share/man/pt_BR/man1/lzless.1
> > > #usr/share/man/pt_BR/man1/lzma.1
> > > #usr/share/man/pt_BR/man1/lzmadec.1
> > > -#usr/share/man/pt_BR/man1/lzmainfo.1
> > > +#usr/share/man/pt_BR/man1/lzmore.1
> > > #usr/share/man/pt_BR/man1/unlzma.1
> > > #usr/share/man/pt_BR/man1/unxz.1
> > > #usr/share/man/pt_BR/man1/xz.1
> > > #usr/share/man/pt_BR/man1/xzcat.1
> > > +#usr/share/man/pt_BR/man1/xzcmp.1
> > > #usr/share/man/pt_BR/man1/xzdec.1
> > > +#usr/share/man/pt_BR/man1/xzdiff.1
> > > +#usr/share/man/pt_BR/man1/xzegrep.1
> > > +#usr/share/man/pt_BR/man1/xzfgrep.1
> > > +#usr/share/man/pt_BR/man1/xzgrep.1
> > > #usr/share/man/pt_BR/man1/xzless.1
> > > +#usr/share/man/pt_BR/man1/xzmore.1
> > > #usr/share/man/ro
> > > #usr/share/man/ro/man1
> > > #usr/share/man/ro/man1/lzcat.1
> > > @@ -267,7 +281,6 @@ usr/lib/liblzma.so.5.6.1
> > > #usr/share/man/ro/man1/lzless.1
> > > #usr/share/man/ro/man1/lzma.1
> > > #usr/share/man/ro/man1/lzmadec.1
> > > -#usr/share/man/ro/man1/lzmainfo.1
> > > #usr/share/man/ro/man1/lzmore.1
> > > #usr/share/man/ro/man1/unlzma.1
> > > #usr/share/man/ro/man1/unxz.1
> > > @@ -292,7 +305,6 @@ usr/lib/liblzma.so.5.6.1
> > > #usr/share/man/uk/man1/lzless.1
> > > #usr/share/man/uk/man1/lzma.1
> > > #usr/share/man/uk/man1/lzmadec.1
> > > -#usr/share/man/uk/man1/lzmainfo.1
> > > #usr/share/man/uk/man1/lzmore.1
> > > #usr/share/man/uk/man1/unlzma.1
> > > #usr/share/man/uk/man1/unxz.1
> > > diff --git a/lfs/xz b/lfs/xz
> > > index cbec430d4..982392aa0 100644
> > > --- a/lfs/xz
> > > +++ b/lfs/xz
> > > @@ -24,7 +24,7 @@
> > > 
> > > include Config
> > > 
> > > -VER        = 5.6.1
> > > +VER        = 5.4.5
> > > 
> > > THISAPP    = xz-$(VER)
> > > DL_FILE    = $(THISAPP).tar.xz
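Review bot: The downgrade at "VER = 5.4.5" carries no marker in the file itself, so a later routine version bump could move it straight back to a 5.6.x release. Add a short comment above VER stating that the version is held at 5.4.5 on purpose and why, so the pin survives until the 5.6.x concerns in the commit message are resolved.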
> > > @@ -45,7 +45,7 @@ objects = $(DL_FILE)
> > > 
> > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> > > 
> > > -$(DL_FILE)_BLAKE2 = \
> > > 3a1cf93d7223eb57e78eabe828a3d623acac5824ada299470e3126692ef89d1648293aef32468d70a5289611969d5299180c1b373dfbda002a49f3afc729d925
> > >  +$(DL_FILE)_BLAKE2 = \
> > > 08d9afebd927ea5d155515a4c9eedda4d1a249f2b1ab6ada11f50e5b7a3c90b389b32378ab1c0872c7f4627de8dff37149d85e49f7f4d30614add37320ec4f3e
> > >  
> > > install : $(TARGET)
> > > 
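Review bot: The new $(DL_FILE)_BLAKE2 value comes with no statement of where the xz-5.4.5 archive was obtained or what the hash was compared against, and the commit message places the suspect code in a file shipped with the release (build-to-host.m4). Say in the commit message which copy of the 5.4.5 archive this hash was taken from, ideally the one this tree already used before the bump to 5.6.x, so the revert is not trusting a freshly downloaded file.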
> > > @@ -80,3 +80,5 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > > cd $(DIR_APP) && make install
> > > @rm -rf $(DIR_APP)
> > > @$(POSTBUILD)
> > > +
> > > +
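Review bot: The two added empty lines at the end of lfs/xz are unrelated to the revert and reintroduce trailing blank lines. Drop them so the last line of the file stays "@$(POSTBUILD)".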
> > > -- 
> > > 2.44.0
> > > 
> 
> -- 
> Sent from my laptop

