Re: Backdoor in upstream xz-utils
From: Felix Lechner
Subject: Re: Backdoor in upstream xz-utils
Date: Fri, 29 Mar 2024 13:39:59 -0700
Hi Ryan,
On Fri, Mar 29 2024, Ryan Prior wrote:
> I'm reading today that a backdoor is present in xz's upstream tarball
> (but not in git), starting at version 5.6.0. Source:
> https://www.openwall.com/lists/oss-security/2024/03/29/4
Thanks for sending this! This is an extremely serious vulnerability
with criminal intent. I cc'd guix-security@gnu.org just in case you
haven't.
> Guix currently packages xz-utils 5.2.8 as "xz" using the upstream
> tarball. [...] Should we switch from using upstream tarballs to some
> fork with more responsible maintainers?
Guix's habit of building from tarballs is a poor idea because tarballs
often differ. For example, maintainers may choose to ship a ./configure
script that is otherwise not present in Git (although a configure.ac
might be). Guix should build from Git.
> Is there a way we can blacklist known bad versions?
Having said all that, I am not sure Guix is affected.
On my systems, the 'detect.sh' script shows no reference to liblzma in
sshd. Everyone, please send additional reports.
Kind regards
Felix
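The two checks discussed in this message, written out as an added example (not the 'detect.sh' script the message refers to, and not Guix code): whether a binary such as sshd has liblzma among its dynamic dependencies, and which files a release tarball carries that the matching source tree (e.g. a Git checkout) does not, such as a shipped ./configure. The function names and the sample ldd text are constructed for this example.

```shell
#!/bin/sh
# Added example: two defender-side checks a packager can run by hand.
#   1. liblzma_in_ldd_output: is liblzma among a binary's dynamic deps?
#   2. tarball_extra_files: which files are in the tarball but not the tree?

# $1: text as printed by `ldd <binary>`. Prints "yes" or "no".
liblzma_in_ldd_output() {
    if printf '%s\n' "$1" | grep -q 'liblzma\.so'; then echo yes; else echo no; fi
}

# Resolve sshd on this host and inspect its dynamic dependencies.
# Prints yes/no; exit status 2 if sshd is not installed here.
check_sshd() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ ! -x "$sshd_path" ]; then echo "sshd not found"; return 2; fi
    liblzma_in_ldd_output "$(ldd "$sshd_path" 2>/dev/null)"
}

# $1: tarball (anything `tar tf` can read); $2: source tree directory
# (a Git checkout; its .git directory is ignored). Prints paths present
# in the tarball but absent from the tree, one per line, with the
# tarball's top-level directory prefix stripped.
tarball_extra_files() {
    tmp=$(mktemp -d) || return 1
    tar tf "$1" | sed 's#^[^/]*/##' | grep -v '/$' | grep . | sort -u > "$tmp/tar.lst"
    (cd "$2" && find . -type f ! -path './.git/*' | sed 's#^\./##' | sort -u) \
        > "$tmp/tree.lst"
    comm -23 "$tmp/tar.lst" "$tmp/tree.lst"
    rm -rf "$tmp"
}

# Constructed sample ldd output (not captured from a real host): the first
# binary links liblzma, the second does not.
SAMPLE_LDD_LINKED='linux-vdso.so.1 (0x00007ffc)
    libcrypto.so.3 => /lib/libcrypto.so.3 (0x00007f00)
    liblzma.so.5 => /lib/liblzma.so.5 (0x00007f01)
    libc.so.6 => /lib/libc.so.6 (0x00007f02)'
SAMPLE_LDD_CLEAN='linux-vdso.so.1 (0x00007ffc)
    libcrypto.so.3 => /lib/libcrypto.so.3 (0x00007f00)
    libc.so.6 => /lib/libc.so.6 (0x00007f02)'

# Run with --sshd to inspect the local sshd; with no arguments it only
# defines the functions and demonstrates the ldd check on the samples.
if [ "${1:-}" = "--sshd" ]; then
    check_sshd
else
    liblzma_in_ldd_output "$SAMPLE_LDD_LINKED"   # yes
    liblzma_in_ldd_output "$SAMPLE_LDD_CLEAN"    # no
fi
```

For a real package, run `tarball_extra_files xz-5.2.8.tar.gz ./xz-git` against a checkout of the matching tag and review every listed file, not just ./configure.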