49850 2024-04-01 10:39:30 +0300 Affected >= 5.4.3 2024-04-02 08:40:06 +0300 1 1 4 Development Sisyphus xz unstable x86_64 Linux NEW security P5 normal --- 1 zerg placeholder arseny glebfm iv ldv mcpain placeholder vt qa-sisyphus oldest_to_newest 243818 0 zerg 2024-04-01 10:39:30 +0300 https://packages.gentoo.org/packages/app-arch/xz-utils "Newer releases were signed by a potentially compromised upstream maintainer. There is no evidence that these releases contain malicious code, but masked out of an abundance of caution. See bug #928134. Affected packages >=app-arch/xz-utils-5.4.3" 243820 1 ldv 2024-04-01 10:56:31 +0300 Also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5 Do you thus suggest reverting the latest "5.2.5-2-gcf1ec551 -> 5.4.5" update? 243821 2 zerg 2024-04-01 11:10:15 +0300 (Ответ для Dmitry V. Levin на комментарий #1) > Also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5 Там до 5.3.1 предлагают. 243832 3 ldv 2024-04-01 12:58:42 +0300 (In reply to Sergey V Turchin from comment #2) > (Ответ для Dmitry V. Levin на комментарий #1) > > Also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5 > Там до 5.3.1 предлагают. Там же напоминают, что 5.3.x - это была нестабильная ветка, и если уж всё откатывать, то до 5.2.x. 243834 4 arseny 2024-04-01 13:29:59 +0300 (In reply to Dmitry V. Levin from comment #1) > Also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5 > > Do you thus suggest reverting the latest "5.2.5-2-gcf1ec551 -> 5.4.5" update? We won't be able to do that if some package has gotten a dependency on a symbol introduced in that update. The following dynamic symbols have been introduced in liblzma-5.4.5-alt1: % wget https://git.altlinux.org/tasks/338177/build/300/x86_64/rpms/liblzma-5.4.5-alt1.x86_64.rpm <...> % wget https://git.altlinux.org/tasks/archive/done/_284/291400/build/100/x86_64/rpms/liblzma-5.2.5-alt3.1.x86_64.rpm <...> % rpmpeek liblzma-5.2.5-alt3.1.x86_64.rpm eu-nm -B -D --defined-only lib64/liblzma.so.5 | cut -d' ' -f3 > eu-nm-B-D--defined-only-5.2.5-alt3.1.x86_64.txt % rpmpeek liblzma-5.4.5-alt1.x86_64.rpm eu-nm -B -D --defined-only lib64/liblzma.so.5 | cut -d' ' -f3 > eu-nm-B-D--defined-only-5.4.5-alt1.x86_64.txt diff -u eu-nm-B-D--defined-only-5.*.txt --- eu-nm-B-D--defined-only-5.2.5-alt3.1.x86_64.txt 2024-04-01 11:54:22.883000000 +0300 +++ eu-nm-B-D--defined-only-5.4.5-alt1.x86_64.txt 2024-04-01 11:55:46.284000000 +0300 @@ -1,5 +1,8 @@ XZ_5.0 +XZ_5.1.2alpha XZ_5.2 +XZ_5.2.2 +XZ_5.4 lzma_alone_decoder lzma_alone_encoder lzma_auto_decoder @@ -14,11 +17,13 @@ lzma_block_header_size lzma_block_total_size lzma_block_uncomp_encode +lzma_block_uncomp_encode lzma_block_unpadded_size lzma_check_is_supported lzma_check_size lzma_code lzma_cputhreads +lzma_cputhreads lzma_crc32 lzma_crc64 lzma_easy_buffer_encode @@ -26,15 +31,18 @@ lzma_easy_encoder lzma_easy_encoder_memusage lzma_end +lzma_file_info_decoder lzma_filter_decoder_is_supported lzma_filter_encoder_is_supported lzma_filter_flags_decode lzma_filter_flags_encode lzma_filter_flags_size lzma_filters_copy +lzma_filters_free lzma_filters_update lzma_get_check lzma_get_progress +lzma_get_progress lzma_index_append lzma_index_block_count lzma_index_buffer_decode @@ -65,11 +73,14 @@ lzma_index_stream_size lzma_index_total_size lzma_index_uncompressed_size +lzma_lzip_decoder lzma_lzma_preset lzma_memlimit_get lzma_memlimit_set lzma_memusage lzma_mf_is_supported +lzma_microlzma_decoder +lzma_microlzma_encoder lzma_mode_is_supported lzma_physmem lzma_properties_decode @@ -81,12 +92,20 @@ lzma_raw_decoder_memusage lzma_raw_encoder lzma_raw_encoder_memusage +lzma_str_from_filters +lzma_str_list_filters +lzma_str_to_filters lzma_stream_buffer_bound lzma_stream_buffer_decode lzma_stream_buffer_encode lzma_stream_decoder +lzma_stream_decoder_mt lzma_stream_encoder lzma_stream_encoder_mt +lzma_stream_encoder_mt +lzma_stream_encoder_mt +lzma_stream_encoder_mt_memusage +lzma_stream_encoder_mt_memusage lzma_stream_encoder_mt_memusage lzma_stream_flags_compare lzma_stream_footer_decode 243835 5 arseny 2024-04-01 13:30:42 +0300 (In reply to Sergey V Turchin from comment #0) > https://packages.gentoo.org/packages/app-arch/xz-utils > "Newer releases were signed by a potentially compromised upstream > maintainer. There is no evidence that these releases contain malicious code, > but masked out of an abundance of caution. See bug #928134. > Affected packages > >=app-arch/xz-utils-5.4.3" Судя по коммитам от jiat85 начиная с 5.4.1, последнего релиза от Lasse, откатиться именно на 5.4.3 — очень странный вариант. Между 5.4.1 и 5.4.2 было много возни с inline doxygen в .h, в которой довольно легко потеряться. А вот между 5.4.2 и 5.4.5 я, вычитав в меру своего разумения (кроме того, что касается только сборки CMake), нашёл только вот эти подозрительные коммиты: cf8ba7c 4a4180c 773f1e8 68bda97 Видимо, правило про >= 5.4.3 касается конкретно версий, попавших в gentoo. С другой стороны, если считать, что начиная с появления у jiat85 коммит-прав весь репозиторий на tukaani.org с этого момента скомпрометирован, то 5.3.* тоже не годится и надо возвращаться на наш предыдущий релиз. 243837 6 mcpain 2024-04-01 13:34:10 +0300 (In reply to Arseny Maslennikov from comment #4) > The following dynamic symbols have been introduced in liblzma-5.4.5-alt1: > > lzma_block_uncomp_encode > +lzma_block_uncomp_encode > lzma_cputhreads > +lzma_cputhreads > lzma_get_progress > +lzma_get_progress > lzma_stream_encoder_mt > +lzma_stream_encoder_mt > +lzma_stream_encoder_mt > +lzma_stream_encoder_mt_memusage > +lzma_stream_encoder_mt_memusage > lzma_stream_encoder_mt_memusage Looks suspicious as repeated dynamic symbols being added 243838 7 ldv 2024-04-01 13:55:50 +0300 (In reply to Олег Соловьев from comment #6) > (In reply to Arseny Maslennikov from comment #4) > > The following dynamic symbols have been introduced in liblzma-5.4.5-alt1: > > > > lzma_block_uncomp_encode > > +lzma_block_uncomp_encode > > lzma_cputhreads > > +lzma_cputhreads > > lzma_get_progress > > +lzma_get_progress > > lzma_stream_encoder_mt > > +lzma_stream_encoder_mt > > +lzma_stream_encoder_mt > > +lzma_stream_encoder_mt_memusage > > +lzma_stream_encoder_mt_memusage > > lzma_stream_encoder_mt_memusage > > Looks suspicious as repeated dynamic symbols being added Being versioned, these are the least suspicious. For example: src/liblzma/common/common.c:389:LZMA_SYMVER_API("lzma_get_progress@XZ_5.2.2", src/liblzma/common/common.c:394:LZMA_SYMVER_API("lzma_get_progress@@XZ_5.2", src/liblzma/liblzma_linux.map:107: lzma_get_progress; src/liblzma/liblzma_linux.map:122: lzma_get_progress;