Bug 49850

Summary: Affected >= 5.4.3
Product: Sisyphus Reporter: Sergey V Turchin <zerg>
Component: xzAssignee: placeholder <placeholder>
Status: NEW --- QA Contact: qa-sisyphus
Severity: normal    
Priority: P5 CC: arseny, glebfm, iv, ldv, mcpain, placeholder, vseleznv, vt
Version: unstableKeywords: security
Hardware: x86_64   
OS: Linux   

Description Sergey V Turchin 2024-04-01 10:39:30 MSK
https://packages.gentoo.org/packages/app-arch/xz-utils
"Newer releases were signed by a potentially compromised upstream maintainer. There is no evidence that these releases contain malicious code, but masked out of an abundance of caution. See bug #928134.
Affected packages
>=app-arch/xz-utils-5.4.3"
Comment 1 Dmitry V. Levin 2024-04-01 10:56:31 MSK
Also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5

Do you thus suggest reverting the latest "5.2.5-2-gcf1ec551 -> 5.4.5" update?
Comment 2 Sergey V Turchin 2024-04-01 11:10:15 MSK
(Ответ для Dmitry V. Levin на комментарий #1)
> Also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5
Там до 5.3.1 предлагают.
Comment 3 Dmitry V. Levin 2024-04-01 12:58:42 MSK
(In reply to Sergey V Turchin from comment #2)
> (Ответ для Dmitry V. Levin на комментарий #1)
> > Also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5
> Там до 5.3.1 предлагают.

Там же напоминают, что 5.3.x - это была нестабильная ветка, и если уж всё откатывать, то до 5.2.x.
Comment 4 Arseny Maslennikov 2024-04-01 13:29:59 MSK
(In reply to Dmitry V. Levin from comment #1)
> Also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5
> 
> Do you thus suggest reverting the latest "5.2.5-2-gcf1ec551 -> 5.4.5" update?

We won't be able to do that if some package has gotten a dependency on a symbol introduced in that update.

The following dynamic symbols have been introduced in liblzma-5.4.5-alt1:

% wget https://git.altlinux.org/tasks/338177/build/300/x86_64/rpms/liblzma-5.4.5-alt1.x86_64.rpm
<...>
% wget https://git.altlinux.org/tasks/archive/done/_284/291400/build/100/x86_64/rpms/liblzma-5.2.5-alt3.1.x86_64.rpm
<...>
% rpmpeek liblzma-5.2.5-alt3.1.x86_64.rpm eu-nm -B -D --defined-only lib64/liblzma.so.5 | cut -d' ' -f3 > eu-nm-B-D--defined-only-5.2.5-alt3.1.x86_64.txt
% rpmpeek liblzma-5.4.5-alt1.x86_64.rpm eu-nm -B -D --defined-only lib64/liblzma.so.5 | cut -d' ' -f3 > eu-nm-B-D--defined-only-5.4.5-alt1.x86_64.txt
diff -u eu-nm-B-D--defined-only-5.*.txt
--- eu-nm-B-D--defined-only-5.2.5-alt3.1.x86_64.txt	2024-04-01 11:54:22.883000000 +0300
+++ eu-nm-B-D--defined-only-5.4.5-alt1.x86_64.txt	2024-04-01 11:55:46.284000000 +0300
@@ -1,5 +1,8 @@
 XZ_5.0
+XZ_5.1.2alpha
 XZ_5.2
+XZ_5.2.2
+XZ_5.4
 lzma_alone_decoder
 lzma_alone_encoder
 lzma_auto_decoder
@@ -14,11 +17,13 @@
 lzma_block_header_size
 lzma_block_total_size
 lzma_block_uncomp_encode
+lzma_block_uncomp_encode
 lzma_block_unpadded_size
 lzma_check_is_supported
 lzma_check_size
 lzma_code
 lzma_cputhreads
+lzma_cputhreads
 lzma_crc32
 lzma_crc64
 lzma_easy_buffer_encode
@@ -26,15 +31,18 @@
 lzma_easy_encoder
 lzma_easy_encoder_memusage
 lzma_end
+lzma_file_info_decoder
 lzma_filter_decoder_is_supported
 lzma_filter_encoder_is_supported
 lzma_filter_flags_decode
 lzma_filter_flags_encode
 lzma_filter_flags_size
 lzma_filters_copy
+lzma_filters_free
 lzma_filters_update
 lzma_get_check
 lzma_get_progress
+lzma_get_progress
 lzma_index_append
 lzma_index_block_count
 lzma_index_buffer_decode
@@ -65,11 +73,14 @@
 lzma_index_stream_size
 lzma_index_total_size
 lzma_index_uncompressed_size
+lzma_lzip_decoder
 lzma_lzma_preset
 lzma_memlimit_get
 lzma_memlimit_set
 lzma_memusage
 lzma_mf_is_supported
+lzma_microlzma_decoder
+lzma_microlzma_encoder
 lzma_mode_is_supported
 lzma_physmem
 lzma_properties_decode
@@ -81,12 +92,20 @@
 lzma_raw_decoder_memusage
 lzma_raw_encoder
 lzma_raw_encoder_memusage
+lzma_str_from_filters
+lzma_str_list_filters
+lzma_str_to_filters
 lzma_stream_buffer_bound
 lzma_stream_buffer_decode
 lzma_stream_buffer_encode
 lzma_stream_decoder
+lzma_stream_decoder_mt
 lzma_stream_encoder
 lzma_stream_encoder_mt
+lzma_stream_encoder_mt
+lzma_stream_encoder_mt
+lzma_stream_encoder_mt_memusage
+lzma_stream_encoder_mt_memusage
 lzma_stream_encoder_mt_memusage
 lzma_stream_flags_compare
 lzma_stream_footer_decode
Comment 5 Arseny Maslennikov 2024-04-01 13:30:42 MSK
(In reply to Sergey V Turchin from comment #0)
> https://packages.gentoo.org/packages/app-arch/xz-utils
> "Newer releases were signed by a potentially compromised upstream
> maintainer. There is no evidence that these releases contain malicious code,
> but masked out of an abundance of caution. See bug #928134.
> Affected packages
> >=app-arch/xz-utils-5.4.3"

Судя по коммитам от jiat85 начиная с 5.4.1, последнего релиза от Lasse, откатиться именно на 5.4.3 — очень странный вариант. Между 5.4.1 и 5.4.2 было много возни с inline doxygen в .h, в которой довольно легко потеряться. А вот между 5.4.2 и 5.4.5 я, вычитав в меру своего разумения (кроме того, что касается только сборки CMake), нашёл только вот эти подозрительные коммиты:

cf8ba7c
4a4180c
773f1e8
68bda97

Видимо, правило про >= 5.4.3 касается конкретно версий, попавших в gentoo.

С другой стороны, если считать, что начиная с появления у jiat85 коммит-прав весь репозиторий на tukaani.org с этого момента скомпрометирован, то 5.3.* тоже не годится и надо возвращаться на наш предыдущий релиз.
Comment 6 Олег Соловьев 2024-04-01 13:34:10 MSK
(In reply to Arseny Maslennikov from comment #4)
> The following dynamic symbols have been introduced in liblzma-5.4.5-alt1:
> 
>  lzma_block_uncomp_encode
> +lzma_block_uncomp_encode
>  lzma_cputhreads
> +lzma_cputhreads
>  lzma_get_progress
> +lzma_get_progress
>  lzma_stream_encoder_mt
> +lzma_stream_encoder_mt
> +lzma_stream_encoder_mt
> +lzma_stream_encoder_mt_memusage
> +lzma_stream_encoder_mt_memusage
>  lzma_stream_encoder_mt_memusage

Looks suspicious as repeated dynamic symbols being added
Comment 7 Dmitry V. Levin 2024-04-01 13:55:50 MSK
(In reply to Олег Соловьев from comment #6)
> (In reply to Arseny Maslennikov from comment #4)
> > The following dynamic symbols have been introduced in liblzma-5.4.5-alt1:
> > 
> >  lzma_block_uncomp_encode
> > +lzma_block_uncomp_encode
> >  lzma_cputhreads
> > +lzma_cputhreads
> >  lzma_get_progress
> > +lzma_get_progress
> >  lzma_stream_encoder_mt
> > +lzma_stream_encoder_mt
> > +lzma_stream_encoder_mt
> > +lzma_stream_encoder_mt_memusage
> > +lzma_stream_encoder_mt_memusage
> >  lzma_stream_encoder_mt_memusage
> 
> Looks suspicious as repeated dynamic symbols being added

Being versioned, these are the least suspicious.  For example:

src/liblzma/common/common.c:389:LZMA_SYMVER_API("lzma_get_progress@XZ_5.2.2",
src/liblzma/common/common.c:394:LZMA_SYMVER_API("lzma_get_progress@@XZ_5.2",
src/liblzma/liblzma_linux.map:107:      lzma_get_progress;
src/liblzma/liblzma_linux.map:122:      lzma_get_progress;