Mail Archives: cygwin/2024/03/30/06:16:04

To: cygwin AT cygwin DOT com
Subject: Re: Linux xz issue
Date: Sat, 30 Mar 2024 11:14:53 +0100
Message-ID: <uu8omt$tdd$1@ciao.gmane.io>
References: <em9acc6e7a-921f-4922-a5dd-77cc63657601 AT fece094b DOT com>
Mime-Version: 1.0
User-Agent: Mozilla Thunderbird
In-Reply-To: <em9acc6e7a-921f-4922-a5dd-77cc63657601@fece094b.com>
From: Achim Gratz via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Achim Gratz <Stromeko AT Nexgo DOT DE>

On 29.03.2024 at 23:43, Ron Murray via Cygwin wrote:
> There is a serious security issue with xz (and liblzma) versions 5.6.0-1 
> and 5.6.1-1. I note that Cygwin currently is suggesting an upgrade to 
> 5.6.1-1, which is unsafe. I've looked at the cygwin archives and I don't 
> see a reference to this: sorry if you're already aware of this issue.

Based on what I know so far (and I can't check in detail right now) 
Cygwin is likely not affected: it isn't Linux, nor does it use glibc or 
systemd and also not the patch for OpenSSH that allows the backdoor to 
get activated.  So, the code injection into liblzma5 has very likely not 
been performed during the build (I will check that, but it will take a 
week or so) and even if it did it could not work on Cygwin.

Beyond that, the version 5.4.6 that everybody is currently reverting to 
(and is also still available for Cygwin if you want to go back) was 
already released when the presumed bad actor was co-maintainer and their 
involvement goes back even farther based on the Xz developer mailing 
list.  The repository has been deactivated by GitHub so I can't check 
there, but there is already some discussion about rolling back to 5.3.1 
or thereabouts.

Please note that the account in question has also landed some code in 
libarchive which is likely going to get reverted.  From the looks of it 
there were a few sock-puppet accounts that were supporting the 
activities and it remains to be seen where else these might turn up.

-- 
Achim.

(on the road :-)
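As an added example (not part of Achim's or Ron's posts, nor anything from the Cygwin project), here is a small POSIX shell check that turns the version facts stated in the thread into a host-side triage: it classifies an xz/liblzma version string as one of the two versions named as carrying the backdoor (5.6.0, 5.6.1), as the 5.4.6 rollback target, or as unknown, and optionally probes the running host. The live probe assumes `xz --version` prints "xz (XZ Utils) N.N.N" on its first line and that `cygcheck -c xz liblzma5` prints one "package version status" line per package; both the package names and that output shape are assumptions here, not something the thread states. Run it as `sh xz-check.sh --check` on the box you want to audit.

```shell
#!/bin/sh
# Added example: classify installed xz / liblzma versions against the
# versions discussed in the thread. Not the project's own tooling.

AFFECTED_VERSIONS="5.6.0 5.6.1"   # versions the thread names as backdoored
SAFE_ROLLBACK="5.4.6"             # version the thread says people revert to

# Normalize a version string: drop Cygwin's package release suffix
# ("5.6.1-1" -> "5.6.1") and anything after the third numeric component.
xz_upstream_version() {
    printf '%s\n' "$1" | sed -E 's/-[0-9]+$//; s/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/'
}

# Print "affected", "rollback" or "unknown" for a version string.
xz_classify() {
    v=$(xz_upstream_version "$1")
    for a in $AFFECTED_VERSIONS; do
        if [ "$v" = "$a" ]; then echo affected; return 0; fi
    done
    if [ "$v" = "$SAFE_ROLLBACK" ]; then echo rollback; return 0; fi
    echo unknown
}

# Extract the version from the first line of `xz --version`
# (assumed format: "xz (XZ Utils) 5.6.1").
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9.]*\).*/\1/p'
}

# Extract one package's version from `cygcheck -c` output on stdin
# (assumed format: "<package> <version> <status>" per package line).
cygcheck_version() {
    awk -v pkg="$1" '$1 == pkg { print $2; exit }'
}

# Probe the current host: the xz binary on PATH and, on Cygwin, the
# installed package versions. Prints one classification per item.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        banner=$(xz --version 2>/dev/null | head -n 1)
        v=$(xz_version_from_banner "$banner")
        printf 'xz binary: %s -> %s\n' "${v:-?}" "$(xz_classify "$v")"
    fi
    if command -v cygcheck >/dev/null 2>&1; then
        out=$(cygcheck -c xz liblzma5 2>/dev/null)
        for p in xz liblzma5; do
            v=$(printf '%s\n' "$out" | cygcheck_version "$p")
            printf 'package %s: %s -> %s\n' "$p" "${v:-not installed}" "$(xz_classify "$v")"
        done
    fi
}

if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

A version match is only a first-pass signal: as the message says, whether the injected code was actually built into a given liblzma5 package is a separate question from the version number, so treat "affected" as "inspect further or revert", not as proof of a live backdoor, and treat "rollback" as "not one of the two named versions", not as a clean bill of health.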
