From: Rostislav Svoboda <rostislav.svoboda@gmail.com>
To: John Kehayias <john.kehayias@protonmail.com>
Cc: Felix Lechner <felix.lechner@lease-up.com>,
Ryan Prior <rprior@protonmail.com>,
Guix Devel <guix-devel@gnu.org>,
guix-security@gnu.org
Subject: Re: Backdoor in upstream xz-utils
Date: Sun, 31 Mar 2024 17:04:10 +0200 [thread overview]
Message-ID: <CAEtmmeyvTfc9aGNyWYYrRtVfsQUvOhP=2TNXnxZN=QWZbkuXtw@mail.gmail.com> (raw)
In-Reply-To: <87ttkon4c4.fsf@protonmail.com>
> >> Is there a way we can blacklist known bad versions?
>
> I'm not sure what you mean, but I don't think so.
For beginning, what about adding a short comment:
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 5de17b6b51..fd5ab7ba00 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -493,6 +493,8 @@ (define-public pbzip2
(define-public xz
(package
(name "xz")
+;;; Be reminded of the xz/liblzma backdoor in the versions 5.6.0 and 5.6.1!
+;;; See https://www.openwall.com/lists/oss-security/2024/03/29/4
(version "5.2.8")
(source (origin
(method url-fetch)
as a single commit, with an appropriate commit message. That's a bang
for pretty much no money.
> The main danger is in guix time-machine to the past
Good point. So then a little note here, too:
diff --git a/doc/guix.texi b/doc/guix.texi
index 69a904473c..60909adf5f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -5012,10 +5012,13 @@ Invoking guix time-machine
@quotation Note
The history of Guix is immutable and @command{guix time-machine}
provides the exact same software as they are in a specific Guix
-revision. Naturally, no security fixes are provided for old versions
-of Guix or its channels. A careless use of @command{guix time-machine}
-opens the door to security vulnerabilities. @xref{Invoking guix pull,
-@option{--allow-downgrades}}.
+revision. Naturally, no security fixes are provided for old versions of
+Guix or its channels. A careless use of @command{guix time-machine}
+opens the door to security vulnerabilities, or potentially even
+backdoors. (Do you remember the
+@uref{https://www.openwall.com/lists/oss-security/2024/03/29/4, backdoor
+in upstream xz/liblzma leading to ssh server compromise}?)
+@xref{Invoking guix pull, @option{--allow-downgrades}}.
@end quotation
Cheers Bost
prev parent reply other threads:[~2024-03-31 15:05 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-29 20:57 Backdoor in upstream xz-utils John Kehayias
2024-03-29 17:51 ` Ryan Prior
2024-03-29 20:39 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-03-29 20:55 ` Tomas Volf
2024-03-30 21:02 ` Ricardo Wurmus
2024-04-04 10:34 ` backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils) Giovanni Biscuolo
2024-04-04 15:12 ` Attila Lendvai
2024-04-04 16:47 ` Giovanni Biscuolo
2024-04-04 15:47 ` Giovanni Biscuolo
2024-04-04 19:48 ` Attila Lendvai
2024-04-04 20:32 ` Ekaitz Zarraga
2024-04-10 13:57 ` Ludovic Courtès
2024-04-11 12:43 ` Andreas Enge
2024-04-11 12:56 ` Ekaitz Zarraga
2024-04-11 13:49 ` Andreas Enge
2024-04-11 14:05 ` Ekaitz Zarraga
2024-04-13 0:14 ` Skyler Ferris
2024-04-19 14:31 ` Ludovic Courtès
2024-04-13 6:50 ` Giovanni Biscuolo
2024-04-13 10:26 ` Skyler Ferris
2024-04-13 12:47 ` Giovanni Biscuolo
2024-04-14 16:22 ` Skyler Ferris
2024-04-12 13:09 ` Attila Lendvai
2024-04-12 20:42 ` Ludovic Courtès
2024-04-13 6:13 ` Giovanni Biscuolo
2024-05-07 18:22 ` 3 kinds of bootstrap (was Re: backdoor injection via release tarballs combined with binary artifacts) Simon Tournier
2024-04-05 10:13 ` backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils) Giovanni Biscuolo
2024-04-05 14:51 ` Attila Lendvai
2024-04-13 7:42 ` Giovanni Biscuolo
2024-04-04 23:03 ` Ricardo Wurmus
2024-04-05 7:06 ` Giovanni Biscuolo
2024-04-05 7:39 ` Ricardo Wurmus
2024-04-05 16:52 ` Jan Wielkiewicz
2024-03-31 15:04 ` Rostislav Svoboda [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEtmmeyvTfc9aGNyWYYrRtVfsQUvOhP=2TNXnxZN=QWZbkuXtw@mail.gmail.com' \
--to=rostislav.svoboda@gmail.com \
--cc=felix.lechner@lease-up.com \
--cc=guix-devel@gnu.org \
--cc=guix-security@gnu.org \
--cc=john.kehayias@protonmail.com \
--cc=rprior@protonmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.