From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0.migadu.com ([2001:41d0:303:e16b::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms8.migadu.com with LMTPS id yLpyBa97CWae/QAAqHPOHw:P1 (envelope-from ) for ; Sun, 31 Mar 2024 17:05:19 +0200 Received: from aspmx1.migadu.com ([2001:41d0:303:e16b::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0.migadu.com with LMTPS id yLpyBa97CWae/QAAqHPOHw (envelope-from ) for ; Sun, 31 Mar 2024 17:05:19 +0200 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=h4z3SNNK; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1711897518; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=2ilyDz3oXWPpu0P2pbPFZzbIRsd5DpwK2JGcbNSFe4U=; b=Z7/Q7bpB1fEBs/OOfQPj5NMJnvgYlKbByrroqEEIml8wAhDfJ5d1LGnlm0Jfy0goFVZ3/O 1T8TXNbd32kURZekSxKXST0fAZvMu9aNZPHfKbb8LE1g1dZ6d1/KSc08EdzewK38wpn9nD O4J6cv8wDZvGd9o+04asqJuzVueR5/WpeeltFUEnD8IheAxxIhTbCCGXI3CA3wrZW4smef +JTEwaDSYwsFCXEXECgYceDSCzANx1uxLNqfDpfIt0bUM/T/C//SrGpiphuJy6HMNfsoHQ j4FKsNkmHnHvkOp6kpvETGVCGYLH4Ba8Qo7AtM6oWXb9zXXg+iIlCfDu2V2WaQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=h4z3SNNK; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=gmail.com ARC-Seal: i=1; s=key1; d=yhetil.org; t=1711897518; a=rsa-sha256; cv=none; b=L26m88u9sdJbVRN94czij9WifX1OtzpZhcB8E288O/ZT8lGdCjW3l9HVPMVw80ySNy+itu XMXOMoLcIXvqWXgaVNwsWb6+zt72owzSeKtPMvs7PCEvsU8ybCvNYUnpRTQQNA6vRGJSj9 UiTzJ+rG+6VGeyC/oc+ICQH75PKNhSen+E8mMaH8869xiKbO6ii4RflGt1OGrEFWbnV8kb Cd2+M684WhL9WCoTpp0gja+eIHJ41IKGWRtMsXCKNvOuNwuZ9QBf8D3FVBeq33oelYnB7R 6mgcVAwVbxt9BQojqsCTlFRIwuYFJTuPz5ySpnTLqvbp9Lh4+tB/mUW3abq4BA== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id D695E10EFF for ; Sun, 31 Mar 2024 17:05:18 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rqwk0-0002kr-5B; Sun, 31 Mar 2024 11:05:00 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rqwjt-0002ke-66; Sun, 31 Mar 2024 11:04:54 -0400 Received: from mail-qt1-x82d.google.com ([2607:f8b0:4864:20::82d]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1rqwjq-000582-CE; Sun, 31 Mar 2024 11:04:52 -0400 Received: by mail-qt1-x82d.google.com with SMTP id d75a77b69052e-432c7ecc79eso10712381cf.2; Sun, 31 Mar 2024 08:04:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711897487; x=1712502287; darn=gnu.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2ilyDz3oXWPpu0P2pbPFZzbIRsd5DpwK2JGcbNSFe4U=; b=h4z3SNNKq7A5BAhGxqIqNYlhiXZMxErGg20sRg7Gn2XGnIIK4dWoGLYPaH+qhwEhWf usBQC1WlKx0syKnjb0kTVVPGozLdujUpCg1ggLGVzeeVs02XeRe7zAK3PF4kwh1h6sR4 DqBgN+IAkMCqLMu+GqyN3NuMIHPBNkU2BhI4vYiN+pM7mvk6o7V4fJ5NH6sPCyFGQsEX LZ4AYLj+MgIJW6lz+9c+fHGjjiduAVzsITBGmjwhMz7fAuVO/fLIhYK65+7ysRbQrd4M WnODap9ED4oDQI1dOy471oSwPEakQcyItSiNCqwDm1YB6WCcB+HOZ/YBgkKjwBFKr2ON TVDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711897487; x=1712502287; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2ilyDz3oXWPpu0P2pbPFZzbIRsd5DpwK2JGcbNSFe4U=; b=hGptKst594RMyvG2oRsroxq7aXr15o/JxeAl9qblHOS4el8r1vdclJ5joV98V8AsiX l2dg54Fj81FJ8iQTKuiotnOJnj/C+19oXUtEf3SFJPAXZUyzt0GbdbZ4skodA0NHIJWK w72x7gINwLh+E581eSc7ayUCfwleHBHshd9zeZ0j0E6tiTpbyE7YV6KEanjPjpo2WNi/ 6X3tDHtRDZ4dt/4exiCmkhsFGE69NEBsBNS1EqrNaEpi1QaioYeQVAJLmncwxnFdacup aIeQQkzjS+6i0iS3TPeAxfW4VxQXNkuafEtvoq3HToWex0GlT1FCMjshCSKzytER60WE XQAQ== X-Forwarded-Encrypted: i=1; AJvYcCV5DWLZFyWrSVEDsGPDbU3uEpuBWUYJkkzDH+nC+vRUpM7wmR0xOdG2ZAsNUxi4U/bOG2zj4USrwTjwfoh5zz4wZD/WlbAoQ4RnKQIF9d4rtJxkSHc9eTInhQ== X-Gm-Message-State: AOJu0Yy9ZDPruTy/8wLZP7IGvULMJQhaZSTv8332OrHdB7AJY77kNe+q ZQm8HRR4jhqPz8clyf4XIkpevZGHcL2up93xwO03XtCBjtBPZsrgkE6gFvs53fjPTabkrT5a4je K6qCLJ7gokORx/riPeQiZ53bF7RY= X-Google-Smtp-Source: AGHT+IEerqyO/DuNukHnI+Uz3OLYtQ8iIQG4omlcQBcs4yPBWlxEPlBjuFxvg6SJ9YZ3Unm9MER1PZzwsb3RFaexLIs= X-Received: by 2002:a05:622a:c1:b0:432:b960:b14 with SMTP id p1-20020a05622a00c100b00432b9600b14mr9601595qtw.55.1711897487132; Sun, 31 Mar 2024 08:04:47 -0700 (PDT) MIME-Version: 1.0 References: <87ttkon4c4.fsf@protonmail.com> In-Reply-To: <87ttkon4c4.fsf@protonmail.com> From: Rostislav Svoboda Date: Sun, 31 Mar 2024 17:04:10 +0200 Message-ID: Subject: Re: Backdoor in upstream xz-utils To: John Kehayias Cc: Felix Lechner , Ryan Prior , Guix Devel , guix-security@gnu.org Content-Type: text/plain; charset="UTF-8" Received-SPF: pass client-ip=2607:f8b0:4864:20::82d; envelope-from=rostislav.svoboda@gmail.com; helo=mail-qt1-x82d.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-Spam-Score: -9.64 X-Migadu-Queue-Id: D695E10EFF X-Migadu-Scanner: mx13.migadu.com X-Migadu-Spam-Score: -9.64 X-TUID: WwJhciPlWbsg > >> Is there a way we can blacklist known bad versions? > > I'm not sure what you mean, but I don't think so. For beginning, what about adding a short comment: diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 5de17b6b51..fd5ab7ba00 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -493,6 +493,8 @@ (define-public pbzip2 (define-public xz (package (name "xz") +;;; Be reminded of the xz/liblzma backdoor in the versions 5.6.0 and 5.6.1! +;;; See https://www.openwall.com/lists/oss-security/2024/03/29/4 (version "5.2.8") (source (origin (method url-fetch) as a single commit, with an appropriate commit message. That's a bang for pretty much no money. > The main danger is in guix time-machine to the past Good point. So then a little note here, too: diff --git a/doc/guix.texi b/doc/guix.texi index 69a904473c..60909adf5f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -5012,10 +5012,13 @@ Invoking guix time-machine @quotation Note The history of Guix is immutable and @command{guix time-machine} provides the exact same software as they are in a specific Guix -revision. Naturally, no security fixes are provided for old versions -of Guix or its channels. A careless use of @command{guix time-machine} -opens the door to security vulnerabilities. @xref{Invoking guix pull, -@option{--allow-downgrades}}. +revision. Naturally, no security fixes are provided for old versions of +Guix or its channels. A careless use of @command{guix time-machine} +opens the door to security vulnerabilities, or potentially even +backdoors. (Do you remember the +@uref{https://www.openwall.com/lists/oss-security/2024/03/29/4, backdoor +in upstream xz/liblzma leading to ssh server compromise}?) +@xref{Invoking guix pull, @option{--allow-downgrades}}. @end quotation Cheers Bost