Date: Fri, 29 Mar 2024 21:55:59 +0100
From: Tomas Volf <~@wolfsden.cz>
To: Felix Lechner
Cc: Ryan Prior, Guix Devel, guix-security@gnu.org
Subject: Re: Backdoor in upstream xz-utils
In-Reply-To: <878r203h7k.fsf@lease-up.com>
References: <878r203h7k.fsf@lease-up.com>

Hello,

On 2024-03-29 13:39:59 -0700, Felix Lechner via Development of GNU Guix and the GNU System distribution. wrote:
>
> Is there a way we can blacklist known bad versions?
>
> Having said all that, I am not sure Guix is affected.
>
> On my systems, the 'detect.sh' script shows no reference to liblzma in
> sshd. Everyone, please send additional reports. If nothing else, our xz
> is at 5.2.8.

I think the question was if there is a way to blacklist a specific known tarball to ensure no one updates to it by accident. (I do not believe Guix would be vulnerable even when built from the malicious tarball, but that is a separate issue.)

Have a nice day,
Tomas

--
There are only two hard things in Computer Science: cache invalidation,
naming things and off-by-one errors.