[MacPorts] #69619: xz @5.6.1 reportedly backdoored
MacPorts
noreply at macports.org
Sat Mar 30 02:39:42 UTC 2024
#69619: xz @5.6.1 reportedly backdoored
---------------------+------------------------
Reporter: jmroot | Owner: ryandesign
Type: defect | Status: assigned
Priority: High | Milestone:
Component: ports | Version:
Resolution: | Keywords: security
Port: xz |
---------------------+------------------------
Comment (by ryandesign):
The main breakage that would result from downgrading further is that older
versions of the library, of course, have older version numbers, so we
would need to rebuild (i.e. increase the revision of) every port that
links with the library. To do that, we would first have to identify which
ports those are. There are 81 ports having xz in their `depends_lib`. If
we don't want to manually check each one to see whether it actually links
with the library, revbumping all 81 would be safest. For the 5.6.1->5.4.6
downgrade it was easy since 5.6.1 was only in MacPorts for a couple days
and based on the timestamps of the Portfiles that have xz in `depends_lib`
I think I've identified and rebuilt all two of the ports that were
modified during that time. Downgrading to earlier than 5.4.x would require
rebuilding every port that links with liblzma.
--
Ticket URL: <https://trac.macports.org/ticket/69619#comment:9>
MacPorts <https://www.macports.org/>
Ports system for macOS
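The check the comment describes (finding which binaries actually link with liblzma rather than revbumping everything that lists xz in `depends_lib`), as an added example that is not part of the original ticket or MacPorts tooling. It assumes the version number in question is the compatibility version that `otool -L` reports for each linked library, and that a binary needs a rebuild when the installed library provides a lower one; the sample output, paths and version numbers are constructed.

```python
import re

# Constructed sample of `otool -L` output; paths and version numbers are illustrative only.
SAMPLE_OTOOL = """\
/opt/local/bin/example-a:
\t/opt/local/lib/liblzma.5.dylib (compatibility version 11.0.0, current version 11.1.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.100.2)
/opt/local/bin/example-b:
\t/opt/local/lib/liblzma.5.dylib (compatibility version 9.0.0, current version 9.6.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.100.2)
/opt/local/bin/example-c:
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.100.2)
"""

DEP_RE = re.compile(r"^\s+(\S+) \(compatibility version ([\d.]+), current version ([\d.]+)\)$")

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def parse_otool(output):
    """Map each binary to a list of (install_name, required_compat_version)."""
    deps, current = {}, None
    for line in output.splitlines():
        m = DEP_RE.match(line)
        if m and current is not None:
            deps[current].append((m.group(1), parse_version(m.group(2))))
        elif line.endswith(":") and not line[:1].isspace():
            current = line[:-1]          # header line naming the inspected file
            deps[current] = []
    return deps

def classify(output, lib_basename, provided_compat):
    """Split binaries linking lib_basename into (needs rebuild, still loadable)."""
    provided = parse_version(provided_compat)
    rebuild, ok = [], []
    for binary, libs in parse_otool(output).items():
        for name, required in libs:
            if name.rsplit("/", 1)[-1] == lib_basename:
                (rebuild if required > provided else ok).append(binary)
    return sorted(rebuild), sorted(ok)

if __name__ == "__main__":
    # "10.0.0" stands in for the compatibility version of the downgraded library (assumed value).
    rebuild, ok = classify(SAMPLE_OTOOL, "liblzma.5.dylib", "10.0.0")
    print("rebuild:", rebuild)
    print("still loadable:", ok)
```

Binaries that do not reference the library at all, like `example-c` here, appear in neither list, which is the case that makes revbumping every dependent port a superset of what is strictly needed.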