XZ Utils Compromised Releases
Rainer Müller
raimue at macports.org
Fri Mar 29 17:50:35 UTC 2024
On 29/03/2024 18.40, Fred Wright wrote:
>
> On Fri, 29 Mar 2024, Frank Dean wrote:
>
>> I received a security announcement on the Debian mailing list [1]. It
>> appears versions 5.6.0 of XY Utils and later may be compromised. I
>> also found a discussion on Openwall [2].
>>
>>
>> [1]:
>> https://lists.debian.org/debian-security-announce/2024/msg00057.html
>> <https://lists.debian.org/debian-security-announce/2024/msg00057.html>
>>
>> [2]: https://www.openwall.com/lists/oss-security/2024/03/29/4
>> <https://www.openwall.com/lists/oss-security/2024/03/29/4>
>>
>>
>> I'm afraid that's all I know. Just a heads-up.
Wow. That's an awful story.
The exploit seems to specifically target Linux systems only ("[...] it
is likely the backdoor can only work on glibc based systems.").
> In [1] they mention reverting to 5.4.5 to fix it. It's not 100% clear
> from that whether 5.4.6 is affected, but it sounds like it's not. Since
> MacPorts is currently at 5.4.6, the port is probably OK as long as it
> doesn't do any overzealous upgrading.
The xz port was updated to 5.6.1 just two days ago:
https://github.com/macports/macports-ports/commit/784e59f99e51adbadc663b1b689d66363adf193a
Based on the current information, the risk seems low for macOS system.
Should we still be cautious and revert to version 5.4.6 and bump the
epoch to force a downgrade for everyone? Or do we expect a new upstream
release soon to sort this out?
Rainer
More information about the macports-dev
mailing list