XZ Utils Compromised Releases
Blair Zajac
blair at orcaware.com
Fri Mar 29 17:52:49 UTC 2024
In https://www.openwall.com/lists/oss-security/2024/03/29/4 it says
== Bug reports ==
Given the apparent upstream involvement I have not reported an upstream
bug….
I suggest not waiting for an upstream release and instead revert our commit and add an epoch line.
Blair
> On Mar 29, 2024, at 10:50 AM, Rainer Müller <raimue at macports.org> wrote:
>
> On 29/03/2024 18.40, Fred Wright wrote:
>>
>> On Fri, 29 Mar 2024, Frank Dean wrote:
>>
>>> I received a security announcement on the Debian mailing list [1]. It
>>> appears versions 5.6.0 of XZ Utils and later may be compromised. I
>>> also found a discussion on Openwall [2].
>>>
>>>
>>> [1]:
>>> https://lists.debian.org/debian-security-announce/2024/msg00057.html
>>> <https://lists.debian.org/debian-security-announce/2024/msg00057.html>
>>>
>>> [2]: https://www.openwall.com/lists/oss-security/2024/03/29/4
>>> <https://www.openwall.com/lists/oss-security/2024/03/29/4>
>>>
>>>
>>> I'm afraid that's all I know. Just a heads-up.
>
> Wow. That's an awful story.
>
> The exploit seems to specifically target Linux systems only ("[...] it
> is likely the backdoor can only work on glibc based systems.").
>
>> In [1] they mention reverting to 5.4.5 to fix it. It's not 100% clear
>> from that whether 5.4.6 is affected, but it sounds like it's not. Since
>> MacPorts is currently at 5.4.6, the port is probably OK as long as it
>> doesn't do any overzealous upgrading.
>
> The xz port was updated to 5.6.1 just two days ago:
> https://github.com/macports/macports-ports/commit/784e59f99e51adbadc663b1b689d66363adf193a
>
> Based on the current information, the risk seems low for macOS systems.
> Should we still be cautious and revert to version 5.4.6 and bump the
> epoch to force a downgrade for everyone? Or do we expect a new upstream
> release soon to sort this out?
>
> Rainer
>
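The two mechanisms the thread relies on, spotting an installed xz from the compromised release line and forcing a downgrade by bumping the port epoch, as an added POSIX sh illustration that is not part of this thread or of MacPorts itself. The version banner format ("xz (XZ Utils) X.Y.Z") and the epoch rule (higher epoch wins outright, version only breaks ties) are assumptions made here; the real comparison lives in the port tool and is not reproduced. Only the two releases the thread names, 5.6.0 and 5.6.1, are flagged.

```shell
#!/bin/sh
# Added illustration (not MacPorts code). Assumptions: numeric dotted versions,
# an "xz (XZ Utils) X.Y.Z" banner, and epoch-before-version ordering.

# Compare two dotted version strings field by field; prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$a" = "$ah" ] && a="" || a="${a#*.}"
        [ "$b" = "$bh" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"          # missing trailing field counts as 0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (0) when (epoch1, ver1) outranks (epoch2, ver2): a higher epoch wins
# regardless of version, which is what "bump the epoch" relies on.
port_prefers() {
    e1="$1"; v1="$2"; e2="$3"; v2="$4"
    if [ "$e1" -gt "$e2" ]; then return 0; fi
    if [ "$e1" -lt "$e2" ]; then return 1; fi
    if [ "$(vercmp "$v1" "$v2")" -gt 0 ]; then return 0; fi
    return 1
}

# True (0) for the two releases the thread names as compromised.
xz_is_compromised() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version from the first line of `xz --version` output.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample banner so this runs offline without a real xz binary.
banner="xz (XZ Utils) 5.6.1"
v=$(xz_version_from_banner "$banner")
if xz_is_compromised "$v"; then
    echo "installed xz $v is one of the compromised releases"
fi

# The revert the thread proposes: 5.4.6 at epoch 1 outranks 5.6.1 at epoch 0,
# so every user is moved back even though 5.4.6 < 5.6.1 as a version.
if port_prefers 1 5.4.6 0 5.6.1; then
    echo "epoch bump forces the downgrade to 5.4.6"
fi
```

Without the epoch, `port_prefers 0 5.4.6 0 5.6.1` is false, which is why simply reverting the Portfile to 5.4.6 would leave existing 5.6.1 installs in place.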