Open ChanTsune opened 3 months ago
Will liblzma-sys 0.2.x reject system's liblzma from xz 5.6.0?
According to the build script, it checks that the version is 5.4.4 or greater.
Thanks for your questions @eduardosm.
As you say, even in 0.2.x, if xz is installed on the system, it may be used. Even in 0.2.x, you need to enable the `static` feature to avoid using the system's xz. I will correct this to avoid any misunderstanding.
Announcement
CVE-2024-3094 reported for upstream xz
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
https://www.openwall.com/lists/oss-security/2024/03/29/4
This project has versions (liblzma-sys 0.3.0 and 0.3.1) that depend on xz 5.6.0 and 5.6.1, but we have confirmed that they do not use a tarball containing the backdoor and are not directly affected.
However, if xz 5.6.0 or 5.6.1 is already installed on the system, the crate may be linked against that already installed xz. In this case, you can avoid using the xz installed on your system and build from sources that do not contain malicious code by enabling the `static` feature of liblzma-sys (this build process does not use the upstream build scripts; it is this project's own secure build method). If you are concerned, avoid using the versions (0.3.x, 0.3.1) that depend on xz 5.6.0 and 5.6.1 and use liblzma-sys 0.2.x instead. liblzma-sys 0.2.x depends on xz 5.4.x, which predates the affected versions.
Even in 0.2.x, if xz is installed on the system, it may be used. Even in 0.2.x, you need to enable the `static` feature to avoid using the system's xz.
Related issue: #95. Thank you for the report @amousset.
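The practical question in this thread is whether a build picked up a system liblzma, and whether that liblzma is one of the two backdoored releases. The following script is an added example, not code from the liblzma-sys project: it classifies an installed xz version against the two criteria discussed above (the build script's 5.4.4 floor, and the CVE-2024-3094 releases 5.6.0 and 5.6.1), and checks whether a built binary is dynamically linked to `liblzma.so`, which is what enabling the `static` feature is meant to avoid. The `xz --version` and `ldd` outputs embedded below are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the liblzma-sys project). Helpers to answer:
#   1. Is the system xz/liblzma one of the backdoored releases (5.6.0, 5.6.1)?
#   2. Would it pass the crate's ">= 5.4.4" version floor and therefore be linked?
#   3. Does a built binary actually depend on the system liblzma.so?

# Turn a dotted version such as "5.6.1" into a zero-padded integer key
# (5006001) so two versions can be compared with the shell's -ge.
version_key() (
    IFS=.
    set -- $1
    printf '%d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}"
)

# True (exit 0) when version $1 is greater than or equal to version $2.
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# True when $1 is one of the two upstream releases covered by CVE-2024-3094.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of the first line of `xz --version` output
# (last whitespace-separated token on that line, e.g. "xz (XZ Utils) 5.6.1").
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\)$/\1/p'
}

# Print one of: affected | accepted | too-old
#   affected: backdoored release; it also satisfies the floor, so it WOULD be linked
#   accepted: passes the >= 5.4.4 floor checked by the crate's build script
#   too-old:  below the floor, rejected by the build script's version check
classify_version() {
    if is_affected_version "$1"; then
        echo affected
    elif version_ge "$1" 5.4.4; then
        echo accepted
    else
        echo too-old
    fi
}

# True when the given `ldd` output shows a dynamic dependency on liblzma.
# A binary built with the `static` feature should not list it.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# --- constructed sample inputs (not real command output) ---
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_DYNAMIC='	linux-vdso.so.1 (0x00007ffd00000000)
	liblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007f0000000000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000100000)'
SAMPLE_LDD_STATIC='	linux-vdso.so.1 (0x00007ffd00000000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000100000)'

# Demo run over the constructed samples. On a real host you would instead pass
# "$(xz --version)" and "$(ldd target/release/<your-binary>)".
sys_ver=$(xz_version_from_output "$SAMPLE_XZ_OUTPUT")
echo "system xz $sys_ver: $(classify_version "$sys_ver")"
if ldd_links_liblzma "$SAMPLE_LDD_DYNAMIC"; then
    echo "sample binary A: dynamically linked to system liblzma"
fi
if ! ldd_links_liblzma "$SAMPLE_LDD_STATIC"; then
    echo "sample binary B: no liblzma.so dependency (consistent with the static feature)"
fi
```

The key observation the script makes concrete is that 5.6.0 and 5.6.1 comfortably satisfy the 5.4.4 floor, so the version check alone does not protect a build; only opting out of the system library (here, the crate's `static` feature, e.g. `features = ["static"]` on the liblzma-sys dependency in Cargo.toml) or downgrading to a 0.2.x crate that predates those releases does. The `ldd` check is the after-the-fact confirmation that the opt-out took effect.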