alexkay / spek

Acoustic spectrum analyser
http://spek.cc
GNU General Public License v3.0
2.5k stars 255 forks

SEVERE vulnerability found in latest release (Spek 0.8.5) #307

Closed OposDev closed 3 months ago

OposDev commented 3 months ago

Hey there :3 I was attempting to compile Spek v0.8.5 this morning and noticed this.

Recently, there has been a supply chain attack on the liblzma library (Level 10.0 crit) that targets Debian and RHEL distros. This vulnerability does have the ability to affect other distros (Basically any system that has systemd + liblzma + SSH).

Afaik, both premade binaries and source code of Spek 0.8.5 include this dependency (Not sure about any older releases of Spek, haven't checked).

Liblzma is included (By default I think) in x11-libs/wxGTK (And app-arch/xz-utils for Gentoo machines).

More info here: https://www.openwall.com/lists/oss-security/2024/03/29/4 and here https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Other OSS projects are taking similar measures; Example: https://github.com/microsoft/vcpkg/issues/37839

This release, as well as any other Spek release that includes 5.6.0/5.6.1 should be reverted.
For users, it's highly recommended to downgrade xz/liblzma from 5.6.0/5.6.1 until a patch is released :3

P.S. Are labels disabled in this project? I'm unable to add the "bug" label to this lol
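The report above asks users to check whether their installed xz/liblzma is one of the two releases named in the CVE-2024-3094 advisory (5.6.0 and 5.6.1). The following POSIX shell script is an added example, not code from the issue or from the Spek project, showing how a packager or user can make that check mechanically. It assumes the real output format of `xz --version` (first line `xz (XZ Utils) <version>`); the function names and the sample version strings are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not part of this issue or the Spek project): flag an
# installed xz/liblzma whose version is one of the releases named in the
# CVE-2024-3094 advisory linked above. Helper names are hypothetical.

# Return 0 (true) when the given version string is an affected release.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print just the version number from
# its first line, e.g. "xz (XZ Utils) 5.4.5" -> "5.4.5".
parse_xz_version() {
    head -n 1 | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Inspect the xz binary on PATH. Exit status: 0 = affected, 1 = not one of
# the affected releases, 2 = xz not installed.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    v=$(xz --version 2>/dev/null | parse_xz_version)
    if is_affected_xz_version "$v"; then
        echo "xz $v: matches an affected release (5.6.0/5.6.1); downgrade or rebuild"
        return 0
    fi
    echo "xz $v: not one of the affected releases"
    return 1
}

# Run the check against the local system; the `||` keeps a "not affected"
# result from aborting the script when it is run under `set -e`.
check_local_xz || xz_status=$?
```

Note that a project's own prebuilt binaries need a different question answered (which liblzma was linked at build time, and when), which is what the maintainer's reply about the build date addresses; this script only checks the host it runs on.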

alexkay commented 3 months ago

Spek v0.8.5 binaries were built on 2023-02-11, almost a year before the earliest affected liblzma version was released.

OposDev commented 3 months ago

oh, sweet :D guess I reported this to the wrong project; Gentoo flagged this project, along with wxWidgets and xz-utils as something that may be compromised. sorry for the false alarm ^^'