dividebysandwich
commented
6 months ago Just to clearly state what @agiUnderground found: this PR attempts to introduce a version of xz/liblzma that has been backdoored.
Closed Larhzu closed 2 months ago
dividebysandwich
commented
6 months ago Just to clearly state what @agiUnderground found: this PR attempts to introduce a version of xz/liblzma that has been backdoored.
plougher
commented
6 months ago @dividebysandwich I'm following the discussion. At the moment to be safe I consider anything relating to the backdoored versions suspect and blocked.
plougher
commented
6 months ago @dividebysandwich Also to be 100% safe I have reverted a PR from XZ Utils from November last year, commit 0becdf326a129e22a537ba1a54bc8a1f4e62292c
evrial
commented
6 months ago I guess that's not 100% safe as long as xz project isn't audited and you use xz wrapper
adrien-n
commented
6 months ago Well, it's not trying to introduce the affected versions but it uses APIs from it which might still be an incentive to use it.
But also, note that @Larhzu's github account is suspended so an answer is unlikely in the short term. I don't think the API will be available in an actually released version soon however.
GrandNewbien
commented
6 months ago @dividebysandwich Also to be 100% safe I have reverted a PR from XZ Utils from November last year, commit 0becdf3
People are wary of using things from the past two year. You might need to go even further back to find something that isn't malicious.
plougher
commented
6 months ago @dividebysandwich Also to be 100% safe I have reverted a PR from XZ Utils from November last year, commit 0becdf3
People are wary of using things from the past two year. You might need to go even further back to find something that isn't malicious.
I mentioned in the commit checks went back to 2010.
"Due to the on-going issues with the XZ Utils backdooring, to be 100% on the safe-side I am reverting all PRs from that project.
This is the only PR since I wrote the original code in 2010".
Larhzu
commented
2 months ago I learned about the ARM64 filter revert only two weeks ago. I understand it as little information was available at the end of March 2024.
I hope to finally get ARM64 and RISC-V filters into Linux 6.11. I would like to know if support for these filters can be added to Squashfs-tools.
Thanks!
plougher
commented
2 months ago I'm keen to get things back to normal after what happened. So I have no objection to (re-)adding support for these filters. Do you want to raise new pull requests for both?
Larhzu
commented
2 months ago I can do a new PR for XZ updates in a few days. Thanks!
This requires liblzma >= 5.6.0. The LZMA2 options are set with the assumption that the RISC-V C extension is in use.
I have submitted the RISC-V filter to Linux. It's in the -mm mm-nonmm-unstable branch at the moment.
The ARM64 filter is there too, that is, it didn't get into Linux 6.7 or 6.8. I failed to ensure that it would get included. Sorry.
(Not about this PR but it could be good if the default LZMA2 options could be changed for the old filters too: ARM, PowerPC, and SPARC would use the same as ARM64, and ARM-Thumb the same as RISC-V. IA-64 would need pb=4,lp=4,lc=0 but the IA-64 filter was disabled in Linux 6.7, possibly by accident, when support for the IA-64 arch was removed.)