MSYS2-packages
malicious xz version
The xz version (5.6.1) being used at xz/PKGBUILD contains a backdoor: https://www.openwall.com/lists/oss-security/2024/03/29/4
I think it should be reverted to (5.4.6) like it was previously: https://github.com/msys2/MSYS2-packages/blob/d7c37ffdadd8513f84a16b1565a5f9df75e37af2/xz/PKGBUILD
Upstream issue https://github.com/tukaani-project/xz/issues/92
I went with what Arch Linux did for now (https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad), and went with the git checkout: #4475
btw, the last pacman was built against 5.4.5-1 (relevant since it statically links everything)
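A quick local check that follows from the two points above (the backdoored 5.6.1 release in the PKGBUILD and the question of which liblzma a build was linked against). This is an added example for readers of the thread, not code from the issue, from MSYS2 or from the xz project; the sample `xz --version` output is constructed inline, the "affected" list is the two releases named in the oss-security post (5.6.0 and 5.6.1), the 5.4.6 pin is the revert target proposed above, and `sort -V` is assumed to be GNU/BusyBox `sort` with version-sort support.

```shell
#!/bin/sh
# Constructed sample of what `xz --version` prints on a box carrying the
# backdoored release; liblzma is the component that matters, since the
# payload lives in the library that sshd ends up loading via libsystemd.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Pull the liblzma version (second line) out of `xz --version` output passed as $1.
xz_version_from_output() {
    printf '%s\n' "$1" | awk '/^liblzma/ { print $2; exit }'
}

# True (exit 0) when the version is one of the two releases known to ship the backdoor.
xz_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# True when $1 >= $2 by version ordering; used to compare against a pinned revert target.
xz_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Classify a version against both the affected list and a pin ($2, default 5.4.6).
# Prints one of: affected, below-pin, ok.
xz_classify() {
    pin="${2:-5.4.6}"
    if xz_affected "$1"; then
        echo affected
    elif ! xz_at_least "$1" "$pin"; then
        echo below-pin
    else
        echo ok
    fi
}

# Stand-alone use: `sh xzcheck.sh --live` inspects the xz on PATH, otherwise the sample.
if [ "${1:-}" = "--live" ] && command -v xz >/dev/null 2>&1; then
    v=$(xz_version_from_output "$(xz --version)")
else
    v=$(xz_version_from_output "$SAMPLE_OUTPUT")
fi
echo "liblzma $v: $(xz_classify "$v")"
```

Note that this only inspects the dynamically installed `xz`; a statically linked pacman, as mentioned above, carries its own copy of liblzma and has to be judged by the version it was built against, not by what `xz --version` reports.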
https://github.com/tukaani-project/xz
It seems to me that the xz repo was blocked by GitHub.
Would it be possible to use Debian repository https://salsa.debian.org/debian/xz-utils ? I am not sure if it includes some changes specific to Debian.
It looks like gentoo went back to 5.4.2, which was the last release signed by the other developer. But there is also some discussion whether they should revert all the way back to a 5.2 release that contains no commits by that developer. (https://bugs.gentoo.org/928134) Of course, not having the repo available to look at makes it rather harder to do that analysis. Have to use something like that debian fork. They do at least have "upstream" tags published, so you can get versions without the debian patches from there if necessary.
@jeremyd2019 you could browse the repo in https://git.tukaani.org/?p=xz.git
Is that domain to be trusted?
From https://tukaani.org/xz-backdoor/
> Only I have had access to the main tukaani.org website, git.tukaani.org repositories, and related files.
I don't know - at this point I think it's still kind of an open question of who or what to trust 😱.
Please revert to 5.2 or at least 5.4 as soon as possible
Homebrew reverted to 5.4.6.
ArchLinux moved to tukaani-dot-org git repository https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/blob/main/PKGBUILD?ref_type=heads
AlpineLinux moved to GitHub generated tarball https://git.alpinelinux.org/aports/tree/main/xz/APKBUILD
The website https://tukaani.org/xz-backdoor/ is a brief account of what is happening with the GitHub repo. A lot of the tech websites, including Wired, have written articles on this. The hack wasn't the work of one author; it was done by an APT based in Russia. Some of the commit dates did not have the timezone UTC+8 of the Singapore VPN they used. Feb 7 2022 is the first date this JiaT75 submitted a patch to the XZ Utils repo. The domain is controlled by the original author; his name is Lasse Collin. The next major version will likely be 5.8.
He has got a big job to repatch to fix the real bugs starting from the commit on 12 July 2022.
> it was done by an APT based in Russia.
Any proof of that? That contributor started his work in Oct 2021 (before the war).
I don't think this is the right place for speculation. Please try to keep things on topic: xz things relating to the MSYS2 package.
I think the issue should be closed. MSYS2 has packaged xz from git, which doesn't contain the backdoor. It could be reopened if anything is discovered.