xz-5.6.2

[Xi Ruoyao]

​https://www.openwall.com/lists/oss-security/2024/03/29/4

Though the injected malicious code is inactive for LFS (because we're not building RPM or DEB; see the "Affected Systems" section of the oss-security post), the gentleman introduced the code has made many commits to xz and we are not sure how many of them are malicious as well.

[Xi Ruoyao]

The most recent release w/o this gentleman's commit is 5.2.5, but if we revert to 5.2.5 we'll need ​https://xz.tukaani.org/xz-utils/xzgrep-ZDI-CAN-16587.patch.

​https://github.com/tukaani-project/xz/pull/95 suggests at least 9 commits are suspicious.

[Bruce Dubbs]

I didn't check all 9 commits, but at least one commit was only spelling and spacing. The reaction seems to be pretty extreme. How do we know that the user wasn't just hacked and it was someone else that injected the malicious code with those credentials.

There is a lot of activity going on with respect to this. Lets give it 24 hours.

[Xi Ruoyao]

Lasse Collin is back on line and working on it: ​https://tukaani.org/xz-backdoor/

[Xi Ruoyao]

Lasse will release 5.8.0 once everything get audited.

Also reset the priority to normal given LFS is not affected by this backdoor. If some other malicious thing is found we can raise the priority again.

[Xi Ruoyao]

The upstream has changed mind and released 5.6.2 with the backdoor removed.

[Bruce Dubbs]

5.6.2 (2024-05-29)

• Remove the backdoor (CVE-2024-3094).

• Not changed: Memory sanitizer (MSAN) has a false positive in the CRC CLMUL code which also makes OSS Fuzz unhappy. Valgrind is smarter and doesn't complain.

A revision to the CLMUL code is coming anyway and this issue will be cleaned up as part of it. It won't be backported to 5.6.x or 5.4.x because the old code isn't wrong. There is no reason to risk introducing regressions in old branches just to silence a false positive.

• liblzma:

• lzma_index_decoder() and lzma_index_buffer_decode(): Fix a missing output pointer initialization (*i = NULL) if the functions are called with invalid arguments. The API docs say that such an initialization is always done. In practice this matters very little because the problem can only occur if the calling application has a bug and these functions return LZMA_PROG_ERROR.

• lzma_str_to_filters(): Fix a missing output pointer initialization (*error_pos = 0). This is very similar to the fix above.

• Fix C standard conformance with function pointer types.

• Remove GNU indirect function (IFUNC) support. This is *NOT* done for security reasons even though the backdoor relied on this code. The performance benefits of IFUNC are too tiny in this project to make the extra complexity worth it.

• FreeBSD on ARM64: Add error checking to CRC32 instruction support detection.

• Fix building with NVIDIA HPC SDK.

• xz:

• Fix a C standard conformance issue in --block-list parsing (arithmetic on a null pointer).

• Fix a warning from GNU groff when processing the man page: "warning: cannot select font 'CW'"

• xzdec: Add support for Linux Landlock ABI version 4. xz already had the v3-to-v4 change but it had been forgotten from xzdec.

• Autotools-based build system (configure):

• Symbol versioning variant can now be overridden with --enable-symbol-versions. Documentation in INSTALL was updated to match.

• Add new configure option --enable-doxygen to enable generation and installation of the liblzma API documentation using Doxygen. Documentation in INSTALL and PACKAGERS was updated to match.

CMake:

• Fix detection of Linux Landlock support. The detection code in CMakeLists.txt had been sabotaged.

• Disable symbol versioning on non-glibc Linux to match what the Autotools build does. For example, symbol versioning isn't enabled with musl.

• Symbol versioning variant can now be overridden by setting SYMBOL_VERSIONING to "OFF", "generic", or "linux".

• Add support for all tests in typical build configurations. Now the only difference to the tests coverage to Autotools is that CMake-based build will skip more tests if features are disabled. Such builds are only for special cases like embedded systems.

• Separate the CMake code for the tests into tests/tests.cmake. It is used conditionally, thus it is possible to

rm -rf tests

and the CMake-based build will still work normally except that no tests are then available.

• Add a option ENABLE_DOXYGEN to enable generation and installation of the liblzma API documentation using Doxygen.

• Documentation:

• Omit the Doxygen-generated liblzma API documentation from the package. Instead, the generation and installation of the API docs can be enabled with a configure or CMake option if Doxygen is available.

• Remove the XZ logo which was used in the API documentation. The logo has been retired and isn't used by the project anymore. However, it's OK to use it in contexts that refer to the backdoor incident.

• Remove the PDF versions of the man pages from the source package. These existed primarily for users of operating systems which don't come with tools to render man page source files. The plain text versions are still included in doc/man/txt. PDF files can still be generated to doc/man, if the required tools are available, using "make pdf" after running "configure".

• Update home page URLs back to their old locations on tukaani.org.

• Update maintainer info.

• Tests:

• In tests/files/README, explain how to recreate the ARM64 test files.

• Remove two tests that used tiny x86 and SPARC object files as the input files. The matching .c file was included but the object files aren't easy to reproduce. The test cases weren't great anyway; they were from the early days (2009) of the project when the test suite had very few tests.

• Improve a few tests.

[Bruce Dubbs]

Fixed at commit 6acfe2e81f.