On 04.04.24 at 21:33, Andrei Borzenkov wrote:

On 04.04.2024 21:47, Ben Greiner wrote:

On 04.04.24 at 18:58, Knurpht-openSUSE wrote:

On Thursday, 4 April 2024 18:50:35 CEST, Fritz Hudnut wrote:

I thought that would be "obvious" . . . the problem . . . and the response to the problem . . . in regards to efficiency, etc.

It only shows that Manjaro did not yet downgrade and is still vulnerable.

It only shows that the Archlinux/Manjaro maintainers are less than knowledgeable about their packages. In spite of not building rpm or debian packages, they claim to have "fixed" the backdoor while going from 5.6.1-1 to 5.6.2-2 [1].

According to the available information, the backdoor was injected by code in the release tarball which was not present in the git. Arch switched from using the release tarball to using git:
https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad

Which made absolutely no difference in the final shared library. The disassembly of liblzma didn't even change between those package versions.

You mean you built both versions and they were identical?

I didn't, but others did and reported back. Which is not surprising, as the analysis of the backdoor revealed the line:

if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27#design

Archlinux xz-5.6.1-1: pkgbuild evaluates the if statement and does not include the backdoor into liblzma
Archlinux xz-5.6.1-2: pkgbuild does not include the backdoor into liblzma

- Ben
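The point Ben makes above is that the quoted condition never held on an Arch build, so switching tarball to git could not change the resulting library. The following added example (not code from the thread or from any of the participants) re-evaluates that same condition for constructed build environments, so a packager can check which of the two tests, a debian/rules file in the source tree or RPM_ARCH set to x86_64, would have applied to their own build. The function names and the scratch directories are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: re-evaluates the build-environment
# condition quoted above for a given source directory and RPM_ARCH value, so a
# packager can see why a build without debian/rules and without RPM_ARCH set
# never took that branch. Function names are assumptions made for this example.

# Returns 0 when the quoted condition is true for this environment, 1 otherwise.
xz_gate_fires() {
    srcdir=$1
    rpm_arch=$2
    if test -f "$srcdir/debian/rules" || test "x$rpm_arch" = "xx86_64"; then
        return 0
    fi
    return 1
}

# Prints a one-word verdict for a scenario, convenient for a build-check log.
gate_verdict() {
    if xz_gate_fires "$1" "$2"; then
        echo "gate-fires"
    else
        echo "gate-skipped"
    fi
}

# Constructed scenarios (not real package trees): a Debian-style tree with
# debian/rules, a bare tree as an Arch PKGBUILD would see it, and the bare
# tree with RPM_ARCH set as an rpmbuild run on x86_64 would set it.
demo_scenarios() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/deb/debian" "$tmp/bare"
    : > "$tmp/deb/debian/rules"
    printf 'debian tree, RPM_ARCH unset:   %s\n' "$(gate_verdict "$tmp/deb" "")"
    printf 'bare tree,   RPM_ARCH unset:   %s\n' "$(gate_verdict "$tmp/bare" "")"
    printf 'bare tree,   RPM_ARCH=x86_64:  %s\n' "$(gate_verdict "$tmp/bare" x86_64)"
    printf 'bare tree,   RPM_ARCH=aarch64: %s\n' "$(gate_verdict "$tmp/bare" aarch64)"
    rm -rf "$tmp"
}

demo_scenarios
```

Only the first and third scenarios report gate-fires; the bare tree with RPM_ARCH unset, which is what an Arch PKGBUILD provides, reports gate-skipped in both package revisions, matching Ben's observation that the disassembly did not change. The useful lesson for a reproducibility check is that comparing binaries across two builds of the same distro only proves the builds are identical, not that the source was clean: the environment itself has to be part of what is compared.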