oss-sec mailing list archives
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Loganaden Velvindron <loganaden () gmail com>
Date: Sun, 31 Mar 2024 16:29:01 +0400
A closer look at "Jia Tan" commits shows that he/they disabled the Linux
landlock sandbox. Lasse Collin is doing good work to audit the commits
and I wish Github would reinstate his github account.

commit f9cf4c05edd14dedfe63833f8ccbe41b55823b00 (HEAD -> master, origin/master, origin/HEAD)
Author: Lasse Collin <lasse.collin () tukaani org>
Date:   Sat Mar 30 14:36:28 2024 +0200

    CMake: Fix sabotaged Landlock sandbox check.

    It never enabled it.

After using git blame:

328c52da8 (Jia Tan 2024-02-26 23:02:06 +0800 1004) .

Pulling out git show:

commit 328c52da8a2bbb81307644efdb58db2c422d9ba7
Author: Jia Tan <jiat0218 () gmail com>
Date:   Mon Feb 26 23:02:06 2024 +0800

    Build: Fix Linux Landlock feature test in Autotools and CMake builds.

    The previous Linux Landlock feature test assumed that having the
    linux/landlock.h header file was enough. The new feature tests also
    requires that prctl() and the required Landlock system calls are
    supported.

The code to weaken the sandbox was shipped in the 5.6.1 version.

On Sat, Mar 30, 2024, 19:42 Jeffrey Walton <noloader () gmail com> wrote:
> On Sat, Mar 30, 2024 at 9:38 AM Pierre-Elliott Bécue <peb () debian org> wrote:
>> Bjoern Franke <bjo () schafweide org> wrote on 30/03/2024 at 14:06:38+0100:
>>> On 30.03.24 at 04:50 Loganaden Velvindron wrote:
>>>> Github has suspended the repo: https://github.com/tukaani-project/xz
>>>> I'm wondering what is the next step for the xz project as a whole?
>>>
>>> https://git.tukaani.org/?p=xz.git;a=summary exists and Lasse said on IRC
>>> he thinks he would make a clean 5.6.2 release.
>>>
>>> Regards
>>
>> I honestly would like to extend my sympathy to Lasse. This situation must
>> clearly be a hell for him.
>
> Lasse published a statement at <https://tukaani.org/xz-backdoor/>.
>
> Someone asked what would become of xz as a project. I do hope, in light of
> this event, some people step in to help.
>
> Perhaps Lasse should turn over control of the project to an entity like the
> Linux Foundation. Xz is critical to Linux now, and it needs more oversight
> than Lasse can provide. (Not to impugn Lasse; he seems to be very busy.
> Extra [trusted] helping hands would probably be welcomed).
>
> Jeff