
Confirmation of package safety regarding recent xz vulnerability #8161

Open
erisu opened this issue Mar 31, 2024 · 2 comments

Comments

erisu commented Mar 31, 2024

Sorry in advance if this is not the best location to bring up this question and concern. I've noticed that the community isn't very active on Zulip, and there doesn't seem to be a discussion page on GitHub.

With the recent security vulnerability involving the xz backdoor (liblzma, xz, or libarchive), could you confirm if there are any concerns related to this package?

I attempted to dig into this package and its dependencies to assess any potential issues but couldn't conclusively confirm.

I observed that it utilizes the 7zip-bin package, which bundles the 7zip and p7zip binaries, although it seems to be two years old. Perhaps this isn't an issue?

Additionally, I noticed that app-builder-bin is used to build various packages, and I see the xz compression flag being set. However, I presume it relies on the version of xz installed on the user's system.

From what I could gather, we neither download, bundle, nor utilize a package that includes the liblzma, xz, or libarchive binaries for any specific version of the binaries.

If you could provide any additional information or confirm that there are no concerns, that would be greatly appreciated.

@erisu erisu changed the title Confirmation of package safty regarding to recent xy vulnerability Confirmation of package safty regarding to recent xz vulnerability Mar 31, 2024
mmaietta (Collaborator) commented Apr 3, 2024

Ah, great callout! This is certainly a great topic to bring up 🙂

Re: the discussion page, I found it impossible for me to monitor, as I wasn't receiving proper notifications for it and community members weren't actively contributing to it, so I deactivated it to consolidate in Issues, as was being used previously.

Re: 7zip-bin, I don't manage that project so I'm not familiar with how the binaries were provided/committed. When was the xz backdoor introduced? The last commits on the 7zip-bin project are 2+ years old as you mentioned, so I'd like to correlate timestamps with that first.

For app-builder-bin, I'm also not too positive as I'm not familiar with the implementation, so I would encourage opening a GH Issue on that repo and link back here. We can ping the owner of the repo to do a thorough investigation of that. From what I gather, it does use the xz installed on the system, but worth pinging the owner anyhow to double check.

erisu (Author) commented Apr 7, 2024

> Re: 7zip-bin, I don't manage that project so I'm not familiar with how the binaries were provided/committed. When was the xz backdoor introduced? The last commits on the 7zip-bin project are 2+ years old as you mentioned, so I'd like to correlate timestamps with that first.

From what I read, the compromised xz packages were version 5.6.0, released on 2024-02-24, and version 5.6.1, released on 2024-03-09.

> For app-builder-bin, I'm also not too positive as I'm not familiar with the implementation, so I would encourage opening a GH Issue on that repo and link back here.

I created a ticket here: develar/app-builder#115
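Since the thread concludes that the build relies on whatever xz is installed on the user's system, the practical check for a user is to confirm that the local xz is not one of the two releases named above. The script below is an added example and is not part of this issue thread or of the project's code; it takes the affected versions (5.6.0 and 5.6.1) from the comment above and assumes that the first line of `xz --version` output has the form `xz (XZ Utils) <version>`. The sample output embedded at the end is constructed so the parsing can be exercised without xz installed.

```bash
#!/usr/bin/env bash
# Added example, not from the issue thread: classify an xz/liblzma version
# against the releases the thread names as compromised, and check the
# xz binary on PATH if one is present.

# Versions reported as compromised in the comment above.
AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"

# Read `xz --version` output on stdin and print only the version number,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the first line
# does not match the assumed format.
parse_xz_version() {
  head -n 1 | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 (true) when the given version string is one of the
# compromised releases, 1 otherwise.
xz_is_affected() {
  local v
  for v in $AFFECTED_XZ_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Inspect the xz on PATH. Returns 0 if it is not a compromised release,
# 1 if it is, and 2 if xz is missing or its version could not be parsed.
check_local_xz() {
  command -v xz >/dev/null 2>&1 || { echo "xz not found on PATH"; return 2; }
  local ver
  ver=$(xz --version 2>/dev/null | parse_xz_version)
  [ -n "$ver" ] || { echo "could not parse xz --version output"; return 2; }
  if xz_is_affected "$ver"; then
    echo "xz $ver is a compromised release"
    return 1
  fi
  echo "xz $ver is not one of the compromised releases"
  return 0
}

# Constructed sample of `xz --version` output, for running the parser offline.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
```

Run `check_local_xz` after sourcing the file to get a verdict for the machine doing the build; a return code of 2 means the check was inconclusive rather than clean, so treat it as something to follow up (for example by querying the package manager for the installed liblzma version), not as a pass.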
