On Fri, Mar 29, 2024 at 02:40:48PM -0500, Michael Catanzaro wrote: > On Fri, Mar 29 2024 at 06:46:59 PM +00:00:00, Christopher Klooz > <py0xc3@xxxxxxxxxx> wrote: > >Yes, F40 beta is affected, along with rawhide, but not F38/F39. > > Unless I'm misunderstanding something, it looks xz-5.6.0-1.fc40 and > 5.6.0-2.fc40 are backdoored, yes? Then rjones unknowingly broke the > backdoor in two different ways in 5.6.0-3.fc40, (a) by adding the > --disable-ifunc configure flag [1], Yes. > and also (b) by running > everything through autoreconf to regenerate the malicious autogoo > files [2]. Sadly this on its own was not sufficient. You also have to delete m4/build-to-host.m4 first. But (a) was sufficient to prevent the backdoor on its own. > So F40 stable was never affected, but F40 updates-testing > looks like it really was backdoored for about one week, between > February 27 [3] and March 4 [4]. > > Hey Richard, if you agree with my quick assessment, then we should > ask secalert@xxxxxxxxxx to update the warning article [5]. (I also > don't like the confusing references to "Fedora 41" in that article, > since Fedora 41 does not yet exist as something separate from > rawhide.) secalert are already well aware and have approved the update. Kevin Fenzi, myself and others were working on it late last night :-( Rich. > [1] https://src.fedoraproject.org/rpms/xz/c/c837ae96c716c6d63da2b4a016e9034ade2a01f7?branch=f40 > [2] https://src.fedoraproject.org/rpms/xz/c/d2408dde878851ca6350297a738a72496a9558c4?branch=f40 > [3] https://bodhi.fedoraproject.org/updates/FEDORA-2024-a7fba89402 > [4] https://bodhi.fedoraproject.org/updates/FEDORA-2024-f5033032b8 > [5] https://access.redhat.com/security/cve/CVE-2024-3094 > -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
