<jfqd1> jperkin: xz was compromised: openwall.com/lists/oss-security/2024/03/29/4, v5.6.0 is in trunk :-(
<jfqd1> xz was downgraded to 5.4.6: pkgsrc.se/archivers/xz
<danmcd> jfqd1: jperkin is aware, and there's a Mastodon toot about it (and SmartOS):
<danmcd>
<jfqd1> danmcd: didn't see the toot, will take a look now, thx for pointing it out!
<bahamat> jfqd1: Only trunk is affected, and builds are in progress for the downgrades (some are already done and published)
<jfqd1> bahamat: yeah, saw the one for i386, waiting for x86_64
<bahamat> Yeah, that one should be soon, I think. The Mac ones take much longer, unfortunately.
<andyf> In OmniOS, we are initially taking the same path as Arch and using the GitHub-generated archive and generating all of the autoconf files ourselves. The problem is that there is no obvious "safe" downgrade target, as they have all been released and signed by the same person back as far as 5.4.3
<andyf> We are not vulnerable anyway (and the binaries from this new process match the old, which confirms that) since we fail all of the checks that the exploit performs - not debian/rpm, not linux, not GNU ld etc.
* andyf not vulnerable to /this/ explicit exploit, it's possible there are more..
<jbk> i've seen (it's on the internet, so it must be true :P) that the same person might have also contributed to other projects as well...
<jbk> so I guess we'll find out if there's anything else impacted
<andyf> The pkgsrc decision is interesting - if downgrading, I think the only version I'd pick is 5.4.2
<jfqd1> jbk: and it seems that this person put effort into getting it widely deployed: news.ycombinator.com/item?id=39866275
<jfqd1> v5.4.3 seems to be the latest release not signed by this person.
<jfqd1> s/latest/last/
<andyf> 5.4.3 was signed by this person - github.com/tukaani-project/xz/releases/tag/v5.4.3
<jfqd1> andyf: yes, you are right!
<jesse_> did you track the history to see that the 5.4.3 signer did not pull from the suspicious stuff? (rhetorical)