From: Jeffrey Walton
Reply-To: noloader@gmail.com
Date: Sat, 30 Mar 2024 20:48:53 -0400
Subject: Re: XZ force downgrade led to removal of many packages
To: Stuart Longland VK4MSL
Cc: Ralf Mardorf, ~alpine/users@lists.alpinelinux.org
In-Reply-To: <9c66ab07-c48f-4735-a213-ac4935ba3f2e@vk4msl.com>
References: <1c614505-92f2-42b4-ba46-b227777e0d5b@lodispoto.com> <974c079f-8e90-495c-a9f8-c266eb458f09@vk4msl.com> <9950f380892dea7134b69901f5ee5f7c9283ca47.camel@riseup.net> <9c66ab07-c48f-4735-a213-ac4935ba3f2e@vk4msl.com>

On Sat, Mar 30, 2024 at 5:26 PM Stuart Longland VK4MSL wrote:
>
> On 30/3/24 20:39, Ralf Mardorf wrote:
> > security through naivety is new to me.
> >
> > For example, Arch uses systemd by default, but does not link openssh
> > directly to liblzma. Arch uses neither RPM nor DEB. From a naive
> > point of view, Arch is not affected either.
> >
> > "However, out of an abundance of caution, we advise users to remove
> > the malicious code from their system by upgrading either way. This
> > is because other yet-to-be discovered methods to exploit the backdoor
> > could exist." -
> > https://lists.archlinux.org/archives/list/arch-announce@lists.archlinux.org/thread/MX363534MGK44R5UIYPK4GABKHF76TYC/
>
> If possible.
> Now, if you're running 3.19, according to
> pkgs.alpinelinux.org, the latest release of xz is 5.4.5:
>
> https://pkgs.alpinelinux.org/packages?name=xz*&branch=v3.19&repo=&arch=&maintainer=

Jia Tan started contributing to xz circa the development version 5.3.
To get untainted code, you have to go back to version 5.2. But rolling
back to version 5.2 means ABI and symbol breaks.

If you don't want to go back to 5.2, then it means you have to audit
over 700 commits in xz. Also see .

Maybe worth mentioning... Jia Tan also compromised libarchive. See .

> Meaning, the vulnerable version *should not be present*.
>
> The only way a vulnerable version could be there would be if someone
> installed it from `edge`: the *unstable* distribution. It comes with
> this warning:
>
> > Warning: edge is under constant development so be careful using it in
> > production. It is possible that bugs in edge could cause data loss or
> > could break your system.
> -- https://wiki.alpinelinux.org/wiki/Repositories#Edge
>
> I'd imagine that those "bugs" can include security vulnerabilities.
> Especially those from upstream releases, which is what we have here.
> This isn't the fault of the AlpineLinux developers: few of us have the
> resources to manually inspect every release of every package for such
> vulnerabilities. I've been there: I used to do it on the Mozilla and
> MIPS teams for Gentoo.
>
> So it would seem for the OP, the options are:
>
> 1. roll back to release 3.19, which does not include the vulnerability
> 2. hold tight until a fixed release can trickle down from upstream

Jeff
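As an added example (not part of Jeff's or Stuart's messages, and not Alpine tooling), the following POSIX shell script turns the version boundaries the thread gives into a check an administrator can run on a host: 5.2.x as the last series before the contributions Jeff describes, and 5.4.5 as the newest xz on the 3.19 branch per Stuart. Anything newer than 5.4.5 cannot have come from 3.19's repositories, which is the "installed from edge" case. The three class names, the Alpine version format `5.4.5-r0` (upstream version plus `-rN`), and the `apk list -I` output shape are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: classify an xz/liblzma version
# against the boundaries the messages above give. Assumptions (mine):
#  - Alpine package versions look like "5.4.5-r0"; the "-rN" release
#    suffix is stripped before comparing.
#  - 5.2.x is the last series before Jia Tan's contributions (per Jeff),
#    and 5.4.5 is the newest xz on the 3.19 branch (per Stuart).
#  - `apk list -I <pkg>` prints "<pkg>-<version> <arch> ..." per line.

LAST_PRE_CONTRIBUTOR_SERIES="5.2"   # figure stated in the thread
NEWEST_ON_319="5.4.5"               # figure stated in the thread

# vercmp A B: compare dotted numeric versions, printing -1, 0 or 1.
# Missing components count as 0, so "5.2" < "5.2.5" and "5.4" == "5.4.0".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# classify_xz VERSION: prints one of untainted | audit | beyond-3.19
classify_xz() {
    v=${1%%-*}                                    # drop Alpine "-rN" suffix
    series=$(printf '%s\n' "$v" | cut -d. -f1,2)  # "5.4.5" -> "5.4"
    if [ "$(vercmp "$series" "$LAST_PRE_CONTRIBUTOR_SERIES")" -le 0 ]; then
        echo untainted    # predates the contributions the thread describes
    elif [ "$(vercmp "$v" "$NEWEST_ON_319")" -le 0 ]; then
        echo audit        # within what 3.19 ships, but carries post-5.3 commits
    else
        echo beyond-3.19  # newer than the 3.19 branch: not from 3.19 main
    fi
}

# check_installed: run classify_xz over the xz packages apk reports.
check_installed() {
    if ! command -v apk >/dev/null 2>&1; then
        echo "apk not found; run: $0 <version>" >&2
        return 2
    fi
    for pkg in xz xz-libs; do
        apk list -I "$pkg" 2>/dev/null | while read -r namever _; do
            ver=${namever#"$pkg"-}
            echo "$pkg $ver: $(classify_xz "$ver")"
        done
    done
}

# Usage: sh xz_check.sh --installed   (query apk on an Alpine host)
#        sh xz_check.sh 5.4.5-r0      (classify a given version string)
case "${1:-}" in
    "") ;;
    --installed) check_installed ;;
    *) echo "$1: $(classify_xz "$1")" ;;
esac
```

The `audit` class is deliberately not a verdict: it marks the range the thread says is inside 3.19 but still post-5.3, which is exactly the set of commits Jeff says would have to be reviewed. `beyond-3.19` is the actionable case, since it matches the rollback option Stuart lists.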