
xz updates

Is the current xz package now secure? I find I can't easily remove xz without breaking most of my most used packages, like the gimp.

Code:
[ruben]:~$ sudo pacman -R xz
[sudo] password for ruben:
checking dependencies...
error: failed to prepare transaction (could not satisfy dependencies)
:: removing xz breaks dependency 'xz' required by base
:: removing xz breaks dependency 'xz' required by bind
:: removing xz breaks dependency 'xz' required by botan2
:: removing xz breaks dependency 'xz' required by ffmpeg
:: removing xz breaks dependency 'xz' required by ffmpeg4.4
:: removing xz breaks dependency 'xz' required by file
:: removing xz breaks dependency 'xz' required by gimp
:: removing xz breaks dependency 'xz' required by grub
:: removing xz breaks dependency 'xz' required by imagemagick
:: removing xz breaks dependency 'xz' required by imlib2
:: removing xz breaks dependency 'xz' required by karchive
:: removing xz breaks dependency 'xz' required by kexec-tools
:: removing xz breaks dependency 'xz' required by kmod
:: removing xz breaks dependency 'xz' required by libarchive
:: removing xz breaks dependency 'xz' required by libelf
:: removing xz breaks dependency 'liblzma.so=5-64' required by libelf
:: removing xz breaks dependency 'xz' required by libtiff
:: removing xz breaks dependency 'xz' required by libunwind
:: removing xz breaks dependency 'xz' required by libxml2
:: removing xz breaks dependency 'xz' required by libxmlb
:: removing xz breaks dependency 'xz' required by libxslt
:: removing xz breaks dependency 'xz' required by raptor
:: removing xz breaks dependency 'xz' required by zstd
flatbush:[ruben]:~$

Re: xz updates

Reply #1
What are we at, three xz threads now? The backdoor never made it into Artix. If that's your concern you can rest easy.

Re: xz updates

Reply #2
Thanks.

Maybe a forum pinned announcement is worth posting?

 

Re: xz updates

Reply #4
http://linuxmafia.com/pipermail/conspire/2024-April/012752.html

I am sort of confused as to why systemd needs ssh for journaling application.  I can see why it would need xz if it wants to compress something, but why rebuild ssh with external xz?  Doesn't unix have its own internal sockets any longer for IPC?


Re: xz updates

Reply #5
Quote:
I am sort of confused as to why systemd needs ssh for journaling application.  I can see why it would need xz if it wants to compress something, but why rebuild ssh with external xz?  Doesn't unix have its own internal sockets any longer for IPC?

We should be able to ask this question to the sponsors of systemd.

Re: xz updates

Reply #6
Quote:
http://linuxmafia.com/pipermail/conspire/2024-April/012752.html
I am sort of confused as to why systemd needs ssh for journaling application.  I can see why it would need xz if it wants to compress something, but why rebuild ssh with external xz?  Doesn't unix have its own internal sockets any longer for IPC?

I read somewhere that xz was used for compressing the journal.

Re: xz updates

Reply #7
It's prime time in our news section of the main site.

FWIW, I would mirror those news bullets on the front page to the top of the forum.  I imagine I am not the only person who never reads that page and comes straight to the forum.

That being said, xz is a core library and I am puzzled about a couple of things. Why does this affect only sssd? Is that because the binary was ONLY EMBEDDED into sshd on GitHub for the Debian binary?

Secondly, at its core, this was a social hack. This could have happened to nearly any library, especially older libs like this that have been part of the core for decades. There is no glamour in their maintenance. To my understanding, this should trigger a complete audit for the core GNU/Linux ecosystem. The likelihood that this is the sole exploit is slim.