
[v1,1/4] package/xz: bump version to 5.6.0

Message ID 20240307165218.10027-1-ps.report@gmx.net
State Rejected

Commit Message

Peter Seiderer March 7, 2024, 4:52 p.m. UTC
- bump version to 5.6.0
- change homepage URL to https://xz.tukaani.org/xz-utils/
- add BSD-0-Clause and update license file hash accordingly (see [1], [2],
  and [3])

For details see [4].

[1] https://github.com/tukaani-project/xz/commit/b1ee6cf259bb49ce91abe9f622294524e37edf4c
[2] https://github.com/tukaani-project/xz/commit/689e0228baeb95232430e90d628379db89583d71
[3] https://github.com/tukaani-project/xz/commit/28ce45e38fbed4b5f54f2013e38dab47d22bf699
[4] https://github.com/tukaani-project/xz/blob/master/NEWS

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
 package/xz/Config.in | 2 +-
 package/xz/xz.hash   | 7 ++++---
 package/xz/xz.mk     | 6 +++---
 3 files changed, 8 insertions(+), 7 deletions(-)

Comments

James Hilliard March 29, 2024, 5:21 p.m. UTC | #1
On Thu, Mar 7, 2024 at 9:52 AM Peter Seiderer via buildroot <buildroot@buildroot.org> wrote:

> - bump version to 5.6.0
> - change homepage URL to https://xz.tukaani.org/xz-utils/
> - add BSD-0-Clause and update license file hash accordingly (see [1], [2],
>   and [3])
>
> For details see [4].
>
> [1] https://github.com/tukaani-project/xz/commit/b1ee6cf259bb49ce91abe9f622294524e37edf4c
> [2] https://github.com/tukaani-project/xz/commit/689e0228baeb95232430e90d628379db89583d71
> [3] https://github.com/tukaani-project/xz/commit/28ce45e38fbed4b5f54f2013e38dab47d22bf699
> [4] https://github.com/tukaani-project/xz/blob/master/NEWS
>
> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> ---
>  package/xz/Config.in | 2 +-
>  package/xz/xz.hash   | 7 ++++---
>  package/xz/xz.mk     | 6 +++---
>  3 files changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/package/xz/Config.in b/package/xz/Config.in
> index 687bd55482..7130fa5e8e 100644
> --- a/package/xz/Config.in
> +++ b/package/xz/Config.in
> @@ -12,4 +12,4 @@ config BR2_PACKAGE_XZ
>           invoked via appropriate symlinks will emulate the behavior
>           of the commands in the lzma package.
>
> -         https://tukaani.org/xz/
> +         https://xz.tukaani.org/xz-utils/
> diff --git a/package/xz/xz.hash b/package/xz/xz.hash
> index e8025a8065..71c2c65a3e 100644
> --- a/package/xz/xz.hash
> +++ b/package/xz/xz.hash
> @@ -1,9 +1,10 @@
>  # Locally calculated after checking pgp signature
> -#
> https://github.com/tukaani-project/xz/releases/download/v5.4.6/xz-5.4.6.tar.bz2.sig
> -sha256
> <https://github.com/tukaani-project/xz/releases/download/v5.4.6/xz-5.4.6.tar.bz2.sig-sha256>
> 913851b274e8e1d31781ec949f1c23e8dbcf0ecf6e73a2436dc21769dd3e6f49
> xz-5.4.6.tar.bz2
> +#
> https://github.com/tukaani-project/xz/releases/download/v5.6.0/xz-5.6.0.tar.bz2.sig
> +sha256
> <https://github.com/tukaani-project/xz/releases/download/v5.6.0/xz-5.6.0.tar.bz2.sig+sha256>
> 88c8631cefba91664fdc47b14bb753e1876f4964a07db650821d203992b1e1ea
> xz-5.6.0.tar.bz2
>
>  # Hash for license files
> -sha256  29a1e305b2e34eefe5d4602d00cde1d528b71c5d9f2eec5106972cf6ddb6f73f
> COPYING
> +sha256  0864e508475f20b43a2393957fdb5a966558099ffa8fed1e3e73fe2b3eebb145
> COPYING
> +sha256  0b01625d853911cd0e2e088dcfb743261034a091bb379246cb25a14cc4c74bf1
> COPYING.0BSD
>  sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643
> COPYING.GPLv2
>  sha256  3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986
> COPYING.GPLv3
>  sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551
> COPYING.LGPLv2.1
> diff --git a/package/xz/xz.mk b/package/xz/xz.mk
> index 40fa59ca7c..e35fbc0268 100644
> --- a/package/xz/xz.mk
> +++ b/package/xz/xz.mk
> @@ -4,13 +4,13 @@
>  #
>
>  ################################################################################
>
> -XZ_VERSION = 5.4.6
> +XZ_VERSION = 5.6.0
>

Is this version backdoored?
https://www.openwall.com/lists/oss-security/2024/03/29/4


>  XZ_SOURCE = xz-$(XZ_VERSION).tar.bz2
>  XZ_SITE =
> https://github.com/tukaani-project/xz/releases/download/v$(XZ_VERSION)
>  XZ_INSTALL_STAGING = YES
>  XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
> -XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
> -XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
> +XZ_LICENSE = Public Domain, BSD-0-Clause, GPL-2.0+, GPL-3.0+, LGPL-2.1+
> +XZ_LICENSE_FILES = COPYING COPYING.0BSD COPYING.GPLv2 COPYING.GPLv3
> COPYING.LGPLv2.1
>  XZ_CPE_ID_VENDOR = tukaani
>
>  ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
> --
> 2.44.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
>
Yann E. MORIN March 29, 2024, 7:54 p.m. UTC | #2
James, all,

On 2024-03-29 11:21 -0600, James Hilliard spake thusly:
[--SNIP--]
>     -XZ_VERSION = 5.4.6
>     +XZ_VERSION = 5.6.0
> Is this version backdoored?
> https://www.openwall.com/lists/oss-security/2024/03/29/4

Wahoo. Just, wahoo... thanks for pointing this out, I've marked the
series rejected.

I've been reading on this story, and it is just, well, I don't have
words. I'm stomached.

Thanks a lot for pointing this out.

Regards,
Yann E. MORIN.
Thomas Petazzoni March 31, 2024, 7:26 a.m. UTC | #3
Hello,

On Fri, 29 Mar 2024 20:54:07 +0100
"Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> On 2024-03-29 11:21 -0600, James Hilliard spake thusly:
> [--SNIP--]
> >     -XZ_VERSION = 5.4.6
> >     +XZ_VERSION = 5.6.0
> > Is this version backdoored?
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
> Wahoo. Just, wahoo... thanks for pointing this out, I've marked the
> series rejected.
> 
> I've been reading on this story, and it is just, well, I don't have
> words. I'm stomached.

The story is indeed crazy. For once, the fact that we are somewhat slow
at merging patches ensured this didn't get applied before the backdoor
was discovered :-)

Thomas
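The xz.hash file in this series records "Locally calculated after checking pgp signature" and then one sha256 line per file. As an added example (not Buildroot's own support/download/check-hash script and not code from this thread), the Python below parses that format and verifies a directory against it; demo() builds a constructed sample with one intact file, one file altered after its hash was recorded, and one file that is absent. The thread's lesson applies to this check as much as to the signature step: a matching hash only ties the download to what the submitter hashed, and says nothing about whether the upstream release itself is trustworthy, which is exactly what failed for 5.6.0.

```python
"""Verify files against a Buildroot-style .hash file (added example, not Buildroot code)."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Buildroot .hash format, as seen in package/xz/xz.hash:
#   <algo>  <hexdigest>  <filename>
# Lines starting with '#' are comments (Buildroot uses them to record how the
# hash was obtained, e.g. "Locally calculated after checking pgp signature").


def parse_hash_file(text):
    """Return a list of (algo, digest, filename) tuples; raise on malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<algo> <digest> <file>', got {raw!r}")
        algo, digest, name = parts
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"line {lineno}: unsupported hash algorithm {algo!r}")
        entries.append((algo, digest.lower(), name))
    return entries


def digest_file(path, algo):
    """Stream the file through hashlib so a large tarball is not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(hash_text, directory):
    """Map each filename listed in hash_text to 'ok', 'mismatch' or 'missing'."""
    results = {}
    for algo, expected, name in parse_hash_file(hash_text):
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        actual = digest_file(path, algo)
        # Constant-time compare is cheap and avoids a habit of == on secrets elsewhere.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def demo():
    """Constructed sample: one intact file, one altered after hashing, one absent."""
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d) / "xz-5.4.6.tar.bz2"  # placeholder bytes, not the real tarball
        tarball.write_bytes(b"constructed sample tarball contents\n")
        copying = Path(d) / "COPYING"
        copying.write_bytes(b"constructed license text\n")

        hash_text = (
            "# Locally calculated after checking pgp signature\n"
            f"sha256  {digest_file(tarball, 'sha256')}  xz-5.4.6.tar.bz2\n"
            "\n"
            "# Hash for license files\n"
            f"sha256  {digest_file(copying, 'sha256')}  COPYING\n"
            f"sha256  {'0' * 64}  COPYING.0BSD\n"
        )
        # Tamper with COPYING after its hash was recorded; COPYING.0BSD is never created.
        copying.write_bytes(b"constructed license text\n-- altered --\n")
        return verify(hash_text, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

Run stand-alone it reports the tarball as ok, COPYING as mismatch and COPYING.0BSD as missing. A real workflow would run verify() over the downloaded tarball and the license files extracted from it, and treat any result other than "ok" for every listed file as a hard failure; what it cannot do is decide whether the hashed upstream release should have been trusted in the first place.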

Patch

diff --git a/package/xz/Config.in b/package/xz/Config.in
index 687bd55482..7130fa5e8e 100644
--- a/package/xz/Config.in
+++ b/package/xz/Config.in
@@ -12,4 +12,4 @@  config BR2_PACKAGE_XZ
 	  invoked via appropriate symlinks will emulate the behavior
 	  of the commands in the lzma package.
 
-	  https://tukaani.org/xz/
+	  https://xz.tukaani.org/xz-utils/
diff --git a/package/xz/xz.hash b/package/xz/xz.hash
index e8025a8065..71c2c65a3e 100644
--- a/package/xz/xz.hash
+++ b/package/xz/xz.hash
@@ -1,9 +1,10 @@ 
 # Locally calculated after checking pgp signature
-# https://github.com/tukaani-project/xz/releases/download/v5.4.6/xz-5.4.6.tar.bz2.sig
-sha256  913851b274e8e1d31781ec949f1c23e8dbcf0ecf6e73a2436dc21769dd3e6f49  xz-5.4.6.tar.bz2
+# https://github.com/tukaani-project/xz/releases/download/v5.6.0/xz-5.6.0.tar.bz2.sig
+sha256  88c8631cefba91664fdc47b14bb753e1876f4964a07db650821d203992b1e1ea  xz-5.6.0.tar.bz2
 
 # Hash for license files
-sha256  29a1e305b2e34eefe5d4602d00cde1d528b71c5d9f2eec5106972cf6ddb6f73f  COPYING
+sha256  0864e508475f20b43a2393957fdb5a966558099ffa8fed1e3e73fe2b3eebb145  COPYING
+sha256  0b01625d853911cd0e2e088dcfb743261034a091bb379246cb25a14cc4c74bf1  COPYING.0BSD
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING.GPLv2
 sha256  3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986  COPYING.GPLv3
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LGPLv2.1
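Review bot: the only provenance behind the new xz-5.6.0.tar.bz2 sha256 (88c8631c...) is the first-line comment "Locally calculated after checking pgp signature", and a valid signature attests to who signed the tarball, not to what it contains; 5.6.0 is the release James questions in reply #1 via the oss-security post, and the series was rejected on that basis, so this hash line must not go in and the 5.4.6 line should stay. The license-file hashes for COPYING and the new COPYING.0BSD are tied to that same 5.6.0 tarball and fall with it.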
diff --git a/package/xz/xz.mk b/package/xz/xz.mk
index 40fa59ca7c..e35fbc0268 100644
--- a/package/xz/xz.mk
+++ b/package/xz/xz.mk
@@ -4,13 +4,13 @@ 
 #
 ################################################################################
 
-XZ_VERSION = 5.4.6
+XZ_VERSION = 5.6.0
 XZ_SOURCE = xz-$(XZ_VERSION).tar.bz2
 XZ_SITE = https://github.com/tukaani-project/xz/releases/download/v$(XZ_VERSION)
 XZ_INSTALL_STAGING = YES
 XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
-XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
-XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
+XZ_LICENSE = Public Domain, BSD-0-Clause, GPL-2.0+, GPL-3.0+, LGPL-2.1+
+XZ_LICENSE_FILES = COPYING COPYING.0BSD COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
 XZ_CPE_ID_VENDOR = tukaani
 
 ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
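Review bot: the XZ_VERSION = 5.6.0 line is the change that led to this series being marked Rejected (see reply #1 and the linked oss-security post), so this hunk must not be applied and 5.4.6 should stay. Separately, on the XZ_LICENSE line, "BSD-0-Clause" is not the SPDX short identifier for the Zero-Clause BSD license; it is "0BSD", which also matches the COPYING.0BSD file name added on the XZ_LICENSE_FILES line. If a later, clean bump carries the license change forward, it should read: XZ_LICENSE = Public Domain, 0BSD, GPL-2.0+, GPL-3.0+, LGPL-2.1+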