undefined | Better HN

0 pointsMacha2y ago0 comments

5.6.1-2 is not an attempted fix, it's just some tweaks to Arch's own build script to improve reproducibility. Arch's build script ultimately delegates to the compromised build script unfortunately, but it also appears the payload itself is specifically targeting deb/RPM based distros, so a narrow miss for Arch here.

(EDIT: as others have pointed out, part of the exploit is in the artifact from libxz, which Arch is now avoiding by switching to building from a git checkout)

0 comments

gpm2y ago

Are you sure about that? The diff moves away from using the compromised tarballs to the not-compromised (by this) git source. The comment message says it's about reproducibility, but especially combined with the timing it looks to me like that was just to avoid breaking an embargo.

tutfbhuf2y ago

So, you suggest that Frederik Schwan had prior knowledge of the security issues but hid the real purpose of the commit under "improve reproducibility"?

gpm2y ago

Yes.

I've never had to do it myself but I believe that's common practice with embargos on security vulnerabilities.

jethro_tell2y ago

And, If you break the embargo too many times then you just find out with the rest of us and that's not a great way to run a distro. I believe openbsd is or was in that position around the time of the intel speculative execution bugs.

bombcar2y ago

It can lead to amusing cases where the intentional vuln comes in "to improve x" and the quiet fix comes in "to improve x".

Starlevel0042y ago

xz was masked in the Gentoo repositories earlier today with the stated reason of "Investigating serious bug". No mention of security. It's pretty likely.

donio2y ago

5.6.1 is masked specifically.

Also, https://mastodon.social/@mgorny@treehouse.systems/1121802382... from a Gentoo dev mentions that Gentoo doesn't use the patch that results in sshd getting linked against liblzma.

As far as I know this is not an official communication channel so don't take it as such.

NekkoDroid2y ago

This is very likely the case. Arch maintainers do get early information on CVEs just like any other major distro.

But with pacman/makepkg 6.1 (which recently released) git sources can also now be check summed IIRC which is a funny coincidence.

j / k navigate · click thread line to collapse

0 comments

gpm2y ago

tutfbhuf2y ago

So, you suggest that Frederik Schwan had prior knowledge of the security issues but hid the real purpose of the commit under "improve reproducibility"?

gpm2y ago

Yes.

I've never had to do it myself but I believe that's common practice with embargos on security vulnerabilities.

jethro_tell2y ago

bombcar2y ago

It can lead to amusing cases where the intentional vuln comes in "to improve x" and the quiet fix comes in "to improve x".

Starlevel0042y ago

xz was masked in the Gentoo repositories earlier today with the stated reason of "Investigating serious bug". No mention of security. It's pretty likely.

donio2y ago

5.6.1 is masked specifically.

Also, https://mastodon.social/@mgorny@treehouse.systems/1121802382... from a Gentoo dev mentions that Gentoo doesn't use the patch that results in sshd getting linked against liblzma.

As far as I know this is not an official communication channel so don't take it as such.

NekkoDroid2y ago

This is very likely the case. Arch maintainers do get early information on CVEs just like any other major distro.

But with pacman/makepkg 6.1 (which recently released) git sources can also now be check summed IIRC which is a funny coincidence.

j / k navigate · click thread line to collapse