undefined | Better HN

0 pointstreffer2y ago0 comments

Ubuntu still ships 5.4.5 on 24.03 (atm).

I did a quick diff of the source (.orig file from packages.ubuntu.com) and the content mostly matched the 5.4.5 github tag except for Changelog and some translation files. It does match the tarball content, though.

So for 5.4.5 the tagged release and download on github differ.

It does change format strings, e.g.

   +#: src/xz/args.c:735
   +#, fuzzy
   +#| msgid "%s: With --format=raw, --suffix=.SUF is required unless writing to stdout"
   +msgid "With --format=raw, --suffix=.SUF is required unless writing to stdout"
   +msgstr "%s: amb --format=raw, --suffix=.SUF és necessari si no s'escriu a la sortida estàndard"

There is no second argument to that printf for example. I think there is at least a format string injection in the older tarballs.

[Edit] formatting

0 comments

mort962y ago

FYI, your formatting is broken. Hacker News doesn't support backtick code blocks, you have to indent code.

Anyway, so... the xz project has been compromised for a long time, at least since 5.4.5. I see that this JiaT75 guy has been the primary guy in charge of at least the GitHub releases for years. Should we view all releases after he got involved as probably compromised?

1 more reply

jwilk2y ago

"#, fuzzy" means the translation is out-of-date and it will be discarded at compile time.

1 more reply

chasil2y ago

RHEL9 is shipping 5.2.5; RHEL8 is on 5.2.4.

fransje262y ago

Thanks for the heads up.

j / k navigate · click thread line to collapse