I have prepared a git repository that is a fork of xz from the point I identified before the attacker(s) did anything to it. In my fork, I have renamed liblzma to liblzmaunscathed. That allows it to be installed alongside current dpkg without breaking dpkg with an old version of liblzma.
My git repository is here (note all my commits are gpg signed): https://git.joeyh.name/index.cgi/xz-unscathed/ It also has a debian branch which contains a debian directory. I've built packages of that, as well as building dpkg-1.22.6 against it. I've attached the patch I used to build dpkg. My build of dpkg ended up not being linked to a lzma library at all, because liblzmaunscathed is too old to support concurrent decompression, which the configure script detects. So dpkg-deb instead uses xz-utils to decompress debs. I replaced xz-utils.deb with the one built from my fork, and dpkg seems to work fine using it. If Debian decided to go this route, you could add xz-utils-unscathed to unstable, and at the same time update xz-utils to not build xz-utils.deb. Then build dpkg against it. Then look into forward porting or re-implementing concurrent decompression if that is really important to have. I only plan to maintain this fork minimally, eg backporting security fixes. The goal is not to take over from xz upstream, but to get the possibly backdoored code off of production systems ASAP. Presumably xz upstream will come up with their own solution long-term. -- see shy jo
diff -ur orig/dpkg-1.22.6/Makefile.in dpkg-1.22.6/Makefile.in
--- orig/dpkg-1.22.6/Makefile.in 2024-03-10 15:21:24.000000000 -0400
+++ dpkg-1.22.6/Makefile.in 2024-03-30 13:28:12.823685407 -0400
@@ -344,7 +344,7 @@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-LZMA_LIBS = @LZMA_LIBS@
+LZMAUNSCATHED_LIBS = @LZMAUNSCATHED_LIBS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MD_LIBS = @MD_LIBS@
diff -ur orig/dpkg-1.22.6/config.h.in dpkg-1.22.6/config.h.in
--- orig/dpkg-1.22.6/config.h.in 2024-03-10 15:21:24.000000000 -0400
+++ dpkg-1.22.6/config.h.in 2024-03-30 13:28:12.563685572 -0400
@@ -511,8 +511,8 @@
/* Define to 1 to use bz2 library rather than console tool */
#undef WITH_LIBBZ2
-/* Define to 1 to use lzma library rather than console tool */
-#undef WITH_LIBLZMA
+/* Define to 1 to use lzmaunscathed library rather than console tool */
+#undef WITH_LIBLZMAUNSCATHED
/* Define to 1 to compile in SELinux support */
#undef WITH_LIBSELINUX
diff -ur orig/dpkg-1.22.6/configure.ac dpkg-1.22.6/configure.ac
--- orig/dpkg-1.22.6/configure.ac 2024-03-02 21:30:15.000000000 -0400
+++ dpkg-1.22.6/configure.ac 2024-03-30 13:15:26.981883607 -0400
@@ -113,7 +113,7 @@
DPKG_LIB_MD
DPKG_LIB_Z
DPKG_LIB_BZ2
-DPKG_LIB_LZMA
+DPKG_LIB_LZMAUNSCATHED
DPKG_LIB_ZSTD
DPKG_LIB_SELINUX
AS_IF([test "x$build_dselect" = "xyes"], [
@@ -336,7 +336,7 @@
libselinux . . . . . . . . . : $have_libselinux
libmd . . . . . . . . . . . . : $have_libmd
libz . . . . . . . . . . . . : $have_libz_impl
- liblzma . . . . . . . . . . . : $have_liblzma
+ liblzmaunscathed . . . . . . .: $have_liblzmaunscathed
libzstd . . . . . . . . . . . : $have_libzstd
libbz2 . . . . . . . . . . . : $have_libbz2
libcurses . . . . . . . . . . : ${have_libcurses:-no}
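Review bot: The replacement summary row drops the space between the dot leader and the colon (`. . . . . . .:`) while every neighbouring row in the hunk is written as `. . . : $var`, so the configure summary prints one misaligned line. Keep the row in the same shape as the others, e.g. `  liblzmaunscathed . . . . . . : $have_liblzmaunscathed`.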
diff -ur orig/dpkg-1.22.6/debian/control dpkg-1.22.6/debian/control
--- orig/dpkg-1.22.6/debian/control 2024-03-02 21:30:15.000000000 -0400
+++ dpkg-1.22.6/debian/control 2024-03-30 13:14:37.746223895 -0400
@@ -20,7 +20,7 @@
zlib1g-dev,
libbz2-dev,
# Version needed for multi-threaded decompressor support.
- liblzma-dev (>= 5.4.0),
+ liblzmaunscathed-dev,
# Version needed for the new streaming API.
libzstd-dev (>= 1.4.0),
libselinux1-dev [linux-any],
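Review bot: The comment `# Version needed for multi-threaded decompressor support.` directly above the new `liblzmaunscathed-dev` entry is now stale: the version constraint it explained is gone, and the cover text says the fork predates the multi-threaded decoder. Either drop the comment or replace it with one that describes the new dependency, e.g. `# Pre-compromise liblzma fork; lacks the multi-threaded decoder.` The same stale comment survives above `liblzmaunscathed-dev` in the hunk at -89 and above the relaxed `xz-utils` entries in the hunks at -28, -113 and -165.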
@@ -28,7 +28,7 @@
# Needed for the functional test.
bzip2 <!nocheck>,
# Version needed for multi-threaded decompressor support.
- xz-utils (>= 5.4.0) <!nocheck>,
+ xz-utils <!nocheck>,
# Needed for the functional test.
zstd <!nocheck>,
# Needed for the author release process.
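Review bot: Relaxing `xz-utils (>= 5.4.0) <!nocheck>` to a bare `xz-utils <!nocheck>` lets the build, and through the matching Depends changes in the hunks at -113 and -165 the installed dpkg, be satisfied by the unmodified xz-utils from the archive, even though the cover text says dpkg-deb now shells out to xz and relies on the fork's build of it. If the fork is shipped under its own name (the cover text proposes xz-utils-unscathed), depend on that name or on a relationship the fork declares via `Provides:`, so that the stock binary cannot satisfy the dependency; a plain unversioned `xz-utils` expresses no preference between the two.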
@@ -89,7 +89,7 @@
libmd-dev,
zlib1g-dev,
# Version needed for multi-threaded decompressor support.
- liblzma-dev (>= 5.4.0),
+ liblzmaunscathed-dev,
# Version needed for the new streaming API.
libzstd-dev (>= 1.4.0),
libbz2-dev,
@@ -113,7 +113,7 @@
tar (>= 1.28-1),
bzip2,
# Version needed for multi-threaded decompressor support.
- xz-utils (>= 5.4.0),
+ xz-utils,
# Version needed for git-style diff support.
patch (>= 2.7),
make,
@@ -165,7 +165,7 @@
liblocale-gettext-perl,
bzip2,
# Version needed for multi-threaded decompressor support.
- xz-utils (>= 5.4.0),
+ xz-utils,
Suggests:
debian-keyring,
gnupg | sq | sqop | pgpainless-cli | sequoia-chameleon-gnupg,
diff -ur orig/dpkg-1.22.6/debian/libdpkg-dev.install dpkg-1.22.6/debian/libdpkg-dev.install
--- orig/dpkg-1.22.6/debian/libdpkg-dev.install 2024-02-04 22:31:16.000000000 -0400
+++ dpkg-1.22.6/debian/libdpkg-dev.install 2024-03-30 13:25:27.043840706 -0400
@@ -1,4 +1,5 @@
usr/include/dpkg/*.h
-usr/lib/*/pkgconfig/libdpkg.pc
-usr/lib/*/libdpkg.a
+usr/lib/pkgconfig/libdpkg.pc
+usr/lib/libdpkg.a
usr/share/aclocal/dpkg-*.m4
+usr/lib/libdpkg.la
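Review bot: The switch from `usr/lib/*/libdpkg.a` and `usr/lib/*/pkgconfig/libdpkg.pc` to non-multiarch `usr/lib/` paths, plus the added `usr/lib/libdpkg.la`, is unrelated to the liblzma substitution and looks like fallout from a local build configured without the multiarch libdir. Restore the `usr/lib/*/` globs and drop the `.la` line (Debian packages do not normally ship libtool archives); if the build really installs into a plain `usr/lib`, the configure invocation in debian/rules is the place to fix, not the install list.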
diff -ur orig/dpkg-1.22.6/debian/rules dpkg-1.22.6/debian/rules
--- orig/dpkg-1.22.6/debian/rules 2024-03-02 21:30:15.000000000 -0400
+++ dpkg-1.22.6/debian/rules 2024-03-30 13:22:38.316130018 -0400
@@ -67,7 +67,8 @@
$(D)/usr/share/lintian/profiles/dpkg/main.profile
override_dh_auto_test:
- dh_auto_test -- $(testflags)
+ echo tests disabled for now
+ #dh_auto_test -- $(testflags)
override_dh_installsystemd:
dh_installsystemd -a --name=dpkg-db-backup \
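Review bot: `override_dh_auto_test` now prints `tests disabled for now` and keeps the real recipe as a commented-out line, which bakes a permanently skipped test suite into the package; with the compression backend just moved to an external xz, the functional tests are the only check in this patch that dpkg-deb still reads compressed .deb members correctly. Leave the override as it was and build with `DEB_BUILD_OPTIONS=nocheck` when a run must be skipped, or, if a specific test fails with the fork, skip only that test and name it in a comment. The commented-out `#dh_auto_test -- $(testflags)` line is dead code and should go either way.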
diff -ur orig/dpkg-1.22.6/dselect/Makefile.in dpkg-1.22.6/dselect/Makefile.in
--- orig/dpkg-1.22.6/dselect/Makefile.in 2024-03-10 15:21:24.000000000 -0400
+++ dpkg-1.22.6/dselect/Makefile.in 2024-03-30 13:28:12.851685390 -0400
@@ -366,7 +366,7 @@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-LZMA_LIBS = @LZMA_LIBS@
+LZMAUNSCATHED_LIBS = @LZMAUNSCATHED_LIBS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MD_LIBS = @MD_LIBS@
diff -ur orig/dpkg-1.22.6/dselect/methods/Makefile.in dpkg-1.22.6/dselect/methods/Makefile.in
--- orig/dpkg-1.22.6/dselect/methods/Makefile.in 2024-03-10 15:21:24.000000000 -0400
+++ dpkg-1.22.6/dselect/methods/Makefile.in 2024-03-30 13:28:12.859685385 -0400
@@ -248,7 +248,7 @@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-LZMA_LIBS = @LZMA_LIBS@
+LZMAUNSCATHED_LIBS = @LZMAUNSCATHED_LIBS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MD_LIBS = @MD_LIBS@
Only in dpkg-1.22.6/dselect/po: Makevars.template
diff -ur orig/dpkg-1.22.6/lib/Makefile.in dpkg-1.22.6/lib/Makefile.in
--- orig/dpkg-1.22.6/lib/Makefile.in 2024-03-10 15:21:24.000000000 -0400
+++ dpkg-1.22.6/lib/Makefile.in 2024-03-30 13:28:12.875685375 -0400
@@ -265,7 +265,7 @@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-LZMA_LIBS = @LZMA_LIBS@
+LZMAUNSCATHED_LIBS = @LZMAUNSCATHED_LIBS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MD_LIBS = @MD_LIBS@
diff -ur orig/dpkg-1.22.6/lib/compat/Makefile.in dpkg-1.22.6/lib/compat/Makefile.in
--- orig/dpkg-1.22.6/lib/compat/Makefile.in 2024-03-10 15:21:24.000000000 -0400
+++ dpkg-1.22.6/lib/compat/Makefile.in 2024-03-30 13:28:12.907685355 -0400
@@ -328,7 +328,7 @@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-LZMA_LIBS = @LZMA_LIBS@
+LZMAUNSCATHED_LIBS = @LZMAUNSCATHED_LIBS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MD_LIBS = @MD_LIBS@
diff -ur orig/dpkg-1.22.6/lib/dpkg/Makefile.in dpkg-1.22.6/lib/dpkg/Makefile.in
--- orig/dpkg-1.22.6/lib/dpkg/Makefile.in 2024-03-10 15:21:24.000000000 -0400
+++ dpkg-1.22.6/lib/dpkg/Makefile.in 2024-03-30 13:28:12.947685330 -0400
@@ -633,7 +632,7 @@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-LZMA_LIBS = @LZMA_LIBS@
+LZMAUNSCATHED_LIBS = @LZMAUNSCATHED_LIBS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MD_LIBS = @MD_LIBS@
diff -ur orig/dpkg-1.22.6/m4/dpkg-libs.m4 dpkg-1.22.6/m4/dpkg-libs.m4
--- orig/dpkg-1.22.6/m4/dpkg-libs.m4 2024-02-25 22:11:37.000000000 -0400
+++ dpkg-1.22.6/m4/dpkg-libs.m4 2024-03-30 13:16:24.373532270 -0400
@@ -93,20 +93,20 @@
[Define to the zlib implementation to use])
])# DPKG_LIB_Z
-# DPKG_LIB_LZMA
+# DPKG_LIB_LZMAUNSCATHED
# -------------
-# Check for lzma library.
-AC_DEFUN([DPKG_LIB_LZMA], [
- DPKG_WITH_COMPRESS_LIB([lzma], [lzma.h], [lzma_alone_decoder])
- AC_CHECK_LIB([lzma], [lzma_stream_encoder_mt], [
+# Check for lzmaunscathed library.
+AC_DEFUN([DPKG_LIB_LZMAUNSCATHED], [
+ DPKG_WITH_COMPRESS_LIB([lzmaunscathed], [lzma.h], [lzma_alone_decoder])
+ AC_CHECK_LIB([lzmaunscathed], [lzma_stream_encoder_mt], [
AC_DEFINE([HAVE_LZMA_MT_ENCODER], [1],
[xz multi-threaded compression support])
])
- AC_CHECK_LIB([lzma], [lzma_stream_decoder_mt], [
+ AC_CHECK_LIB([lzmaunscathed], [lzma_stream_decoder_mt], [
AC_DEFINE([HAVE_LZMA_MT_DECODER], [1],
[xz multi-threaded decompression support])
])
-])# DPKG_LIB_LZMA
+])# DPKG_LIB_LZMAUNSCATHED
# DPKG_LIB_ZSTD
# ------------
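Review bot: The renamed macro presumably defines a new config symbol (the config.h.in hunk shows `WITH_LIBLZMAUNSCATHED` replacing `WITH_LIBLZMA`), yet no C source is touched in this patch, so whatever code selected the in-library decoder under `WITH_LIBLZMA` would no longer be compiled in even when the library is found, which matches the cover text's observation that the resulting dpkg is not linked against any lzma library. If in-process decompression with the fork is wanted, the `WITH_LIBLZMA` users and any `$(LZMA_LIBS)` references in the Makefile.am files need the same rename. Note also that config.h.in and the many Makefile.in files patched here are autogenerated and are rewritten by dh_autoreconf, so this m4 change plus configure.ac and a regeneration is where the rename should live, not the generated files. The check still looks for `lzma.h`, which the unmodified liblzma-dev ships under the same name; if both -dev packages can be co-installed it is worth confirming which header the fork's build actually picks up.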
diff -ur orig/dpkg-1.22.6/man/Makefile.in dpkg-1.22.6/man/Makefile.in
--- orig/dpkg-1.22.6/man/Makefile.in 2024-03-10 15:21:24.000000000 -0400
+++ dpkg-1.22.6/man/Makefile.in 2024-03-30 13:28:12.967685317 -0400
@@ -255,7 +255,7 @@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-LZMA_LIBS = @LZMA_LIBS@
+LZMAUNSCATHED_LIBS = @LZMAUNSCATHED_LIBS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MD_LIBS = @MD_LIBS@
diff -ur orig/dpkg-1.22.6/scripts/Makefile.in dpkg-1.22.6/scripts/Makefile.in
--- orig/dpkg-1.22.6/scripts/Makefile.in 2024-03-10 15:21:24.000000000 -0400
+++ dpkg-1.22.6/scripts/Makefile.in 2024-03-30 13:28:12.983685306 -0400
@@ -324,7 +324,7 @@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-LZMA_LIBS = @LZMA_LIBS@
+LZMAUNSCATHED_LIBS = @LZMAUNSCATHED_LIBS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MD_LIBS = @MD_LIBS@
diff -ur orig/dpkg-1.22.6/scripts/mk/Makefile.in dpkg-1.22.6/scripts/mk/Makefile.in
--- orig/dpkg-1.22.6/scripts/mk/Makefile.in 2024-03-10 15:21:24.000000000 -0400
+++ dpkg-1.22.6/scripts/mk/Makefile.in 2024-03-30 13:28:12.999685296 -0400
@@ -245,7 +245,7 @@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-LZMA_LIBS = @LZMA_LIBS@
+LZMAUNSCATHED_LIBS = @LZMAUNSCATHED_LIBS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MD_LIBS = @MD_LIBS@
diff -ur orig/dpkg-1.22.6/src/Makefile.in dpkg-1.22.6/src/Makefile.in
--- orig/dpkg-1.22.6/src/Makefile.in 2024-03-10 15:21:24.000000000 -0400
+++ dpkg-1.22.6/src/Makefile.in 2024-03-30 13:28:13.023685281 -0400
@@ -371,7 +371,7 @@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-LZMA_LIBS = @LZMA_LIBS@
+LZMAUNSCATHED_LIBS = @LZMAUNSCATHED_LIBS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MD_LIBS = @MD_LIBS@
diff -ur orig/dpkg-1.22.6/utils/Makefile.in dpkg-1.22.6/utils/Makefile.in
--- orig/dpkg-1.22.6/utils/Makefile.in 2024-03-10 15:21:24.000000000 -0400
+++ dpkg-1.22.6/utils/Makefile.in 2024-03-30 13:28:13.047685267 -0400
@@ -326,7 +326,7 @@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-LZMA_LIBS = @LZMA_LIBS@
+LZMAUNSCATHED_LIBS = @LZMAUNSCATHED_LIBS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MD_LIBS = @MD_LIBS@
