On Fri, Mar 29, 2024 at 7:42 PM Dima Pasechnik <dimp...@gmail.com> wrote:
>
> On Fri, Mar 29, 2024 at 7:39 PM Matthias Koeppe
> <matthiaskoe...@gmail.com> wrote:
> >
> > Workaround with the Sage distribution: "./configure 
> > --without-system-liblzma --without-system-xz"
> > (Our xz package dates back from before the attackers were born;)
> >
> > Incidentally, the cryptographic protection of the Sage distribution is 
> > wildly insufficient.
> > I've opened https://github.com/sagemath/sage/issues/37691 for this -- any 
> > takers?
>
> I'd switch to sha256.
> And require PGP-signed commits, etc.
>
> well, I can't even comment on that issue :-)

By the way, the essential part of the xz backdoor was sneaked in as a
modified copy of a gnulib m4 macros file.
As this is "the" way to use gnulib - just vendor what they provide in
your source code - one may wonder again
about the virtues of vendoring a lot of code.
Potentially, any tarfile we host may contain an exploit.

As well as anything produced on CI, VM, or real hosts running a
compromised OS (the latest unstable versions of Debian and Fedora were
compromised with this xz hack; Homebrew was, as well). So this is
something to review urgently, too.

Dima
>
>
> >
> >
> > On Friday, March 29, 2024 at 12:18:24 PM UTC-7 Dima Pasechnik wrote:
> >>
> >> https://www.openwall.com/lists/oss-security/2024/03/29/4
> >>
> >> if you have xz 5.6.0 or 5.6.1 installed (e.g. Debian testing/unstable)
> >> you have a backdoored xz.
> >
> > --
> > You received this message because you are subscribed to the Google Groups 
> > "sage-devel" group.
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to sage-devel+unsubscr...@googlegroups.com.
> > To view this discussion on the web visit 
> > https://groups.google.com/d/msgid/sage-devel/d75e7cc9-9743-4c20-b502-431d400dc5f2n%40googlegroups.com.

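The two concrete points raised above (pin tarballs to sha256 rather than weaker checksums, and treat vendored gnulib m4 files as something that can drift from upstream) are the kind of thing a small script in the distribution's own tooling can check. Below is an added example illustrating both; it is not code from the thread or from the Sage repository. It assumes only that `sha256sum` or `shasum` is on PATH; the directory layout (`vendored/` next to an `upstream/` checkout) and the m4 contents are a constructed fixture for demonstration, and the `verify_tarball` / `find_drifted_m4` names are hypothetical. It checks integrity only; it does not replace signature verification of commits or tarballs.

```shell
#!/bin/sh
# Added example: pinned-sha256 tarball check plus drift detection for
# vendored gnulib m4 files. Not from the sage-devel thread or the Sage tree.

# Portable sha256 of a file (GNU coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_tarball FILE EXPECTED_SHA256
# Returns 0 only if the file's sha256 matches the pinned value. The pin
# belongs in the repository, next to the package, not in the tarball.
verify_tarball() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# find_drifted_m4 VENDORED_DIR UPSTREAM_DIR
# Prints one line per vendored *.m4 that either has no upstream counterpart
# or whose bytes differ from upstream. Silent output means nothing drifted.
# (The xz case was a modified copy of an upstream macro file; a byte-for-byte
# comparison against a trusted upstream checkout is the minimal check.)
find_drifted_m4() {
  vendored=$1
  upstream=$2
  for f in "$vendored"/*.m4; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    if [ ! -f "$upstream/$name" ]; then
      echo "MISSING-UPSTREAM $name"
    elif [ "$(sha256_of "$f")" != "$(sha256_of "$upstream/$name")" ]; then
      echo "DRIFTED $name"
    fi
  done
}

# Constructed fixture (hypothetical layout): a.m4 is identical to upstream,
# b.m4 carries an extra injected macro, c.m4 does not exist upstream at all.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/upstream" "$dir/vendored"
  printf 'AC_DEFUN([gl_A], [true])\n' > "$dir/upstream/a.m4"
  cp "$dir/upstream/a.m4" "$dir/vendored/a.m4"
  printf 'AC_DEFUN([gl_B], [true])\n' > "$dir/upstream/b.m4"
  printf 'AC_DEFUN([gl_B], [true])\nAC_DEFUN([gl_X], [eval $injected])\n' \
    > "$dir/vendored/b.m4"
  printf 'AC_DEFUN([gl_C], [true])\n' > "$dir/vendored/c.m4"
  echo "$dir"
}

# Stand-alone demo when run directly.
if [ "${DEMO:-0}" = "1" ]; then
  d=$(make_fixture)
  printf 'hello\n' > "$d/pkg.tar"
  verify_tarball "$d/pkg.tar" \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
    && echo "tarball OK" || echo "tarball MISMATCH"
  find_drifted_m4 "$d/vendored" "$d/upstream"
fi
```

Run with `DEMO=1 sh check.sh` to see the fixture report `DRIFTED b.m4` and `MISSING-UPSTREAM c.m4` while `a.m4` passes. In a real tree the upstream directory would be a checkout of gnulib at the commit the package claims to vendor, so that "differs from upstream" is a reviewable event rather than a guess.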