Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-30 Thread Michael Orlitzky
On 2024-03-30 07:08:45, Marc Culler wrote:
> > Potentially, any tarfile we host may contain an exploit.
>
> Potentially, any file may contain an exploit.
>
> This hack specifically targeted ssh. When used by ssh to verify keys, the
> hacked liblzma would validate certain invalid keys, allowing

Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-30 Thread Marc Culler
According to Hacker News:
> openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.

So this hack was not targeting ssh in general, jus

Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-30 Thread Marc Culler
> Potentially, any tarfile we host may contain an exploit.

Potentially, any file may contain an exploit.

This hack specifically targeted ssh. When used by ssh to verify keys, the hacked liblzma would validate certain invalid keys, allowing a "back door" for a particular bad actor to log in to

Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-30 Thread Dima Pasechnik
On Fri, Mar 29, 2024 at 7:42 PM Dima Pasechnik wrote:
>
> On Fri, Mar 29, 2024 at 7:39 PM Matthias Koeppe wrote:
> >
> > Workaround with the Sage distribution: "./configure
> > --without-system-liblzma --without-system-xz"
> > (Our xz package dates back from before the attackers were born;)
>

[sage-devel] Re: xz/liblzma has been compromised

2024-03-29 Thread Dima Pasechnik
and Homebrew. Please upgrade your Homebrew. It should do a downgrade: `brew upgrade` now "upgrades" xz from 5.6.1 -> 5.4.6

On Fri, Mar 29, 2024 at 7:36 PM Dima Pasechnik wrote:
>
> aand Conda: https://anaconda.org/anaconda/xz shows version 5.6.1
>
> On Fri, Mar 29, 2024 at 7:18 PM Dima Pasechnik

Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-29 Thread Dima Pasechnik
On Fri, Mar 29, 2024 at 7:39 PM Matthias Koeppe wrote:
>
> Workaround with the Sage distribution: "./configure --without-system-liblzma
> --without-system-xz"
> (Our xz package dates back from before the attackers were born;)
>
> Incidentally, the cryptographic protection of the Sage distribution

[sage-devel] Re: xz/liblzma has been compromised

2024-03-29 Thread Matthias Koeppe
Workaround with the Sage distribution: "./configure --without-system-liblzma --without-system-xz" (Our xz package dates back from before the attackers were born;) Incidentally, the cryptographic protection of the Sage distribution is wildly insufficient. I've opened https://github.com/sagemath/s

[sage-devel] Re: xz/liblzma has been compromised

2024-03-29 Thread Dima Pasechnik
aand Conda: https://anaconda.org/anaconda/xz shows version 5.6.1

On Fri, Mar 29, 2024 at 7:18 PM Dima Pasechnik wrote:
>
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> if you have xz 5.6.0 or 5.6.1 installed (e.g. Debian testing/unstable)
> you have a backdoored xz.