jaeger changed the topic of #crux-devel to: CRUX (https://crux.nu/) development channel | Logs: https://libera.irclog.whitequark.org/crux-devel/
<tilman> is anyone looking into the xz thing yet? https://www.openwall.com/lists/oss-security/2024/03/29/4
<tilman> looks to me like the xz tarball that crux uses is affected
<tilman> fwiw, i looked at https://git.crux.nu/ports/core/commit/560c9ffc2b837b1c513ff09d47a911f8c97202be and into the tarball that it references
<jaeger> I have read about it a bit and I don't think we're affected since we don't link with systemd/xz/lzma... but I could be wrong
<tilman> only builds done where debian/rules exists or where RPM_ARCH is set to x86_64 or something seem to be affected. let me find the link that claims so
<jaeger> Yeah, saw that as well in the original mail to oss-security
<tilman> ah right
<tilman> i was in panic mode and missed it first
<jaeger> understandable, it's pretty nasty
<tilman> this guy claims that older release tarballs have been altered
<jaeger> yeah, I was just wondering if it would be any safer to downgrade to 5.4.x
<tilman> https://github.com/google/oss-fuzz/pull/11587 i think you might want to change crux's build recipe to avoid that ifunc optimization
<jaeger> I saw claims that the malicious party has access to the signing keys for any tarballs so probably not
<tilman> wrong link, sorry
<tilman> this ifunc feature seems to be an optimization that speeds up calls into crc via function pointers, but it might lead to vulnerable code(?)
<jaeger> I'm not 100% sure we could trust older tarballs since they're hosted at the same place... but I don't find the bad-3-corrupt_lzma2.xz archive in them either
<jaeger> So maybe disabling ifunc and downgrading to 5.4.x would be a good idea for the short term?
<jaeger> Looks like 5.4.x doesn't have the ifunc switch anyway