18:13 <tilman> is anyone looking into the xz thing yet? https://www.openwall.com/lists/oss-security/2024/03/29/4

18:13 <tilman> looks to me like the xz tarball that crux uses is affected

18:13 <tilman> fwiw, i looked at https://git.crux.nu/ports/core/commit/560c9ffc2b837b1c513ff09d47a911f8c97202be and into the tarball that it references

18:45 <jaeger> I have read about it a bit and I don't think we're affected since we don't link with systemd/xz/lzma... but I could be wrong

18:47 <tilman> only builds done where debian/rules exists or where RPM_ARCH is set to x86_64 or something seem to be affected. let me find the link that claims so

18:48 <jaeger> Yeah, saw that as well in the original mail to oss-security

18:48 <tilman> ah right

18:48 <tilman> i was in panic mode and missed it first

18:48 <jaeger> understandable, it's pretty nasty

18:48 <tilman> https://news.ycombinator.com/item?id=39866676

18:49 <tilman> this guy claims that older release tarballs have been altered

18:49 <jaeger> yeah, I was just wondering if it would be any safer to downgrade to 5.4.x

18:50 <tilman> https://github.com/google/oss-fuzz/pull/11587 i think you might want to change crux' build recipe to avoid that ifunc optimization

18:50 <jaeger> I saw claims that the malicious party has access to the signing keys for any tarballs so probably not

18:50 <tilman> wrong link, sorry

18:50 <tilman> https://github.com/google/oss-fuzz/pull/10667

18:51 <tilman> this ifunc feature seems to be an optimization that speeds up calls into crc via function pointers, but it might lead to vulnerable code(?)

19:18 <jaeger> I'm not 100% sure we could trust older tarballs since they're hosted at the same place... but I don't find the bad-3-corrupt_lzma2.xz archive in them either

19:18 <jaeger> So maybe disabling ifunc and downgrading to 5.4.x would be a good idea for the short term?

19:19 <jaeger> Looks like 5.4.x doesn't have the ifunc switch anyway