
Confirmation of package safety regarding the recent xz vulnerability #8161

Closed

erisu opened this issue Mar 31, 2024 · 4 comments

erisu commented Mar 31, 2024

Sorry in advance if this is not the best location to bring up this question and concern. I've noticed that the community isn't very active on Zulip, and there doesn't seem to be a discussion page on GitHub.

With the recent security vulnerability involving the xz backdoor (liblzma, xz, or libarchive), could you confirm if there are any concerns related to this package?

I attempted to dig into this package and its dependencies to assess any potential issues but couldn't conclusively confirm.

I observed that it utilizes the 7zip-bin package, which bundles the 7zip and p7zip binaries, although it seems to be two years old. Perhaps this isn't an issue?

Additionally, I noticed that app-builder-bin is used to build various packages, and I see the xz compression flag being set. However, I presume it relies on the version of xz installed on the user's system.

From what I could gather, we neither download, bundle, nor utilize a package that includes the liblzma, xz, or libarchive binaries for any specific version of the binaries.

If you could provide any additional information or confirm that there are no concerns, that would be greatly appreciated.

@erisu erisu changed the title Confirmation of package safty regarding to recent xy vulnerability Confirmation of package safty regarding to recent xz vulnerability Mar 31, 2024
mmaietta (Collaborator) commented Apr 3, 2024

Ah, great callout! This is certainly a great topic to bring up 🙂

Re: the discussion page, I found it impossible for me to monitor, as I wasn't receiving proper notifications for it and community members weren't actively contributing to it, so I deactivated it to consolidate in Issues, as it was being used previously.

Re: 7zip-bin, I don't manage that project so I'm not familiar with how the binaries were provided/committed. When was the xz backdoor introduced? The last commits on the 7zip-bin project are 2+ years old as you mentioned, so I'd like to correlate timestamps with that first.

For app-builder-bin, I'm also not too positive as I'm not familiar with the implementation, so I would encourage opening a GH Issue on that repo and link back here. We can ping the owner of the repo to do a thorough investigation of that. From what I gather, it does use the xz installed on the system, but worth pinging the owner anyhow to double check.

erisu (Author) commented Apr 7, 2024

> Re: 7zip-bin, I don't manage that project so I'm not familiar with how the binaries were provided/committed. When was the xz backdoor introduced? The last commits on the 7zip-bin project are 2+ years old as you mentioned, so I'd like to correlate timestamps with that first.

From what I read, the compromised xz packages were versions 5.6.0, released on 2024-02-24, and version 5.6.1, released on 2024-03-09.

> For app-builder-bin, I'm also not too positive as I'm not familiar with the implementation, so I would encourage opening a GH Issue on that repo and link back here.

I created a ticket here: develar/app-builder#115
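A small triage helper for the version check erisu describes above (the compromised releases being 5.6.0 and 5.6.1). This is an added example, not code from electron-builder or any of the projects named in the thread; it assumes the two-line `xz --version` output format ("xz (XZ Utils) X.Y.Z" followed by "liblzma X.Y.Z") and is otherwise self-contained.

```python
"""Triage helper: does the xz/liblzma on a build host match one of the
backdoored releases named in the thread (5.6.0 and 5.6.1)?"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Releases the thread identifies as compromised.
AFFECTED_XZ_VERSIONS = {(5, 6, 0), (5, 6, 1)}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first dotted version from a line such as
    'xz (XZ Utils) 5.6.1'. Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def versions_from_xz_output(output: str) -> Dict[str, Tuple[int, int, int]]:
    """Map each component reported by `xz --version` (the xz tool and the
    liblzma library it links) to its parsed version; lines without a
    version are skipped. The output format is assumed, see the lead-in."""
    found = {}
    for line in output.splitlines():
        version = parse_version(line)
        if version is None:
            continue
        name = "liblzma" if line.lower().startswith("liblzma") else "xz"
        found[name] = version
    return found


def affected_components(output: str) -> List[str]:
    """Names of components whose version is a compromised release, sorted."""
    return sorted(name for name, v in versions_from_xz_output(output).items()
                  if v in AFFECTED_XZ_VERSIONS)


def check_local_xz() -> List[str]:
    """Run the system xz and report affected components; [] when xz is
    not installed at all (nothing to flag on this host)."""
    try:
        result = subprocess.run(["xz", "--version"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return []
    return affected_components(result.stdout)


if __name__ == "__main__":
    print(check_local_xz() or "no compromised xz/liblzma version detected")
```

Note that a match only tells you the tool on the host is an affected release; whether a bundled binary such as the ones in 7zip-bin links against liblzma at all has to be checked separately.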

github-actions bot (Contributor) commented Jun 7, 2024

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the Stale label Jun 7, 2024
github-actions bot (Contributor) commented Jul 7, 2024

This issue was closed because it has been stalled for 30 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 7, 2024