Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

Bug #2059417 reported by Jia Tan
32
This bug affects 2 people
Affects Status Importance Assigned to Milestone
xz-utils (Ubuntu)
Won't Fix
Undecided
Unassigned

Bug Description

NOTE: THIS IS AN ATTEMPT AT INCLUDING A BACKDOOR. THIS IS LEFT FOR HISTORICAL PURPOSES ONLY AND MUST NOT BE DONE.

Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1
was recently released and uploaded to Debian as a bugfix only release.
Notably, this fixes a bug that causes Valgrind to issue a warning on
any application dynamically linked with liblzma. This includes a lot of
important applications. This could break build scripts and test
pipelines that expect specific output from Valgrind in order to pass.

Additionally, this fixes a small typo for the man pages translations
for Brazilian Portuguese, German, French, Korean, Romanian, and
Ukrainian, and removes the need for patches applied for version
5.6.0-0.2.

The other bugfixes in this release have no impact on Ubuntu. They
involve building with CMake or when building on a system without
Landlock system calls defined (these are defined in Ubuntu).

Changelog entries since current noble version 5.6.0-0.2:

xz-utils (5.6.1-1) unstable; urgency=medium

  * Non-maintainer upload.
  * Import 5.6.1 (Closes: #1067708).
  * Takeover maintenance of the package.

 -- Sebastian Andrzej Siewior <email address hidden> Wed, 27 Mar 2024 22:53:21 +0100

Excerpt from the NEWS entry from upstream:

5.6.1 (2024-03-09)

    * liblzma: Fixed two bugs relating to GNU indirect function (IFUNC)
      with GCC. The more serious bug caused a program linked with
      liblzma to crash on start up if the flag -fprofile-generate was
      used to build liblzma. The second bug caused liblzma to falsely
      report an invalid write to Valgrind when loading liblzma.

    * xz: Changed the messages for thread reduction due to memory
      constraints to only appear under the highest verbosity level.

    * Build:

        - Fixed a build issue when the header file <linux/landlock.h>
          was present on the system but the Landlock system calls were
          not defined in <sys/syscall.h>.

        - The CMake build now warns and disables NLS if both gettext
          tools and pre-created .gmo files are missing. Previously,
          this caused the CMake build to fail.

    * Minor improvements to man pages.

    * Minor improvements to tests.

Jia Tan (jiatan)
description: updated
Revision history for this message
Shengjing Zhu (zhsj) wrote :

It's reverted in Debian https://tracker.debian.org/news/1515519/accepted-xz-utils-561really545-1-source-into-unstable/

Though from the changelog I didn't see the reason.

Revision history for this message
Alex Murray (alexmurray) wrote :

Given this has been reverted in Debian, it should not be synced into Ubuntu.

Changed in xz-utils (Ubuntu):
status: New → Won't Fix
Revision history for this message
Adrien Nader (adrien-n) wrote :

I'll dive deeper into this. The timing collides with the t64 transition so that makes me curious. Moreover, Debian reverted to 5.4.5 so the situation where we're on 5.6.0 doesn't match Debian either.

Revision history for this message
Daniel Richard G. (skunk) wrote :

Important context from https://lists.debian.org/debian-security-announce/2024/msg00057.html :

  Andres Freund discovered that the upstream source tarballs for xz-utils,
  the XZ-format compression utilities, are compromised and inject
  malicious code, at build time, into the resulting liblzma5 library.

  Right now no Debian stable versions are known to be affected.
  Compromised packages were part of the Debian testing, unstable and
  experimental distributions, with versions ranging from 5.5.1alpha-0.1
  (uploaded on 2024-02-01), up to and including 5.6.1-1. The package has
  been reverted to use the upstream 5.4.5 code, which we have versioned
  5.6.1+really5.4.5-1.

Revision history for this message
Wei Tsui (ghostplant) wrote (last edit ):

https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html saying 5.6.0 and 5.6.1 are backdoored.

However, the current version from Ubuntu repo is "5.6.1+really5.4.5-1" for noble, is it secure?

Revision history for this message
Thorsten Glaser (mirabilos) wrote :

It’s 5.4.5, so “no, but it does not contain the known backdoor”. Both Debian and Ubuntu are currently analysing what needs to be done.

Adrien Nader (adrien-n)
description: updated
Revision history for this message
Markus Klyver (markusklyver) wrote :

CIA is not happy this got discovered.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.