Tootfinder

@timbray@cosocial.ca
2024-03-31 17:34:53

1/2 Looking at one of the #xz writeups, this struck my eye: “The release tarballs upstream publishes don't have the same code that GitHub has. This is common in C projects so that downstream consumers don't need to remember how to run autotools and autoconf.” Ah, GNU AutoHell, I remember it well. Tl;dr: With AutoHell, even if you're building for a 19-bit Multics variant from 1988, it’s got yo…

@mgorny@social.treehouse.systems
2024-04-06 08:05:04

On 2024-03-19, two vulnerabilities were announced on the #Python #security mailing list: "quoted zip-bomb" and "TemporaryDirectory symlink dereference during cleanup". Both were announced to affect all current #CPython releases.
The same day, security releases were made for Python 3.10, 3.9 and 3.8 branches. So far, so good. However, I found it surprising that there were no releases being made for 3.11 or 3.12.
On 2024-04-02, Python 3.11.9 was tagged. Initially, the signature on source tarball didn't verify. Today, it does verify, but the release still doesn't seem to have been announced. However, what I found the most surprising is the lack of fixes for the security issues announced before! Was the release borked?
So I've checked in more detail… and it turned out that both issues were already fixed in 3.11.8 (and 3.12.2), so the security announcement was wrong. Sigh.
That said, #PyPy is still affected.
mail.python.org/archives/list/
mail.python.org/archives/list/
discuss.python.org/t/python-3-
bugs.gentoo.org/927299

@mgorny@social.treehouse.systems
2024-03-29 17:49:49

You've probably seen it elsewhere already, but: xz-utils 5.6.0 and 5.6.1 release tarballs contain an elaborate exploit that injects a backdoor into SSH. #Gentoo systems shouldn't be affected since our OpenSSH doesn't link to liblzma — apparently the exploit targets distributions that patch OpenSSH to link with libsystemd, which in turn may link to liblzma. However, it's not clear if the exploit doesn't do anything else, so we've masked the new versions.
lzip is not affected.
openwall.com/lists/oss-securit
