[Urgent security issue] [liblzma] port uses compromised version #4538
Comments
jonathanlinat
changed the title
jonathanlinat
changed the title
|
Thanks! I'll look into updating the dependency. Hopefully there will be a proper fix by then. As far as I understand it, the actual issue only affects glibc based systems, ie. Linux. I'm not sure if TB using this library actually makes the host vulnerable if it wasn't already, but I don't think so. |
|
If it comes via freeimage -> tiff -> lzma it's unfortunately not a feature that can be disabled. The freeimage port could be vendored and customized though, haven't followed the other dependencies to see if it comes from more places. |
|
Fix for the freeimage port on the way, microsoft/vcpkg#38047 |
|
This fix disables tiff support? |
|
I'm not sure either if it is disabling features of tiff or the format all together. I asked on that pull request, waiting for an answer. |
|
Apparently it does not disable, just fix. Here is a link to the reply. |
|
I don't understand the reply I'm afraid. |
|
Ha, me either, that's why I linked the reply. |
|
Some news. That means, in theory, the building process of TrenchBroom should work now. Let's try. Here is the commit responsible for removing the backdoor from the official GitHub repository: tukaani-project/xz@e93e13c |
|
Well... it does not work, unfortunately. But now, the issue is related to the
|
|
microsoft/vcpkg#38047 is merged now, so should be possible to just bump vcpkg and tiff no longer depends on lzma. But as the release artifacts have been restored for xz, doing nothing works fine too. Yep, verified. Can close this issue now unless you want to tighten up the dependencies a bit. Compiles with no change. |
|
I can confirm that the
|
|
Not seeing that issue with upstream TrenchBroom. Builds and runs fine on Windows here via vcpkg. |
@kduske Is this what we need to upgrade? https://github.com/TrenchBroom/TrenchBroom/blob/master/vcpkg-overlay-ports/freeimage/vcpkg.json |
I think it enables you to specifically declare which freeimage features you are using, so that e.g. you can avoid pulling in lzma if you aren't using it. Motivated by the (temporary? previous?) broken state of things due to xz being pulled offline. If xz is back now (without the vulnerability) then maybe this is not something that TB needs to worry with? I'm not up to speed though about whether all the necessary fixes/changes have propagated everywhere yet. |
|
Thanks Joel. |
@kduske My automated process to build the apps and tools for my Quake Level Design Starter Kit fails for TrenchBroom on Windows.
It happens because of a compromised vcpkg dependency, which is related to a GitHub account that has been terminated. The main reason is the presence of a backdoor.
This will likely happen on your automated pipeline, too.
Here is a possible temporary workaround: microsoft/vcpkg#37839 (comment)
The text was updated successfully, but these errors were encountered: