[liblzma] port uses compromised version #37839
Comments
WangWeiLin-MV
added
the
category:port-bug
Resolves #37839 Reverts #37199 See https://www.openwall.com/lists/oss-security/2024/03/29/4 Note that the version database is unmodified, only the baseline is changed. Because vcpkg builds liblzma from cmake sources downloaded from github and this backdoor required modifications only present in the release tarballs, it is our belief that vcpkg customers are not affected by this problem. However, we are reverting this version out of an abundance of caution as the threat actor clearly has broad access to liblzma infrastructure, and because we believe customers will start flagging this package by version as being a problem.
|
This PR already addresses the issue by downgrading xz version, but it still leaves the build broken because the entire xz repo has been disabled by GitHub so ALL versions are blocked. So, to fix your build, run
Then building will work again: |
If you are using vcpkg in manifest mode with a builtin baseline, you can use an overlay port to implement the suggestion by @MichaelCurrie . |
... until that fork is taken down for the same reasons as the official repo. |
Yes. I am sure the folks involved do not make these decisions lightly. I hope there will be an actual solution soon. |
|
The official XZ team announcement is here: Important to know: There is no problem with contributors here like @carsten-grimm. But several people mix all because I have requested the XZ update in vcpkg. @gowthamgts has participated on Reddit against me badly and I have commented on two places where he has commented (on my SCRAM request publications):
You can look here the original comment:
You can follow my announcements here:
The good point, people speak about SCRAM "Salted Challenge Response Authentication Mechanism" security ;) Badly, some people or projects like only old unsecure mechanisms, some would like security improvements. |
Make it easier to develop with SDL2 and Rust on Windows by getting a build environment setup. Previously attempted using 'cargo-vcpkg' but encountered build issues due to vcpkg relying on liblzma port that has been taken down due to being compromised: microsoft/vcpkg#37839
WangWeiLin-MV
changed the title
See microsoft/vcpkg#37839 and connected issues
Without this drawpile-srv does not include WebSockets support. Tested on Linux on Debian Bookworm x86 with bookworm-backports packages. Tested on Windows 11 23H2 build 22631.3374: * Temporarily required fox for xz repository unavailability: microsoft/vcpkg#37839 (comment) * Reported listening for WebSocket connections but inbound connections were closed without response rather than registered as a connection unless headers Sec-WebSocket-Version: 13 and Sec-WebSocket-Key: ... were provided; even after that it didn't connect - this was because my nginx server had root directives: # Don't pass request header and body to the server # prevents referer being a problem proxy_pass_request_headers off; proxy_pass_request_body off; # Don't pass the h2 upgrade header, as it breaks Safari proxy_hide_header Upgrade; Resolved by adding the following to the /drawpile-web/ws block: proxy_pass_header Upgrade; proxy_pass_request_headers on; proxy_pass_request_body on;
…oblems See microsoft/vcpkg#37839 and connected issues
You may have to not only reinstall the library as explained in the above (THANKS! @MichaelCurrie). But also:
|
https://github.com/tukaani-project/xz has been disabled. Use bminor's fork of xz until the liblzma project publishes a new official repository as proposed by @MichaelCurrie in a comment on microsoft#37839
https://github.com/tukaani-project/xz has been disabled. Use bminor's fork of xz until the liblzma project publishes a new official repository as proposed by @MichaelCurrie in a comment on microsoft#37839
https://github.com/tukaani-project/xz has been disabled. Use bminor's fork of xz until the liblzma project publishes a new official repository as proposed by @MichaelCurrie in a comment on microsoft#37839
https://github.com/tukaani-project/xz has been disabled. Use bminor's fork of xz until the liblzma project publishes a new official repository as proposed by @MichaelCurrie in a comment on microsoft#37839
For reference please look here microsoft/vcpkg#37839 TL;DR Github disabled downloading their artifacts thus resulting in 404
Because it's *still* busted in vcpkg. The workaround is from microsoft/vcpkg#37839. Relates to #1 and drawpile/Drawpile#1239.
Describe the bug
vcpkg updated liblzma to 5.6.0. This version is known as compromised and backdoored
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
This is a solid 10.0 CVE score vulnerability
vcpkg should immediately revert from 5.6.0
The text was updated successfully, but these errors were encountered: