#archlinux32 | Logs for 2024-03-29

Back
[00:27:46] -!- phrik has quit [Remote host closed the connection]
[00:29:08] -!- phrik has joined #archlinux32
[03:39:09] -!- AtleoS has quit [Quit: AtleoS]
[03:43:10] -!- AtleoS has joined #archlinux32
[04:50:30] -!- morriset has quit [Quit: Leaving]
[05:37:29] -!- bill-auger has quit [Ping timeout: 252 seconds]
[05:37:56] -!- bill-auger has joined #archlinux32
[05:42:56] -!- bill-auger has quit [Ping timeout: 268 seconds]
[05:43:12] -!- bill-auger has joined #archlinux32
[05:47:09] -!- AtleoS has quit [Quit: AtleoS]
[05:47:39] -!- AtleoS has joined #archlinux32
[05:49:10] -!- AtleoS has quit [Remote host closed the connection]
[07:03:25] -!- T`aZ has quit [Remote host closed the connection]
[17:18:24] -!- dvzrv has quit [Quit: WeeChat 4.2.1]
[17:18:51] -!- dvzrv has joined #archlinux32
[18:10:09] <bill-auger> FYI people are buzzing over this CVE https://security.archlinux.org - AFAICT, the tainted version was replaced upstream; so it only needs a rebuild v5.6.1
[18:10:10] <phrik> Title: AVG-2851 - xz - Arch Linux (at security.archlinux.org)
[18:33:43] <bill-auger> i looked into it a bit more - this arch ticket concludes that the bug never affected arch https://gitlab.archlinux.org
[18:33:43] <bill-auger> Title: Backdoor found in xz 5.6.1 (#2) · Issues · Arch Linux / Packaging / Packages / xz · GitLab (at gitlab.archlinux.org)
[18:33:43] <bill-auger> > the backdoor appears to only run when built by the Debian build system or as an RPM package.
[18:33:43] <phrik> Title: Backdoor found in xz 5.6.1 (#2) · Issues · Arch Linux / Packaging / Packages / xz · GitLab (at gitlab.archlinux.org)
[18:34:21] <bill-auger> but the malicious code is still present in the release sourceball, which is why arch rebuilt from VCS
[18:54:35] <KillerWasp> lol, i also read it and still i'm try understand how work this bug....
[19:00:08] <bill-auger> as i understand, even the experts are not certain that they understand everything it may be able to do
[19:00:54] <KillerWasp> oh, seem that in git don't exist, only in tarball downloads files.
[19:01:20] <KillerWasp> starting from 5.6.0 include .m4 files that work with automake
[19:03:21] <KillerWasp> https://nvd.nist.gov
[19:03:44] <bill-auger> which is why we build everything in a clean chroot with networking disabled - that is a simple way to neutralize any exploit which requires downloading extra sources at compile time
[19:04:55] <KillerWasp> bill-auger: yes, is a good idea. :/
[19:05:38] <bill-auger> and why people should be suspicious of any build which requires networking at compile time
[19:27:58] <bill-auger> ok correction - arch just posted an alert, saying that 5.6.0 and 5.6.1 are vulnerable
[19:28:36] <bill-auger> so you should probably rebuild from the github sources like arch did
[21:13:11] -!- bill-auger has quit [Ping timeout: 264 seconds]
[21:22:33] -!- bill-auger has joined #archlinux32