lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 29 Mar 2024 12:32:07 -0700
From: Kees Cook <keescook@...omium.org>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: Lasse Collin <lasse.collin@...aani.org>, Jia Tan <jiat0218@...il.com>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 00/11] xz: Updates to license, filters, and compression
 options

On Wed, Mar 20, 2024 at 08:38:33PM +0200, Lasse Collin wrote:
> XZ Embedded, the upstream project, switched from public domain to the
> BSD Zero Clause License (0BSD). Now matching SPDX license identifiers
> can be added.
> 
> The new ARM64 and RISC-V filters can be used by Squashfs.
> 
> Account for the default threading change made in the xz command line
> tool version 5.6.0. Tweak kernel compression options for archs that
> support XZ compressed kernel.
> 
> Documentation was revised. There are minor cleanups too.
> 
> Lasse Collin (11):
>   MAINTAINERS: Add XZ Embedded maintainers
>   LICENSES: Add 0BSD license text
>   xz: Switch from public domain to BSD Zero Clause License (0BSD)
>   xz: Documentation/staging/xz.rst: Revise thoroughly
>   xz: Fix comments and coding style
>   xz: Cleanup CRC32 edits from 2018
>   xz: Optimize for-loop conditions in the BCJ decoders
>   xz: Add ARM64 BCJ filter
>   xz: Add RISC-V BCJ filter
>   xz: Use 128 MiB dictionary and force single-threaded mode
>   xz: Adjust arch-specific options for better kernel compression
> 
>  Documentation/staging/xz.rst    | 130 ++++++++---------------
>  LICENSES/deprecated/0BSD        |  23 ++++
>  MAINTAINERS                     |  14 +++
>  include/linux/decompress/unxz.h |   5 +-
>  include/linux/xz.h              |   5 +-
>  init/Kconfig                    |   5 +-
>  lib/decompress_unxz.c           |  39 ++++---
>  lib/xz/Kconfig                  |  13 ++-
>  lib/xz/xz_crc32.c               |   7 +-
>  lib/xz/xz_dec_bcj.c             | 183 ++++++++++++++++++++++++++++++--
>  lib/xz/xz_dec_lzma2.c           |   5 +-
>  lib/xz/xz_dec_stream.c          |   5 +-
>  lib/xz/xz_dec_syms.c            |  16 +--
>  lib/xz/xz_dec_test.c            |  12 +--
>  lib/xz/xz_lzma2.h               |   5 +-
>  lib/xz/xz_private.h             |  20 ++--
>  lib/xz/xz_stream.h              |   7 +-
>  scripts/Makefile.lib            |  13 ++-
>  scripts/xz_wrap.sh              | 157 +++++++++++++++++++++++++--
>  19 files changed, 487 insertions(+), 177 deletions(-)
>  create mode 100644 LICENSES/deprecated/0BSD

Andrew (and anyone else), please do not take this code right now.

Until the backdooring of upstream xz[1] is fully understood, we should not
accept any code from Jia Tan, Lasse Collin, or any other folks associated
with tukaani.org. It appears the domain, or at least credentials
associated with Jia Tan, have been used to create an obfuscated ssh
server backdoor via the xz upstream releases since at least 5.6.0.
Without extensive analysis, we should not take any associated code.
It may be worth doing some retrospective analysis of past contributions
as well...

Lasse, are you able to comment about what is going on here?

-Kees

[1] https://www.openwall.com/lists/oss-security/2024/03/29/4

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ