Message-ID: <14dc0bca-e5c7-40a4-88ae-b08b3680058c@incomsystems.biz>
Date: Fri, 29 Mar 2024 14:24:49 -0500
From: Jonathan Bennett <jbennett@...omsystems.biz>
To: Lasse Collin <lasse.collin@...aani.org>,
 Andrew Morton <akpm@...ux-foundation.org>
Cc: Jia Tan <jiat0218@...il.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 00/11] xz: Updates to license, filters, and compression
 options

Just in case it hasn't been brought to the kernel's attention, the xz 
project has been compromised in its upstream repo, and versions 5.6.0 
and 5.6.1 attempt to load a backdoor into SSH. I suggest any patches 
associated with Lasse Collin, Jia Tan, or tukaani.org be held until 
that matter is fully resolved. And all their previous work needs to be 
re-examined with this in mind.

--Jonathan Bennett

On 3/20/24 1:38 PM, Lasse Collin wrote:
> XZ Embedded, the upstream project, switched from public domain to the
> BSD Zero Clause License (0BSD). Now matching SPDX license identifiers
> can be added.
>
> The new ARM64 and RISC-V filters can be used by Squashfs.
>
> Account for the default threading change made in the xz command line
> tool version 5.6.0. Tweak kernel compression options for archs that
> support XZ compressed kernel.
>
> Documentation was revised. There are minor cleanups too.
>
> Lasse Collin (11):
>    MAINTAINERS: Add XZ Embedded maintainers
>    LICENSES: Add 0BSD license text
>    xz: Switch from public domain to BSD Zero Clause License (0BSD)
>    xz: Documentation/staging/xz.rst: Revise thoroughly
>    xz: Fix comments and coding style
>    xz: Cleanup CRC32 edits from 2018
>    xz: Optimize for-loop conditions in the BCJ decoders
>    xz: Add ARM64 BCJ filter
>    xz: Add RISC-V BCJ filter
>    xz: Use 128 MiB dictionary and force single-threaded mode
>    xz: Adjust arch-specific options for better kernel compression
>
>   Documentation/staging/xz.rst    | 130 ++++++++---------------
>   LICENSES/deprecated/0BSD        |  23 ++++
>   MAINTAINERS                     |  14 +++
>   include/linux/decompress/unxz.h |   5 +-
>   include/linux/xz.h              |   5 +-
>   init/Kconfig                    |   5 +-
>   lib/decompress_unxz.c           |  39 ++++---
>   lib/xz/Kconfig                  |  13 ++-
>   lib/xz/xz_crc32.c               |   7 +-
>   lib/xz/xz_dec_bcj.c             | 183 ++++++++++++++++++++++++++++++--
>   lib/xz/xz_dec_lzma2.c           |   5 +-
>   lib/xz/xz_dec_stream.c          |   5 +-
>   lib/xz/xz_dec_syms.c            |  16 +--
>   lib/xz/xz_dec_test.c            |  12 +--
>   lib/xz/xz_lzma2.h               |   5 +-
>   lib/xz/xz_private.h             |  20 ++--
>   lib/xz/xz_stream.h              |   7 +-
>   scripts/Makefile.lib            |  13 ++-
>   scripts/xz_wrap.sh              | 157 +++++++++++++++++++++++++--
>   19 files changed, 487 insertions(+), 177 deletions(-)
>   create mode 100644 LICENSES/deprecated/0BSD
>
