| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 29 Mar 2024 17:37:45 -0700 From: Kees Cook <keescook@...omium.org> To: Jonathan Corbet <corbet@....net>, Andrew Morton <akpm@...ux-foundation.org> Cc: Lasse Collin <lasse.collin@...aani.org>, Jia Tan <jiat0218@...il.com>, linux-kernel@...r.kernel.org Subject: Re: [PATCH 00/11] xz: Updates to license, filters, and compression options On Fri, Mar 29, 2024 at 02:51:41PM -0600, Jonathan Corbet wrote: > "Kees Cook" <keescook@...omium.org> writes: > > > On Wed, Mar 20, 2024 at 08:38:33PM +0200, Lasse Collin wrote: > >> XZ Embedded, the upstream project, switched from public domain to the > >> BSD Zero Clause License (0BSD). Now matching SPDX license identifiers > >> can be added. > >> > >> The new ARM64 and RISC-V filters can be used by Squashfs. > >> > >> Account for the default threading change made in the xz command line > >> tool version 5.6.0. Tweak kernel compression options for archs that > >> support XZ compressed kernel. > >> > >> Documentation was revised. There are minor cleanups too. > >> > >> Lasse Collin (11): > >> MAINTAINERS: Add XZ Embedded maintainers > >> LICENSES: Add 0BSD license text > >> xz: Switch from public domain to BSD Zero Clause License (0BSD) > >> xz: Documentation/staging/xz.rst: Revise thoroughly > >> xz: Fix comments and coding style > >> xz: Cleanup CRC32 edits from 2018 > >> xz: Optimize for-loop conditions in the BCJ decoders > >> xz: Add ARM64 BCJ filter > >> xz: Add RISC-V BCJ filter > >> xz: Use 128 MiB dictionary and force single-threaded mode > >> xz: Adjust arch-specific options for better kernel compression > >> > >> Documentation/staging/xz.rst | 130 ++++++++--------------- > >> LICENSES/deprecated/0BSD | 23 ++++ > >> MAINTAINERS | 14 +++ > >> include/linux/decompress/unxz.h | 5 +- > >> include/linux/xz.h | 5 +- > >> init/Kconfig | 5 +- > >> lib/decompress_unxz.c | 39 ++++--- > >> lib/xz/Kconfig | 13 ++- > >> lib/xz/xz_crc32.c | 7 +- > >> lib/xz/xz_dec_bcj.c | 183 ++++++++++++++++++++++++++++++-- > >> lib/xz/xz_dec_lzma2.c | 5 +- > >> lib/xz/xz_dec_stream.c | 5 +- > >> lib/xz/xz_dec_syms.c | 16 +-- > >> lib/xz/xz_dec_test.c | 12 +-- > >> lib/xz/xz_lzma2.h | 5 +- > >> lib/xz/xz_private.h | 20 ++-- > >> lib/xz/xz_stream.h | 7 +- > >> scripts/Makefile.lib | 13 ++- > >> scripts/xz_wrap.sh | 157 +++++++++++++++++++++++++-- > >> 19 files changed, 487 insertions(+), 177 deletions(-) > >> create mode 100644 LICENSES/deprecated/0BSD > > > > Andrew (and anyone else), please do not take this code right now. > > > > Until the backdooring of upstream xz[1] is fully understood, we should not > > accept any code from Jia Tan, Lasse Collin, or any other folks associated > > with tukaani.org. It appears the domain, or at least credentials > > associated with Jia Tan, have been used to create an obfuscated ssh > > server backdoor via the xz upstream releases since at least 5.6.0. > > Without extensive analysis, we should not take any associated code. > > It may be worth doing some retrospective analysis of past contributions > > as well... > > > > Lasse, are you able to comment about what is going on here? > > FWIW, it looks like this series has been in linux-next for a few days. > Maybe it needs to come out, for now at least? Yes, for sure. Andrew, just so it's explicitly clear: please remove this series from -mm for now, until the situation is better understood. Thanks! -Kees -- Kees Cook
Powered by blists - more mailing lists