Date: Wed, 3 Apr 2024 22:59:03 +0300
From: Lasse Collin <lasse.collin@...aani.org>
To: <angel.lkml@...its.net>
Cc: Andrew Morton <akpm@...ux-foundation.org>, Jubin Zhong
 <zhongjubin@...wei.com>, linux-kernel@...r.kernel.org,
 vegard.nossum@...cle.com
Subject: Re: [PATCH 11/11] xz: Adjust arch-specific options for better
 kernel compression

On 2024-03-31 angel.lkml@...its.net wrote:
> Under the light of the recent xz backdoor, I should note that this
> patch (patch 11) does:
> 
> > +# Set XZ_VERSION (and LIBLZMA_VERSION). This is needed to disable
> > features +# that aren't available in old XZ Utils versions.
> > +eval "$($XZ --robot --version)" || exit
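Review bot: `eval "$($XZ --robot --version)"` runs whatever the xz binary prints as shell code, so the build script trusts both the binary and anything in XZ_OPT or XZ_DEFAULTS that changes its output (for example `--help`, which replaces the KEY=VALUE lines with help text). Read the value as data instead, e.g. `XZ_VERSION=$($XZ --robot --version | sed -n 's/^XZ_VERSION=//p') || exit`, and check that the result is purely numeric before using it in version comparisons. The comment line is also wrapped in this quote ("features +# that aren't"), so compare against the original patch rather than this copy.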

The eval method has been on the xz man page for a very long time but I
agree that due to the recent events the above method is not ideal.

It can also break if XZ_OPT or XZ_DEFAULTS contains something that they
usually shouldn't. For example, XZ_OPT=--help would make the above eval
method run the output of $XZ --help.

> So, in the spirit of keeping a fair amount of paranoia, and since it
> doesn't do any harm, any such code should be failproofed to ensure it
> can only import the expected shell variables with the right format[3]:
>
>  eval "$($XZ --robot --version | grep '^\(XZ\|LIBLZMA\)_VERSION=[0-9]*$')" || exit

I would rather get rid of eval. I committed the following to the
upstream repository:

XZ_VERSION=$($XZ --robot --version | sed -n 's/^XZ_VERSION=//p') || exit

Thanks!

-- 
Lasse Collin
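As an added illustration of the eval-free approach discussed above (example code, not from the patch or from the upstream xz commit), this POSIX sh snippet reads `xz --robot --version` output as plain data, rejects anything whose XZ_VERSION value is not a bare integer, and compares it against a minimum. The robot output is simulated with constructed strings so it runs without xz installed.

```shell
#!/bin/sh
# Added example, not code from the patch or from Lasse Collin's commit.
# Parse `xz --robot --version` output without eval and refuse anything
# whose XZ_VERSION value is not a plain integer.

# Constructed sample of what `xz --robot --version` normally prints.
ROBOT_OK='XZ_VERSION=50060022
LIBLZMA_VERSION=50060022'

# Constructed sample of what reaches the pipe when XZ_OPT=--help turns the
# same command into a help dump; the last line imitates text that
# `eval "$(...)"` would have executed as shell code.
ROBOT_HELP='Usage: xz [OPTION]... [FILE]...
Compress or decompress FILEs in the .xz format.
XZ_VERSION=50060022; echo injected'

# Extract XZ_VERSION from robot output on stdin and print it.
# Returns 1 (prints nothing) when the line is missing, appears more than
# once, or its value contains anything but digits.
xz_version_from_robot() {
    ver=$(sed -n 's/^XZ_VERSION=//p')
    case "$ver" in
        '' | *[!0-9]*) return 1 ;;   # empty, non-digit, or embedded newline
    esac
    printf '%s\n' "$ver"
}

# Compare an extracted XZ_VERSION against a minimum encoded the same way
# (an integer; the 50020000 below is a constructed threshold).
xz_version_at_least() {
    [ "$1" -ge "$2" ]
}

# Demonstration: the healthy output yields a number, the help-style output
# is rejected instead of being executed.
if ver=$(printf '%s\n' "$ROBOT_OK" | xz_version_from_robot); then
    echo "XZ_VERSION=$ver"
    xz_version_at_least "$ver" 50020000 && echo "new enough"
else
    echo "could not determine XZ_VERSION" >&2
fi
printf '%s\n' "$ROBOT_HELP" | xz_version_from_robot \
    || echo "rejected help-style output"
```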
