[XZ] Add v5.2.5 with security patch and no backdoor author commits (#8396)

* [XZ] Add v5.2.5 with security patch and no backdoor author commits

* [XZ] Add patch for CVE-2022-1271, ZDI-22-619, ZDI-CAN-16587

* Add gpg verification and Lasse Collin's public key
mkitti authored Apr 2, 2024
1 parent dbb9918 commit 108e784
Showing 4 changed files with 182 additions and 5 deletions.
29 changes: 24 additions & 5 deletions X/XZ/build_tarballs.jl
@@ -7,18 +7,34 @@ name = "XZ"
# code is free from malicious backdoors, see for example
# * https://www.openwall.com/lists/oss-security/2024/03/29/4
# * https://boehs.org/node/everything-i-know-about-the-xz-backdoor
version = v"5.4.6"
# v5.2.5 is the last stable version without commits from the backdoor author
version = v"5.2.5"

# Collection of sources required to complete build
sources = [
ArchiveSource("https://github.com/tukaani-project/xz/releases/download/v$(version)/xz-$(version).tar.xz",
# NOTE: see comment above about changing version
"cdafe1632f139c82937cc1ed824f7a60b7b0a0619dfbbd681dcac02b1ac28f5b"),
GitSource("https://git.tukaani.org/xz.git",
# NOTE: see comment above about changing version
"2327a461e1afce862c22269b80d3517801103c1b"),
DirectorySource("./bundled"),
]

# Bash recipe for building across all platforms
script = raw"""
cd $WORKSPACE/srcdir/xz-*
cd $WORKSPACE/srcdir/xz*
if [[ "${target}" != "*mingw32*" ]]; then
# install `autopoint`
apk update && apk add gettext-dev po4a gpg gpg-agent
fi
# From https://tukaani.org/misc/lasse_collin_pubkey.txt
gpg --import ../keys/lasse_collin_pubkey.txt
git verify-tag `git describe --exact-match --tags HEAD`
# Patch is only needed for version < v"5.2.6"
gpg --verify ../patches/xzgrep-ZDI-CAN-16587.patch.sig
git apply ../patches/xzgrep-ZDI-CAN-16587.patch
./autogen.sh
BUILD_FLAGS=(--prefix=${prefix} --build=${MACHTYPE} --host=${target} --with-pic)
# i686 error "configure works but build fails at crc32_x86.S"
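Review bot: `cd $WORKSPACE/srcdir/xz*` is ambiguous now that the sources list carries both the ArchiveSource (unpacking to `xz-5.2.5`) and the GitSource (cloning to `xz`): the glob can expand to two directories, and the steps that follow only work in one of them (`git verify-tag` needs the git checkout, and `../keys` and `../patches` resolve relative to whichever directory was entered). Pin the directory explicitly, e.g. `cd $WORKSPACE/srcdir/xz` if the build is meant to come from the signed tag, and drop the source that is not built. Two smaller points in the same hunk: `[[ "${target}" != "*mingw32*" ]]` compares against the literal string because the pattern is quoted, so the `apk add ... gpg gpg-agent` branch runs on every target including mingw32; write `[[ "${target}" != *mingw32* ]]`. And `gpg --import` followed by `git verify-tag` and `gpg --verify` only establishes that the signature is good under some key in the keyring; to tie it to Lasse Collin's key, check the fingerprint, for example by running `git verify-tag --raw` / `gpg --status-fd 1 --verify` and requiring a `VALIDSIG` line that carries the expected fingerprint.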
@@ -44,8 +60,11 @@ else
./configure "${BUILD_FLAGS[@]}" "${TOGGLE[@]}"
make -j${nproc}
make install
# Toggle does not work with v5.2.5 without clean
make clean
done
fi
install_license COPYING
"""

# These are the platforms we will build for by default, unless further
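Review bot: the `make clean` added at the end of the loop body removes object files but leaves `config.status` and any `config.cache` from the previous `./configure "${BUILD_FLAGS[@]}" "${TOGGLE[@]}"` run in place; if the toggle broke without a clean because of stale configure state rather than stale objects, `make distclean` is the reset that matches the comment. Either way, the comment should say which artefact went stale, so the workaround can be dropped once the version moves past 5.2.5.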
64 changes: 64 additions & 0 deletions X/XZ/bundled/keys/lasse_collin_pubkey.txt
@@ -0,0 +1,64 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=PHuF
-----END PGP PUBLIC KEY BLOCK-----
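Review bot: the key block is vendored without its fingerprint being recorded anywhere in the recipe, so a future replacement of this file would still pass `gpg --import` and every verification step that follows. Record the fingerprint (as printed by `gpg --show-keys --with-fingerprint lasse_collin_pubkey.txt`) as a comment in `build_tarballs.jl` next to the `https://tukaani.org/misc/lasse_collin_pubkey.txt` reference and have the script compare against it, so the trust anchor is a reviewed constant in the recipe rather than the contents of this file.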
94 changes: 94 additions & 0 deletions X/XZ/bundled/patches/xzgrep-ZDI-CAN-16587.patch
@@ -0,0 +1,94 @@
From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001
From: Lasse Collin <[email protected]>
Date: Tue, 29 Mar 2022 19:19:12 +0300
Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).

Malicious filenames can make xzgrep to write to arbitrary files
or (with a GNU sed extension) lead to arbitrary code execution.

xzgrep from XZ Utils versions up to and including 5.2.5 are
affected. 5.3.1alpha and 5.3.2alpha are affected as well.
This patch works for all of them.

This bug was inherited from gzip's zgrep. gzip 1.12 includes
a fix for zgrep.

The issue with the old sed script is that with multiple newlines,
the N-command will read the second line of input, then the
s-commands will be skipped because it's not the end of the
file yet, then a new sed cycle starts and the pattern space
is printed and emptied. So only the last line or two get escaped.

One way to fix this would be to read all lines into the pattern
space first. However, the included fix is even simpler: All lines
except the last line get a backslash appended at the end. To ensure
that shell command substitution doesn't eat a possible trailing
newline, a colon is appended to the filename before escaping.
The colon is later used to separate the filename from the grep
output so it is fine to add it here instead of a few lines later.

The old code also wasn't POSIX compliant as it used \n in the
replacement section of the s-command. Using \<newline> is the
POSIX compatible method.

LC_ALL=C was added to the two critical sed commands. POSIX sed
manual recommends it when using sed to manipulate pathnames
because in other locales invalid multibyte sequences might
cause issues with some sed implementations. In case of GNU sed,
these particular sed scripts wouldn't have such problems but some
other scripts could have, see:

info '(sed)Locale Considerations'

This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative

Thanks to Jim Meyering and Paul Eggert discussing the different
ways to fix this and for coordinating the patch release schedule
with gzip.
---
src/scripts/xzgrep.in | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
index b180936..e5186ba 100644
--- a/src/scripts/xzgrep.in
+++ b/src/scripts/xzgrep.in
@@ -180,22 +180,26 @@ for i; do
{ test $# -eq 1 || test $no_filename -eq 1; }; then
eval "$grep"
else
+ # Append a colon so that the last character will never be a newline
+ # which would otherwise get lost in shell command substitution.
+ i="$i:"
+
+ # Escape & \ | and newlines only if such characters are present
+ # (speed optimization).
case $i in
(*'
'* | *'&'* | *'\'* | *'|'*)
- i=$(printf '%s\n' "$i" |
- sed '
- $!N
- $s/[&\|]/\\&/g
- $s/\n/\\n/g
- ');;
+ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
esac
- sed_script="s|^|$i:|"
+
+ # $i already ends with a colon so don't add it here.
+ sed_script="s|^|$i|"

# Fail if grep or sed fails.
r=$(
exec 4>&1
- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
+ (eval "$grep" 4>&-; echo $? >&4) 3>&- |
+ LC_ALL=C sed "$sed_script" >&3 4>&-
) || r=2
exit $r
fi >&3 5>&-
--
2.35.1
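Review bot: this file is checked byte-for-byte by the detached `.sig` beside it, so the whole `git format-patch` export, from the `From 69d1b3fc...` header through the trailing `--` / `2.35.1`, must be stored exactly as upstream produced it; a `.gitattributes` rule marking `bundled/patches/*.patch` as `-text` (or `binary`) keeps line-ending normalization or an editor's trailing-newline fix from breaking `gpg --verify`. It would also help reviewers to note in `build_tarballs.jl` that this is upstream commit 69d1b3fc29677af8ade8dc15dba83f0589cb63d6, the identifier the patch header already carries, so the vendored copy can be diffed against the xz git tree rather than trusted on the signature alone.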

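The patch description above explains why the pre-patch sed script escapes only the last line or two of a filename, and how the replacement fixes it. The following shell script is an added example, not part of the XZ recipe or of upstream xz: it runs the old and the new escaping step from the hunk above side by side on constructed filenames, then feeds each result through the same `s|^|...|` prefix script xzgrep builds. The function names, the sample filenames and the sample grep output line are mine; the `e` command line in the crafted name only runs `echo`.

```shell
#!/bin/sh
# Added example, not from the XZ recipe or upstream xz: the old and new xzgrep
# filename-escaping steps side by side, applied to constructed filenames.

# Pre-patch escaping. With two or more newlines in the name, `$!N` joins one
# line, the `$s` commands are skipped because sed is not yet on the last input
# line, and the joined pattern space is printed unescaped.
escape_old() {
  printf '%s\n' "$1" |
    sed '
      $!N
      $s/[&\|]/\\&/g
      $s/\n/\\n/g
    '
}

# Post-patch escaping: append the colon first so command substitution cannot
# eat a trailing newline, escape & \ | on every line, and end every line but
# the last with a backslash (backslash-newline is a literal newline inside a
# POSIX s/// replacement).
escape_new() {
  printf '%s\n' "$1:" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/'
}

# Build xzgrep's filename-prefix script from each escaper and run it over one
# constructed line of grep output. The pre-patch variant is the vulnerable one.
prefix_line_old() {
  i=$(escape_old "$1")
  printf '%s\n' "$2" | sed "s|^|$i:|"
}
prefix_line_new() {
  i=$(escape_new "$1")
  printf '%s\n' "$2" | LC_ALL=C sed "s|^|$i|"
}

# Constructed filenames (in xzgrep these would be argv entries):
ONE_NL=$(printf 'a|\nb&c')       # one newline: the old script still escapes
TWO_NL=$(printf 'a|\nb&c\nd')    # two newlines: the old script escapes nothing
# Same shape as the GNU-sed code-execution case from the patch description:
# the unescaped `|` closes the s/// replacement, the newline ends the command,
# and the next line is parsed as a sed `e` command; `#` turns the final `:|`
# into a comment. Only `echo` is run here.
INJECT=$(printf 'a|\ne echo INJECTED\n#')

if [ "$(escape_old "$TWO_NL")" = "$TWO_NL" ]; then
  echo "old sed script left the two-newline name completely unescaped"
fi
echo "old script on the one-newline name: $(escape_old "$ONE_NL")"
echo "--- pre-patch prefixing of the crafted name (GNU sed runs the e command):"
prefix_line_old "$INJECT" 'matched text' 2>/dev/null || echo '(sed rejected the script)'
echo "--- post-patch prefixing of the same name:"
prefix_line_new "$INJECT" 'matched text'
```

With GNU sed the pre-patch branch prints `INJECTED` before the (wrongly prefixed) match line; with a sed that lacks the `e` extension it rejects the script instead. The post-patch branch prints the three-line filename, the colon, then the match, which is the output xzgrep intends.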
Binary file added X/XZ/bundled/patches/xzgrep-ZDI-CAN-16587.patch.sig
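Review bot: `gpg --verify ../patches/xzgrep-ZDI-CAN-16587.patch.sig` with a single argument only works because gpg derives the signed file by stripping `.sig`, so this file and the patch must keep the same basename in the same directory; passing both explicitly (`gpg --verify xzgrep-ZDI-CAN-16587.patch.sig xzgrep-ZDI-CAN-16587.patch`) makes that dependency visible. Since a binary signature cannot be reviewed by eye, the PR description should also quote the `gpg --verify` output naming the signing key.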
