[liblzma] port uses compromised version
marekr opened this issue · 7 comments
Describe the bug
vcpkg updated liblzma to 5.6.0. This version is known to be compromised and backdoored:
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
This is a solid 10.0 CVE score vulnerability
vcpkg should immediately revert from 5.6.0
This PR already addresses the issue by downgrading xz version, but it still leaves the build broken because the entire xz repo has been disabled by GitHub so ALL versions are blocked.
So, to fix your build, run git pull to sync that fix, and then make this unofficial one-liner change to grab xz from an unofficial mirror.
Then building will work again:
.\vcpkg install liblzma:x64-windows
If you are using vcpkg in manifest mode with a builtin baseline, you can use an overlay port to implement the suggestion by @MichaelCurrie.
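A defender-side check for the situation in this thread, added here as an example and not code from vcpkg or any commenter: it parses a vcpkg installed/vcpkg/status file and a manifest vcpkg.json, and reports whether liblzma is currently installed at, or pinned by an override to, a version covered by CVE-2024-3094 (5.6.0, and 5.6.1 which the advisory also lists). Both inputs below are constructed samples; the status-file field names follow vcpkg's Debian-control-style layout.

```python
import json
import re

# Versions of xz/liblzma carrying the CVE-2024-3094 backdoor.
COMPROMISED = {"5.6.0", "5.6.1"}

# Constructed sample of vcpkg's installed/vcpkg/status (Debian control style):
# a compromised liblzma is installed, an older one is recorded as purged.
SAMPLE_STATUS = """\
Package: liblzma
Version: 5.6.0
Architecture: x64-windows
Status: install ok installed

Package: liblzma
Version: 5.4.4
Architecture: x64-windows
Status: purge ok not-installed
"""

# Constructed sample manifest (vcpkg.json) with an override pinning liblzma.
SAMPLE_MANIFEST = json.dumps({
    "name": "demo", "version": "1.0", "dependencies": ["liblzma"],
    "overrides": [{"name": "liblzma", "version": "5.4.4"}],
})

def parse_status(text):
    """Yield (package, version, triplet, status) records from a status file."""
    for para in re.split(r"\n\s*\n", text.strip()):
        f = dict(line.split(": ", 1) for line in para.splitlines() if ": " in line)
        yield f.get("Package"), f.get("Version"), f.get("Architecture"), f.get("Status", "")

def compromised_installs(status_text, package="liblzma"):
    """Return [(triplet, version)] for builds that are installed and compromised."""
    return [(arch, ver) for pkg, ver, arch, st in parse_status(status_text)
            if pkg == package and ver in COMPROMISED
            and st.split()[-1:] == ["installed"]]   # excludes 'not-installed'

def override_pin(manifest_text, package="liblzma"):
    """Return the version a manifest override pins `package` to, or None."""
    for ov in json.loads(manifest_text).get("overrides", []):
        if ov.get("name") == package:
            return ov.get("version")
    return None

def audit(status_text, manifest_text):
    # What is installed right now, and whether the manifest pin avoids the bad range.
    pin = override_pin(manifest_text)
    return {"installed_compromised": compromised_installs(status_text),
            "override": pin, "override_is_safe": pin is not None and pin not in COMPROMISED}
```

A non-empty `installed_compromised` list means the binary tree still holds the backdoored build even if the manifest already pins a safe version; reinstalling the port after the pin is what clears it.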
to implement the suggestion by @MichaelCurrie
... until that fork is taken down for the same reasons as the official repo.
Yes. I am sure the folks involved do not make these decisions lightly. I hope there will be an actual solution soon.
The official XZ team announcement is here:
Important to know: There is no problem with contributors here like @carsten-grimm.
But several people are mixing everything up because I requested the XZ update in vcpkg.
I have received a lot of bad messages (private and public).
I have no link with the XZ project; I only follow the project and make announcement and/or update requests.
I have requested 5.4.5 and 5.6.0 because there was only 5.4.4 in vcpkg.
@gowthamgts has participated badly against me on Reddit, and I have commented in two places where he has commented (on my SCRAM request publications):
You can see the original comment here:
- https://news.ycombinator.com/item?id=39871685
- All the XZ backdoor story on Reddit is here: https://news.ycombinator.com/item?id=39865810
You can follow my announcements here:
- https://mastodon.social/@neustradamus
- https://twitter.com/neustradamus
- https://bsky.app/profile/neustradamus.bsky.social
- https://news.ycombinator.com/user?id=neustradamus
The good point: people are talking about SCRAM "Salted Challenge Response Authentication Mechanism" security ;)
Sadly, some people or projects only like old insecure mechanisms, while others would like security improvements.
cc: @duesee, @canselcik, @WinkelCode, @timrobbins1, @sebpretzer, @sroussey, @masklinn, @Asmor (not sure).