[Toybox] [PATCH] Clean up xz a good amount

enh enh at google.com
Fri Mar 29 15:59:38 PDT 2024


On Fri, Mar 29, 2024 at 3:50 PM Oliver Webb <aquahobbyist at proton.me> wrote:
>
> > > ah, crap, that's another thing to put on the riscv64 to-do list...
> > > (thanks for bringing that to light!)
> >
> > so, TIL that upstream already added a risc-v bcj implementation...
>
> I always thought that the xz decompressor we use in toybox ("xz-embedded") and the main
> one (the one with the CVE) were different projects (separate git repos, one is much slower
> than the other, etc). That being said, there are 0BSD licensed parts in the xz repo
> (one of SIX different licenses).

different repo, same maintainers.

> > (rob will of course be delighted to hear of systemd's involvement in
> > the exploit chain :-) )
>
> Who would've known that an over-complicated, extremely large hairball with a massive dependency chain
> that tries to consume _everything_ makes it easy to perform exploits.
>
> -   Oliver Webb <aquahobbyist at proton.me>
>

