[Toybox] [PATCH] Clean up xz a good amount
Rob Landley
rob at landley.net
Fri Mar 29 23:00:13 PDT 2024

On 3/29/24 17:50, Oliver Webb wrote:
>> > ah, crap, that's another thing to put on the riscv64 to-do list...
>> > (thanks for bringing that to light!)
>>
>> so, TIL that upstream already added a risc-v bcj implementation...
>
> I always thought that the xz decompressor we use in toybox ("xz-embedded") and the main
> one (The one with the CVE) were different projects (Separate git repos, one is much slower
> than the other, etc).

The exploit was somebody checked a "test case" into the build system that hacked
the rest of the build with an x86-64 binary blob that linked before the other
functions?

https://youtu.be/jqjtNDtbDNI

I was only halfway paying attention once I was sure it didn't affect toybox. My
systems here use dropbear for ssh anyway, yes including my laptop. :)

> That being said, there are 0BSD licensed parts in the xz repo
> (one of SIX different licenses).

Huh, really? Cool...

>> (rob will of course be delighted to hear of systemd's involvement in
>> the exploit chain :-) )
>
> Who would've known that an over-complicated, extremely large hairball with a massive dependency chain
> that tries to consume _everything_ makes it easy to perform exploits.

Deleted long grumbling about adding complexity probably means you're _reducing_
security because the system is less auditable: a signing chain of custody is
still GIGO it just means it was delivered to you by TIVO with a mandatory EULA
so you can't personally FIX it...

Ahem. Tangent. Not going there.

Rob