[Toybox] [PATCH] Clean up xz a good amount

Rob Landley rob at landley.net
Fri Mar 29 23:00:13 PDT 2024


On 3/29/24 17:50, Oliver Webb wrote:
>> > ah, crap, that's another thing to put on the riscv64 to-do list...
>> > (thanks for bringing that to light!)
>> 
>> so, TIL that upstream already added a risc-v bcj implementation...
> 
> I always thought that the xz decompressor we use in toybox ("xz-embedded") and the main
> one (the one with the CVE) were different projects (separate git repos, one is much slower
> than the other, etc).

The exploit was somebody checked a "test case" into the build system that hacked
the rest of the build with an x86-64 binary blob that linked before the other
functions?

https://youtu.be/jqjtNDtbDNI

I was only halfway paying attention once I was sure it didn't affect toybox. My
systems here use dropbear for ssh anyway, yes including my laptop. :)

> That being said, There are 0BSD licensed parts in the xz repo
> (one of SIX different licenses).

Huh, really? Cool...

>> (rob will of course be delighted to hear of systemd's involvement in
>> the exploit chain :-) )
> 
> Who would've known that an over-complicated, extremely large hairball with a massive dependency chain
> that tries to consume _everything_ makes it easy to perform exploits.

Deleted long grumbling about how adding complexity probably means you're _reducing_
security because the system is less auditable: a signing chain of custody is
still GIGO, it just means it was delivered to you by TiVo with a mandatory EULA
so you can't personally FIX it...

Ahem. Tangent. Not going there.

Rob
