unpushed

perl-Compress-Raw-Lzma-2.209-4.fc40 and xz-5.6.0-3.fc40

FEDORA-2024-f5033032b8 created by rjones 10 months ago for Fedora 40

--disable-ifunc (workaround for 2267598)


This update provides the latest version of xz, and a dependent rebuild of perl-Compress-Raw-Lzma that is required to go with it.


Automatic update for xz-5.6.0-1.fc40.

This update has been submitted for testing by rjones.

10 months ago

This update's test gating status has been changed to 'waiting'.

10 months ago

This update's test gating status has been changed to 'waiting'.

10 months ago

This update's test gating status has been changed to 'failed'.

10 months ago

adamwill edited this update.

New build(s):

  • perl-Compress-Raw-Lzma-2.209-4.fc40

Karma has been reset.

10 months ago

This update has obsoleted perl-Compress-Raw-Lzma-2.209-3.fc40, and has inherited its bugs and notes.

10 months ago

This update's test gating status has been changed to 'waiting'.

10 months ago

This update's test gating status has been changed to 'passed'.

10 months ago

This update has been pushed to testing.

10 months ago

This update's test gating status has been changed to 'failed'.

10 months ago

This update's test gating status has been changed to 'waiting'.

10 months ago

This update's test gating status has been changed to 'failed'.

10 months ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

10 months ago

This update has been unpushed.

cheimes commented & provided feedback 10 months ago

I have been looking at the xz builds for Fedora to see whether my test containers are affected by CVE-2024-3094. It looks like annocheck from static analysis checker has detected the attack, e.g. build xz-5.6.0-2.fc40 has failed tests:

Command: annocheck --ignore-unknown --verbose --profile=rawhide /usr/lib64/liblzma.so.5.6.0
Exit Code: 1
...
Hardened: /usr/lib64/liblzma.so.5.6.0: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags 
Hardened: /usr/lib64/liblzma.so.5.6.0: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: dynamic-tags test because AArch64 specific 
Hardened: /usr/lib64/liblzma.so.5.6.0: PASS: fast test 
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: fortify test because sources compiled as if they were assembler are not checked by this test 
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: If real assembler source code is used it may need updating to support the tested feature
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN:  and it definitely needs updating to add notes about its security protections.
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: For more details see https://sourceware.org/annobin/annobin.html/Absence-of-compiled-code.html
...
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: warnings test because sources compiled as if they were assembler are not checked by this test 
Hardened: /usr/lib64/liblzma.so.5.6.0: Overall: FAIL.

If you are looking for more information, please check out Richard W.M. Jones' emails on the Fedora devel list, xz backdoor, xz backdoor



Metadata

  • Type: bugfix
  • Karma: -1
  • Signed
  • Content Type: RPM
  • Test Gating

Autopush Settings

  • Unstable by Karma: -3
  • Stable by Karma: disabled
  • Stable by Time: disabled

Thresholds

  • Minimum Karma: +2
  • Minimum Testing: 14 days

Dates

  • submitted: 10 months ago
  • in testing: 10 months ago
  • modified: 10 months ago
