unpushed

perl-Compress-Raw-Lzma-2.209-4.fc40 and xz-5.6.0-3.fc40

FEDORA-2024-f5033032b8 created by rjones a month ago for Fedora 40

--disable-ifunc (workaround for 2267598)


This update provides the latest version of xz, and a dependent rebuild of perl-Compress-Raw-Lzma that is required to go with it.


Automatic update for xz-5.6.0-1.fc40.

This update has been submitted for testing by rjones.

a month ago

This update's test gating status has been changed to 'waiting'.

a month ago

This update's test gating status has been changed to 'waiting'.

a month ago

This update's test gating status has been changed to 'failed'.

a month ago

adamwill edited this update.

New build(s):

  • perl-Compress-Raw-Lzma-2.209-4.fc40

Karma has been reset.

a month ago

This update has obsoleted perl-Compress-Raw-Lzma-2.209-3.fc40, and has inherited its bugs and notes.

a month ago

This update's test gating status has been changed to 'waiting'.

a month ago

This update's test gating status has been changed to 'passed'.

a month ago

This update has been pushed to testing.

a month ago

This update's test gating status has been changed to 'failed'.

a month ago

This update's test gating status has been changed to 'waiting'.

a month ago

This update's test gating status has been changed to 'failed'.

a month ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

3 weeks ago

This update has been unpushed.

cheimes commented & provided feedback 3 weeks ago

I have been looking at the xz builds for Fedora to see whether my test containers are affected by CVE-2024-3094. It looks like annocheck from static analysis checker has detected the attack, e.g. build xz-5.6.0-2.fc40 has failed tests:

Command: annocheck --ignore-unknown --verbose --profile=rawhide /usr/lib64/liblzma.so.5.6.0
Exit Code: 1
...
Hardened: /usr/lib64/liblzma.so.5.6.0: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags 
Hardened: /usr/lib64/liblzma.so.5.6.0: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: dynamic-tags test because AArch64 specific 
Hardened: /usr/lib64/liblzma.so.5.6.0: PASS: fast test 
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: fortify test because sources compiled as if they were assembler are not checked by this test 
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: If real assembler source code is used it may need updating to support the tested feature
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN:  and it definitely needs updating to add notes about its security protections.
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: For more details see https://sourceware.org/annobin/annobin.html/Absence-of-compiled-code.html
...
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: warnings test because sources compiled as if they were assembler are not checked by this test 
Hardened: /usr/lib64/liblzma.so.5.6.0: Overall: FAIL.

If you are looking for more information, please check out Richard W.M. Jones' emails on the Fedora devel list, xz backdoor, xz backdoor
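
Added example, not part of the comment above or of annobin itself: a small Python parser for verbose annocheck output in the shape quoted in the comment, grouping verdicts per file so a gating job can surface both failed tests and tests that were skipped, with their reasons. The names `summarize` and `gate` are hypothetical, and the line format is assumed to match the quoted lines.

```python
import re

# Line shape assumed from the annocheck output quoted above:
#   Hardened: <file>: <STATUS>: <name> test [because <reason>]
LINE_RE = re.compile(r"^Hardened: (?P<path>\S+): (?P<status>[A-Za-z]+): *(?P<rest>.*?)\s*$")
TEST_RE = re.compile(r"^(?P<name>\S+) test(?: because (?P<why>.*))?$")

# Sample input: lines copied from the quoted output, including a "..." elision.
SAMPLE = """\
Hardened: /usr/lib64/liblzma.so.5.6.0: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags
Hardened: /usr/lib64/liblzma.so.5.6.0: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: dynamic-tags test because AArch64 specific
Hardened: /usr/lib64/liblzma.so.5.6.0: PASS: fast test
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: fortify test because sources compiled as if they were assembler are not checked by this test
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: If real assembler source code is used it may need updating to support the tested feature
...
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: warnings test because sources compiled as if they were assembler are not checked by this test
Hardened: /usr/lib64/liblzma.so.5.6.0: Overall: FAIL.
"""

def summarize(output):
    """Group annocheck 'Hardened:' lines by file and return {path: summary}."""
    report = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # elided ("...") or unrelated lines
        entry = report.setdefault(
            m["path"], {"overall": None, "failed": {}, "skipped": {}, "passed": []})
        if m["status"] == "Overall":
            entry["overall"] = m["rest"].rstrip(".")
            continue
        t = TEST_RE.match(m["rest"])
        if not t:
            continue  # WARN/info text that is not a per-test verdict
        if m["status"] == "FAIL":
            entry["failed"][t["name"]] = t["why"] or ""
        elif m["status"] == "skip":
            entry["skipped"][t["name"]] = t["why"] or ""  # coverage the tool did not check
        elif m["status"] == "PASS":
            entry["passed"].append(t["name"])
    return report

def gate(report):
    """Files a gating job should block: overall FAIL or any failed test."""
    return sorted(p for p, e in report.items() if e["overall"] == "FAIL" or e["failed"])
```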



Metadata
Type: bugfix
Karma: -1
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled

Dates
submitted: a month ago
in testing: a month ago
modified: a month ago
