Saturday, April 6, 2024

Precautionary measures at Manjaro Testing Branch in context of CVE-2024-3094

UPDATE as of 04/19/2024: Current status of the Manjaro Testing branch. KDE Frameworks 6.1.0 and KDE Plasma 6.0.4 arrived on Manjaro Testing Branch.

UPDATE as of 04/09/2024
As of now you might need
$ sudo pacman -Syyu
after updating the mirror list. Another way:
$ sudo pacman -Syy
$ sudo pacman -Syu

Your installation should go through the following phase:

:: Synchronizing package databases...
core                              147.7 KiB   444 KiB/s 00:00 [##################################] 100%
extra                               8.7 MiB  6.76 MiB/s 00:01 [##################################] 100%
multilib                          144.9 KiB   315 KiB/s 00:00 [##################################] 100%
:: Some packages should be upgraded first...
resolving dependencies...
looking for conflicting packages...

Packages (1) archlinux-keyring-20240313-1

Total Download Size:   1.16 MiB
Total Installed Size:  1.66 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] Y

.  .  .  .  .  .  .
:: Starting full system upgrade...
:: Replace baloo5 with extra/baloo? [Y/n] Y
:: Replace breeze with extra/breeze5? [Y/n] Y
:: Replace ksysguard with extra/plasma-systemmonitor? [Y/n] Y
:: Replace kuserfeedback5 with extra/kuserfeedback? [Y/n] Y
:: Replace oxygen with extra/oxygen5? [Y/n] Y
:: Replace plasma-integration with extra/plasma5-integration? [Y/n] Y
:: Replace plasma-wayland-session with extra/plasma-workspace? [Y/n] Y
:: Replace plasma5-themes-breath with extra/plasma6-themes-breath? [Y/n] Y
:: Replace plasma5-themes-breath-migration with extra/plasma6-themes-breath-migration? [Y/n] Y
resolving dependencies...
:: There are 2 providers available for qt6-multimedia-backend:
:: Repository extra
  1) qt6-multimedia-ffmpeg  2) qt6-multimedia-gstreamer

Enter a number (default=1): 1

END UPDATE

Per https://forum.manjaro.org/t/xz-package-contains-a-vulnerability/159028/26 

Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command:

ldd "$(command -v sshd)"

However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.
– Arch Linux - News: The xz package has been backdoored 

On Manjaro Testing I was only able to downgrade (say) to xz-5.4.6-1 and lib32-xz-5.4.6-1.

Running https://github.com/cyclone-github/scripts/blob/main/xz_cve-2... on Manjaro Testing :-

Per https://archlinux.org/news/the-xz-package-has-been-backdoored/

It is strongly advised to do a full system upgrade right away if your system currently has xz version 5.6.0-1 or 5.6.1-1 installed:

$ pacman -Syu

After running the following on Manjaro stable KDE as of 04/06/24:

$ sudo pacman-mirrors --api --set-branch testing

$ sudo pacman-mirrors --fasttrack 5 && sudo pacman -Syu

I obtained:
$ pacman -Ss xz
core/xz 5.6.1-3 [installed]
    Library and command line tools for XZ and LZMA compressed files
extra/pixz 1.0.7-4
    Parallel, indexed xz compressor
multilib/lib32-xz 5.6.1-3 [installed]
    Library and command line tools for XZ and LZMA compressed files (32-bit)
$ pacman -Ss lib32-xz
multilib/lib32-xz 5.6.1-3 [installed]
    Library and command line tools for XZ and LZMA compressed files (32-bit)
Per the link above, version 5.6.1-3 was already fixed. I'd just skipped this notice (5.6.1-2 had already been fixed). See the first paragraph. So there is no need to downgrade xz-5.6.1-3 and lib32-xz-5.6.1-3 on Manjaro Testing.
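The two checks this post leans on, the ldd test quoted from the Arch news and the comparison of the installed xz against the backdoored builds 5.6.0-1 and 5.6.1-1, combined into one script. This is an added example, not code from the post, from Arch or from Manjaro; the pacman -Q and ldd sample strings are constructed, and the liblzma-linked ldd sample is a hypothetical non-Arch layout.

```sh
#!/bin/sh
# Added example (not from the Manjaro post or the Arch news it quotes) for CVE-2024-3094:
#  1) is the installed xz one of the backdoored Arch builds (5.6.0-1, 5.6.1-1)?
#  2) does the sshd binary link liblzma directly (the `ldd` check quoted above)?
# Each check is a function over text, so it also works on saved command output.

# Package versions the Arch advisory names as affected (taken from the page).
BAD_XZ_VERSIONS="5.6.0-1 5.6.1-1"

# xz_version_status "<pkgname> <version>"   (the one-line format of `pacman -Q xz`)
# Prints "backdoored", "not-a-backdoored-build" or "unknown"; always exits 0.
xz_version_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    [ -n "$ver" ] || { echo unknown; return 0; }
    for bad in $BAD_XZ_VERSIONS; do
        [ "$ver" = "$bad" ] && { echo backdoored; return 0; }
    done
    echo not-a-backdoored-build
}

# sshd_links_liblzma "<ldd output>"
# Exit status 0 if any line of the ldd output mentions liblzma, 1 otherwise.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Constructed sample inputs (not captured from a real host) for offline use.
# The second ldd sample imitates a hypothetical distro whose sshd does link liblzma.
SAMPLE_Q_BAD='xz 5.6.1-1'
SAMPLE_Q_FIXED='xz 5.6.1-3'
SAMPLE_LDD_ARCH='    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f00deadbeef)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f00cafef00d)'
SAMPLE_LDD_LINKED="$SAMPLE_LDD_ARCH
    liblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007f00feedface)"

# Live run, only where the tools exist; skipped silently elsewhere.
if command -v pacman >/dev/null 2>&1; then
    for pkg in xz lib32-xz; do
        line=$(pacman -Q "$pkg" 2>/dev/null) || continue
        echo "$pkg: $(xz_version_status "$line")"
    done
fi
if command -v sshd >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
    if sshd_links_liblzma "$(ldd "$(command -v sshd)")"; then
        echo "sshd links liblzma directly: the xz version above matters for sshd"
    else
        echo "sshd does not link liblzma directly (as the Arch news states)"
    fi
fi
```

On a machine without pacman or sshd the script only defines the functions and exits quietly; on Manjaro it reports both xz packages and the sshd linkage.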

The most recent version of xz released for Arch Linux