Saturday, April 6, 2024
Precautionary measures at Manjaro Testing Branch in context of CVE-2024-3094
UPDATE as of 04/19/2024: current status of Manjaro Testing
Your installation should go through the following phase:
core 147.7 KiB 444 KiB/s 00:00 [##################################] 100%
extra 8.7 MiB 6.76 MiB/s 00:01 [##################################] 100%
multilib 144.9 KiB 315 KiB/s 00:00 [##################################] 100%
:: Some packages should be upgraded first...
resolving dependencies...
looking for conflicting packages...
Packages (1) archlinux-keyring-20240313-1
Total Download Size: 1.16 MiB
Total Installed Size: 1.66 MiB
Net Upgrade Size: 0.00 MiB
:: Proceed with installation? [Y/n] Y
. . . . . . .
:: Replace baloo5 with extra/baloo? [Y/n] Y
:: Replace breeze with extra/breeze5? [Y/n] Y
:: Replace ksysguard with extra/plasma-systemmonitor? [Y/n] Y
:: Replace kuserfeedback5 with extra/kuserfeedback? [Y/n] Y
:: Replace oxygen with extra/oxygen5? [Y/n] Y
:: Replace plasma-integration with extra/plasma5-integration? [Y/n] Y
:: Replace plasma-wayland-session with extra/plasma-workspace? [Y/n] Y
:: Replace plasma5-themes-breath with extra/plasma6-themes-breath? [Y/n] Y
:: Replace plasma5-themes-breath-migration with extra/plasma6-themes-breath-migration? [Y/n] Y
resolving dependencies...
:: There are 2 providers available for qt6-multimedia-backend:
:: Repository extra
1) qt6-multimedia-ffmpeg 2) qt6-multimedia-gstreamer
Enter a number (default=1): 1
END UPDATE
Per https://forum.manjaro.org/t/xz-package-contains-a-vulnerability/159028/26
Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command:
ldd "$(command -v sshd)"
However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.
– Arch Linux - News: The xz package has been backdoored
On Manjaro Testing I was able only to downgrade (say) to xz-5.4.6-1 and lib32-xz-5.4.6-1.
Running https://github.com/cyclone-github/scripts/blob/main/xz_cve-2... on Manjaro Testing:
Per https://archlinux.org/news/the-xz-package-has-been-backdoored/
It is strongly advised to do a full system upgrade right away if your system currently has xz version 5.6.0-1 or 5.6.1-1 installed:
$ pacman -Syu
After running the following on Manjaro stable KDE as of 04/06/24:
$ sudo pacman-mirrors --api --set-branch testing
$ sudo pacman-mirrors --fasttrack 5 && sudo pacman -Syu
I obtained:
$ pacman -Ss xz
core/xz 5.6.1-3 [installed]
Library and command line tools for XZ and LZMA compressed files
extra/pixz 1.0.7-4
Parallel, indexed xz compressor
multilib/lib32-xz 5.6.1-3 [installed]
Library and command line tools for XZ and LZMA compressed files (32-bit)
$ pacman -Ss lib32-xz
multilib/lib32-xz 5.6.1-3 [installed]
Library and command line tools for XZ and LZMA compressed files (32-bit)
Per the link above, version 5.6.1-3 was already fixed. I'd just skipped this notice (5.6.1-2 had already been fixed). See the first paragraph. So there is no need to downgrade xz-5.6.1-3 and lib32-xz-5.6.1-3 on Manjaro Testing.
The most recent version of xz released for Arch Linux
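As an added example (not part of this post, nor Arch's or Manjaro's own tooling), here is a small shell script that applies the two checks discussed above: it classifies the installed xz and lib32-xz versions according to the Arch advisory quoted earlier, and runs the ldd test for sshd. The sample pacman and ldd outputs are constructed, and the function names and the --live flag are my own.

```bash
#!/bin/sh
# Added example (not from the post, Arch or Manjaro): classify the installed
# xz/lib32-xz versions against CVE-2024-3094 and check whether sshd links
# liblzma. Version rule follows the Arch news quoted in the post: 5.6.0-1 and
# 5.6.1-1 are backdoored, 5.6.1-2 and later carry the fix.

# xz_status <pkgver-pkgrel> : prints backdoored, fixed or not-affected
xz_status() {
    case "$1" in
        5.6.0-1|5.6.1-1) echo backdoored ;;
        5.6.1-*)         echo fixed ;;         # 5.6.1-2, 5.6.1-3 on the page
        *)               echo not-affected ;;  # e.g. the 5.4.6-1 downgrade target
    esac
}

# pkg_version <name> <pacman -Q output> : version of one package, if present
pkg_version() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $2 }'
}

# sshd_links_liblzma <ldd output> : succeeds if liblzma is in the link map
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample data, not captured from a real host
SAMPLE_PACMAN_Q='glibc 2.39-1
xz 5.6.1-3
lib32-xz 5.6.1-3'
SAMPLE_LDD_ARCH='    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x0)
    libc.so.6 => /usr/lib/libc.so.6 (0x0)'
SAMPLE_LDD_DEBIAN='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0)'

# Live audit for an Arch/Manjaro host; only runs when invoked with --live
audit_live() {
    q=$(pacman -Q xz lib32-xz 2>/dev/null)
    for p in xz lib32-xz; do
        v=$(pkg_version "$p" "$q")
        [ -n "$v" ] && echo "$p $v: $(xz_status "$v")"
    done
    if sshd_links_liblzma "$(ldd "$(command -v sshd)" 2>/dev/null)"; then
        echo "sshd links liblzma: the sshd vector described in the advisory applies"
    else
        echo "sshd does not link liblzma (as Arch notes); upgrade xz anyway"
    fi
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it with --live on the host to audit; without the flag it only defines the functions, so the version and ldd logic can be exercised against captured output from elsewhere.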