Fallout from the XZ issue, a question to our users

Hi,

so in the fallout of the XZ issue we are looking at using liblzma (and XZ) as little as possible in the OS (due to the “how much can we trust” issue). One place where this rubs a bit is in rpm (and rpm2cpio specifically). RPM has supported (and for us at least, defaulted to) using zstd for some time now, but there are still RPM files out there that are XZ compressed. The one we know about is the official Google Chrome browser RPM.

So on the one hand we’d like to not use xz/liblzma for RPM, but on the other hand it might impact folks who use rpm2cpio to install the Chrome browser…

So two questions

  1. Is anyone using the Chrome browser this way?
  2. What would you do if you were us? Take out xz/liblzma for peace of mind, or keep compatibility with the Google Chrome RPMs?

(and we sure hope Google changes their compression away from XZ… even zlib would be better at this point)

I use Google Chrome, installed via rpm2cpio. I also have Chromium Browser installed similarly. Ditto, VSCodium installed via rpm.

Bah… This is horrible. I’m at a cross point with Clear Linux.

  1. Recent GNOME 46 (gnome-terminal specifically) does not work reliably on Xorg. Terminal input has a 1 second lapse, randomly. This caused me to roll back to 41270.
  2. The NVIDIA driver has not reached reliability on Wayland (particularly Xwayland). Supposedly, that may not happen until NVIDIA releases version 555.
  3. Now this xz problem.

Checking to see how much further to roll back for older xz 5.4.y, e.g. Clear 41210. The problem is that there were many broken Clear releases and I’m unsure which one to roll back to. This is until the NVIDIA 555 driver. Perhaps Wayland/Xwayland will work better.

Fedora 39 and 38 users were not impacted e.g. xz-5.4.x.

OK, sounds like we need to keep xz/lzma in RPM – no problem, this is why I asked :slight_smile:

1 Like

I guess everyone has their own use cases. For mine, it would be no issue to get rid of it at all.
Also, I think it (XZ) will disappear in no time anyway. Look how fast X11 is disappearing everywhere :thinking:

I can just say that Clear Linux did not cause any of these issues you mentioned.

For Google Chrome and VSCode… Did you consider Flatpak?

1 Like

I don’t know what rpm2cpio is, but I install my RPM packages using:

rpm -U --nodeps nameofpackage.rpm

And everything works perfectly fine (Microsoft Edge, VSCode, Zoom…) no need to use flatpak.

So… I don’t know if I will be affected by this?

Personally, I use Flatpak; it works perfectly:

 flatpak install -y flathub com.google.Chrome;
 flatpak install -y flathub org.chromium.Chromium;
 flatpak install -y flathub com.github.Eloston.UngoogledChromium;

I also install these extensions on the first 2 browsers without any problems.

https://chromewebstore.google.com/detail/adblock-plus-bloqueur-de/cfhdojbkjhnklbpkdaibdccddilifddb 
https://chromewebstore.google.com/detail/adblock-pour-youtube-outi/annjejmdobkjaneeafkbpipgohafpcom 
https://chromewebstore.google.com/detail/adblock-pour-youtube/cmedhionkhpnakcndndgjdbohmhepckk 
https://chromewebstore.google.com/detail/video-downloadhelper/lmjnegcaeklhafolokijcfjliaokphfk 
https://chromewebstore.google.com/detail/tubeblock-adblock-for-you/mkdijghjjdkfpohnmmoicikpkjodcmio 
https://chromewebstore.google.com/detail/adblock-pour-youtube-outi/lagdcjmbchphhndlbpfajelapcodekll?hl=fr&utm_source=ext_sidebar
https://chromewebstore.google.com/detail/read-aloud-a-text-to-spee/hdhinadidafjejdhmfkjgnolgimiaplp?hl=fr&utm_source=ext_sidebar 
2 Likes

probably rpm is equally impacted IF the source of the RPMs uses XZ and not gzip or zstd encoding
(RPM files can be in any of those)

however given the feedback here we’ll keep xz(lzma) support in RPM (at least until the ecosystem of these rpms changes over)

2 Likes
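Whether a given RPM drags liblzma into rpm2cpio depends only on the compressor recorded in the package header (the RPMTAG_PAYLOADCOMPRESSOR string, tag 1125), which is what rpm2cpio reads to pick a decompressor. The following is an added example, not code from this thread or from the rpm project: a small standalone parser that walks the RPM lead, the signature header and the main header and reports that tag, plus a constructed fake-RPM builder so it can be exercised offline. The header layout constants follow the documented RPM file format; the two sample packages are constructed here and do not represent any real RPM, and treating a missing tag as gzip mirrors rpm's own fallback.

```python
import struct

# Constants from the RPM file format (lead magic, header magic, tag numbers).
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96
RPM_STRING_TYPE = 6
RPMTAG_NAME = 1000
RPMTAG_PAYLOADCOMPRESSOR = 1125


def read_header(buf, offset):
    """Parse one header section (signature or main) at offset.

    Returns ({tag: string_value}, offset_just_past_the_section).
    Only STRING entries are decoded; that is all this check needs.
    """
    if buf[offset:offset + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % offset)
    nindex, hsize = struct.unpack(">II", buf[offset + 8:offset + 16])
    index_start = offset + 16
    data_start = index_start + 16 * nindex
    data_end = data_start + hsize
    if data_end > len(buf):
        raise ValueError("truncated header")
    entries = {}
    for i in range(nindex):
        pos = index_start + 16 * i
        tag, typ, off, _count = struct.unpack(">IIII", buf[pos:pos + 16])
        if typ == RPM_STRING_TYPE:
            start = data_start + off
            end = buf.index(b"\0", start, data_end)  # NUL-terminated string
            entries[tag] = buf[start:end].decode("utf-8", "replace")
    return entries, data_end


def payload_compressor(buf):
    """Return the payload compressor name stored in an RPM image."""
    if len(buf) < LEAD_SIZE or buf[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM file")
    _sig, end = read_header(buf, LEAD_SIZE)
    end += -end % 8  # the signature header is padded to an 8-byte boundary
    hdr, _ = read_header(buf, end)
    # Packages without the tag are gzip-compressed; rpm assumes the same.
    return hdr.get(RPMTAG_PAYLOADCOMPRESSOR, "gzip")


def needs_liblzma(buf):
    """True if unpacking this package's payload requires xz/liblzma."""
    return payload_compressor(buf) in ("xz", "lzma")


# --- constructed sample packages (not real RPMs) --------------------------

def build_header(entries):
    """Serialise {tag: bytes} as a header section of STRING entries."""
    index = b""
    data = b""
    for tag, value in entries.items():
        index += struct.pack(">IIII", tag, RPM_STRING_TYPE, len(data), 1)
        data += value + b"\0"
    return (HEADER_MAGIC + b"\0" * 4
            + struct.pack(">II", len(entries), len(data)) + index + data)


def build_fake_rpm(name, compressor):
    """Build just enough of an RPM image for payload_compressor() to parse."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + name.ljust(66, "\0").encode()[:66]
            + struct.pack(">HH", 1, 5) + b"\0" * 16)
    assert len(lead) == LEAD_SIZE
    sig = build_header({1000: b"constructed-signature-placeholder"})
    sig += b"\0" * (-len(sig) % 8)
    hdr = build_header({RPMTAG_NAME: name.encode(),
                        RPMTAG_PAYLOADCOMPRESSOR: compressor.encode()})
    return lead + sig + hdr + b"payload bytes are not modelled here"


if __name__ == "__main__":
    for pkg_name, comp in (("xz-packaged-browser", "xz"), ("zstd-packaged-tool", "zstd")):
        image = build_fake_rpm(pkg_name, comp)
        print(pkg_name, payload_compressor(image), "needs liblzma:", needs_liblzma(image))
```

On a real file, `payload_compressor(open(path, "rb").read())` gives the same answer as `rpm -qp --queryformat '%{PAYLOADCOMPRESSOR}\n' file.rpm`, so an installed rpm can be used instead of the parser when one is available; the parser is useful when you want to audit a directory of downloaded RPMs without invoking rpm (and hence liblzma) at all.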

Is tar affected? I know that I use the --xz option with tar for compression.
I am on Clear Linux build version:
swupd info
Distribution: Clear Linux OS
Installed version: 41370
Version URL: https://cdn.download.clearlinux.org/update
Content URL: https://cdn.download.clearlinux.org/update

xz --version
xz (XZ Utils) 5.4.6
liblzma 5.4.6

I vote to keep using/supporting xz and monitor or force the distributors of the xz libraries to remove the malicious code found in the libraries.

Question for the Clear team - as I understand it, the vulnerability was introduced in the tarball and not the Git repo. Do we pull from the repo or from the tarball?

so we have/had a policy of using the tarball, not the git tar, because the tarball was cryptographically signed by “the maintainer” and we automatically verify the signatures etc…
(now of course the problem was … the official (but new) maintainer)

so yeah you can assume we’ll go analyze if we need to change our policy here

1 Like