Re: [PATCH 00/11] xz: Updates to license, filters, and compression options

From: Kees Cook
Date: Fri Mar 29 2024 - 15:32:16 EST


On Wed, Mar 20, 2024 at 08:38:33PM +0200, Lasse Collin wrote:
> XZ Embedded, the upstream project, switched from public domain to the
> BSD Zero Clause License (0BSD). Now matching SPDX license identifiers
> can be added.
>
> The new ARM64 and RISC-V filters can be used by Squashfs.
>
> Account for the default threading change made in the xz command line
> tool version 5.6.0. Tweak kernel compression options for archs that
> support XZ compressed kernel.
>
> Documentation was revised. There are minor cleanups too.
>
> Lasse Collin (11):
> MAINTAINERS: Add XZ Embedded maintainers
> LICENSES: Add 0BSD license text
> xz: Switch from public domain to BSD Zero Clause License (0BSD)
> xz: Documentation/staging/xz.rst: Revise thoroughly
> xz: Fix comments and coding style
> xz: Cleanup CRC32 edits from 2018
> xz: Optimize for-loop conditions in the BCJ decoders
> xz: Add ARM64 BCJ filter
> xz: Add RISC-V BCJ filter
> xz: Use 128 MiB dictionary and force single-threaded mode
> xz: Adjust arch-specific options for better kernel compression
>
> Documentation/staging/xz.rst | 130 ++++++++---------------
> LICENSES/deprecated/0BSD | 23 ++++
> MAINTAINERS | 14 +++
> include/linux/decompress/unxz.h | 5 +-
> include/linux/xz.h | 5 +-
> init/Kconfig | 5 +-
> lib/decompress_unxz.c | 39 ++++---
> lib/xz/Kconfig | 13 ++-
> lib/xz/xz_crc32.c | 7 +-
> lib/xz/xz_dec_bcj.c | 183 ++++++++++++++++++++++++++++++--
> lib/xz/xz_dec_lzma2.c | 5 +-
> lib/xz/xz_dec_stream.c | 5 +-
> lib/xz/xz_dec_syms.c | 16 +--
> lib/xz/xz_dec_test.c | 12 +--
> lib/xz/xz_lzma2.h | 5 +-
> lib/xz/xz_private.h | 20 ++--
> lib/xz/xz_stream.h | 7 +-
> scripts/Makefile.lib | 13 ++-
> scripts/xz_wrap.sh | 157 +++++++++++++++++++++++++--
> 19 files changed, 487 insertions(+), 177 deletions(-)
> create mode 100644 LICENSES/deprecated/0BSD

Andrew (and anyone else), please do not take this code right now.

Until the backdooring of upstream xz[1] is fully understood, we should not
accept any code from Jia Tan, Lasse Collin, or any other folks associated
with tukaani.org. It appears the domain, or at least credentials
associated with Jia Tan, have been used to create an obfuscated ssh
server backdoor via the xz upstream releases since at least 5.6.0.
Without extensive analysis, we should not take any associated code.
It may be worth doing some retrospective analysis of past contributions
as well...

Lasse, are you able to comment about what is going on here?

-Kees

[1] https://www.openwall.com/lists/oss-security/2024/03/29/4

--
Kees Cook