[Devel-en] Compressing man pages with gzip instead of xz?
Giovanni Mariani
mc2374 at mclink.it
Sat Mar 30 17:26:16 MSK 2024
On 30/03/24 13:01, Mikhail Novosyolov wrote:
> Hello everyone.
>
> Probably most of you have already heard about a backdoor added into xz:
>
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> https://www.opennet.ru/opennews/art.shtml?num=60877
>
> https://www.opennet.ru/opennews/art.shtml?num=60880
>
> https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
>
> ROSA Linux has been compressing /usr/share/man/man*/* with xz for ages. Compression is done automatically by spec-helper after the %install stage. Some other distros use gzip (*.gz).
>
> I do not know about any big advantages of xz for man pages over gzip, but know about a rather big problem that exists with xz:
>
> https://gitlab.com/man-db/man-db/-/issues/4
>
> man-db (/usr/bin/man is from man-db) by default uses seccomp-based isolation when decompressing and parsing manual pages. Isolation makes sense, to my mind, because a vulnerability may exist in the interpreter of man pages.
>
> mandb uses gzip as a library for decompressing *.gz man pages, but cannot use liblzma (xz library) and calls /usr/bin/xz for decompression. This makes generating the mandb cache VERY slow and VERY I/O intensive, it made building ISO images on ABF nearly impossible. I had to disable isolation by default for man-db being run from RPM file triggers: https://abf.io/import/man-db/commit/4908043777080c512fb001da80c9e47081fd5834
>
> Now we have the following situation:
>
> 1) the xz/lzma library has become not trusted (thanks to gvm@ for trying to quickly remove the backdoor in https://abf.io/import/xz/commits/rosa2023.1 , but we cannot be sure that there are no other backdoors)
>
> 2) xz saves some disk space, but do we really care about a few megabytes in the installed system?
>
> 3) man-db works much faster with gzip than with xz, with and without isolation
>
> So, my question is: does anybody see any real advantage of xz in mans?
From my POV, none...
Perhaps it is possible to simply switch to zstd as we already do for the kernel modules?
BTW, do we have other stuff depending upon xz/lzma?
It should be safer to avoid them entirely...
GvM
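One way to carry out the switch the thread discusses, as an added example that is not ROSA's spec-helper or man-db code: recompress a man tree from .xz to .gz using Python's standard-library lzma and gzip modules, verifying each page reads back byte-identical before the xz original is removed, and re-pointing symlinked aliases so they do not dangle. The man*/*.xz layout, the sample page and the temporary tree in demo() are constructed assumptions.

```python
import gzip
import lzma
import os
import tempfile
from pathlib import Path

def recompress_man_page(src: Path) -> Path:
    """Turn one foo.1.xz into foo.1.gz and return the new path. Symlinked aliases
    (bar.1.xz -> foo.1.xz) are re-pointed at the .gz name; a real file is only
    deleted after the gzip copy has been read back and compared byte-for-byte."""
    if src.suffix != ".xz":
        raise ValueError(f"not an xz-compressed page: {src}")
    dst = src.with_suffix(".gz")
    if src.is_symlink():
        target = Path(os.readlink(src))
        src.unlink()
        os.symlink(str(target.with_suffix(".gz")), dst)
        return dst
    with lzma.open(src, "rb") as f:  # decompress in-process, no /usr/bin/xz subprocess
        data = f.read()
    tmp = dst.with_name(dst.name + ".tmp")
    with gzip.open(tmp, "wb", compresslevel=9) as f:
        f.write(data)
    with gzip.open(tmp, "rb") as f:
        if f.read() != data:
            tmp.unlink()
            raise OSError(f"gzip round-trip mismatch for {src}")
    os.replace(tmp, dst)  # atomic rename, then drop the xz original
    src.unlink()
    return dst

def recompress_man_tree(root: Path) -> int:
    """Convert every man*/*.xz under root (symlinks first, while targets still exist)."""
    pages = sorted(root.glob("man*/*.xz"), key=lambda p: not p.is_symlink())
    for page in pages:
        recompress_man_page(page)
    return len(pages)

def demo() -> dict:
    """Constructed sample tree (an assumption, not a real package): one page plus an alias."""
    root = Path(tempfile.mkdtemp())
    (root / "man1").mkdir()
    text = b".TH FOO 1\n.SH NAME\nfoo \\- constructed sample page\n"
    with lzma.open(root / "man1" / "foo.1.xz", "wb") as f:
        f.write(text)
    os.symlink("foo.1.xz", root / "man1" / "bar.1.xz")
    converted = recompress_man_tree(root)
    with gzip.open(root / "man1" / "bar.1.gz", "rb") as f:  # follows the re-pointed link
        alias = f.read()
    return {"converted": converted, "alias_matches": alias == text,
            "xz_left": len(list(root.glob("man*/*.xz")))}
```

Run recompress_man_tree(Path("/usr/share/man")) on a staging root (for example the buildroot after %install) rather than a live system, and regenerate the mandb cache afterwards.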