CVE-2024-3094 (aka "xz hackdoor") and Fiona wheels #1367
sgillies
announced in
Announcements
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Dear all,
I recommend a read of Even Rouault's analysis of the situation: https://lists.osgeo.org/pipermail/gdal-dev/2024-March/058792.html.
The macOS and Linux wheels on PyPI include xz <= 5.2.2 (we're using this commit of multibuild: https://github.com/multi-build/multibuild/blob/509e63a6d8ab4705a500264d396b0e675798b6fc/library_builders.sh#L26) and do not include libarchive.
The Windows wheels include xz <= 5.4.4 (we're using no commit later than 53bef8994c541b6561884a8395ea35715ece75db) and do not include libarchive.
I've read that vcpkg has not used the xz tarballs and so more recent vcpkg releases with liblzma >= 5.6.0 might be okay. Our multibuild system does build liblzma from xz source releases, but a much older version.
Fiona's own source distributions have always been made on a personal or work computer and include C/C++ source files that are not committed to the GitHub repository. They are generated from Cython .pyx files while the sdists are created by setuptools. Since version 1.9.6 the tarballs are made by running
make dockersdist
and should be reproducible.Beta Was this translation helpful? Give feedback.
All reactions