
xz-utils backdoor (rocker issue, closed, 4 comments)

korrelate-vc commented on June 29, 2024
xz-utils backdoor

from rocker.

Comments (4)

eddelbuettel commented on June 29, 2024

Yes, I'd be happy to rebuild but I just want to clarify that it is a bit of a non-issue. Also rocker/r-base famously becomes r-base (i.e. a core Docker container) and we treat those as immutable.

Maybe with R 4.3.3 coming to end of life a rebuild is fine; on the other hand we are having a bit of trouble right now with testing because of the 64-bit time_t transition which may pull more in than we like from unstable. Come to think about it, that was the case already for the 4.3.3 build so maybe I just rebuild.

Typing from a happy Ubuntu workstation with an updated xz etc (as I am surely running sshd here...) ...


eddelbuettel commented on June 29, 2024

But I presume you are not running sshd (which is how the exploit was aiming to do damage) in that container? If I do an apt update -qqq; apt install -y procps then ps -aux shows nothing is running, as docker is, after all, by default a single process:

root@a90632d4c6ba:/# ps -aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   7216  3840 pts/0    Ss   17:39   0:00 bash
root         236  0.0  0.0  10740  4224 pts/0    R+   17:41   0:00 ps -aux
root@a90632d4c6ba:/# 

(The hostname is AFAIK entirely random so no need to obfuscate / hide in the screenshot. Also textual quotes work great here thanks to markdown and code formatting....)


korrelate-vc commented on June 29, 2024

Thanks for the tips, I don't comment on issues often so I appreciate the feedback. Yes, I am not running sshd (and therefore it's not a risk). I was just checking through my containers with different base images and this was the only one with the vulnerability. Seems like you are aware of the issue, thanks for taking the time to respond :).

All my best,
Kevin


eddelbuettel commented on June 29, 2024

I just rebuilt (and pushed) them (for tags 4.3.3 and latest).

It moves the xz and liblzma{5,-dev} packages from 5.6.0-0.2 to 5.6.1+really5.4.5-1. It should not matter for the container providing R, but it does not hurt and we all sleep better that way.

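A container check in the spirit of what both commenters describe (scanning images for the affected liblzma, and reading the fixed version string correctly), as an added example that is not code from the rocker project or either participant: it classifies a Debian liblzma5 version so that the fixed 5.6.1+really5.4.5-1 is not mistaken for the backdoored upstream 5.6.1, and wraps that in a throwaway docker run query. Assumed: dpkg-based images, docker on PATH, and that only upstream 5.6.0 and 5.6.1 carry the backdoor.

```shell
#!/bin/sh
# Classify a Debian liblzma5 version string as backdoored, clean or unknown.
# Assumption (not from the thread): only upstream 5.6.0 and 5.6.1 are affected.
# Debian's "+really" convention means the upstream actually shipped is the
# version after "+really", e.g. 5.6.1+really5.4.5-1 is really 5.4.5.
lzma_version_status() {
    v="$1"
    # Drop an epoch prefix ("1:") and the Debian revision suffix ("-0.2").
    upstream="${v#*:}"
    upstream="${upstream%%-*}"
    # Resolve "+really": what follows it is the real upstream version.
    case "$upstream" in
        *+really*) upstream="${upstream##*+really}" ;;
    esac
    case "$upstream" in
        5.6.0|5.6.1) echo backdoored ;;
        [0-9]*.[0-9]*) echo clean ;;
        *) echo unknown ;;
    esac
}

# Query liblzma5 inside an image and print "<image> <version> <status>".
# "backdoored" means the library is present; as the thread notes, the known
# trigger path needs sshd, so this is an inventory result, not an exploitability verdict.
check_image() {
    image="$1"
    ver=$(docker run --rm --entrypoint dpkg-query "$image" \
          -W -f '${Version}' liblzma5 2>/dev/null) || ver=""
    printf '%s\tliblzma5 %s\t%s\n' "$image" "${ver:-<not installed>}" \
        "$(lzma_version_status "$ver")"
}

# Usage: sh check-xz.sh rocker/r-base:4.3.3 rocker/r-base:latest ...
for img in "$@"; do
    check_image "$img"
done
```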
