Hacker News | Phenylacetyl's comments

The Alpine patch includes gettext-dev, which is likely also exploited, as the same authors have been pushing gettext to projects where their changes have been questioned.


What do you mean?


Look at the newest commits, do you see anything suspicious:

https://git.alpinelinux.org/aports/log/main/gettext

libunistring could also be affected as that has also been pushed there


Seeing so many commits that are "skip failing test" is a very strong code smell.


Yes, but it is often a sad reality of trying to run projects mainly written for glibc on musl. Not many people write portable C these days.


It's still the wrong way to go about things. Tests are there for a reason, meaning if they fail you should try to understand them to the point where you can fix the problem (broken test or actual bug) instead of just wantonly disabling tests until you get a green light.


> do you see anything suspicious

No.

> libunistring could also be affected as that has also been pushed there

What do you mean by "that"?



Are you referencing the '-unsafe' suffix in the second link? That is not something to worry about.

This is from Gnulib, which is used by Gettext and other GNU projects. Using 'setlocale (0, NULL)' is not thread-safe on all platforms. Gnulib has modules to work around this, but not all projects want the extra locking. Hence the name '-unsafe'. :)

See: https://lists.gnu.org/archive/html/bug-gnulib/2024-02/msg001...
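As an illustration of the thread-safety point in the comment above, here is an added C example (not code from Gnulib, Gettext or this thread) that puts the unsafe "hand back the library's pointer" pattern next to a locked copy-out pattern in the spirit of Gnulib's thread-safe variant. The lock, the helper names and the buffer size are assumptions of the example; the comment's `setlocale (0, NULL)` is written here with the `LC_ALL` macro.

```c
#include <locale.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* One process-wide lock serialising every setlocale() call made through the
   helpers below (assumed name). Without it, the pointer returned by
   setlocale(cat, NULL) may refer to a static buffer that another thread's
   setlocale() is about to overwrite or free. */
static pthread_mutex_t locale_lock = PTHREAD_MUTEX_INITIALIZER;

/* Unsafe pattern: return the library's internal pointer. It is only valid
   until the next setlocale() anywhere in the process, so a second thread
   calling setlocale() can invalidate it while the caller still reads it. */
const char *locale_name_unsafe(int category)
{
    return setlocale(category, NULL);
}

/* Safer pattern (assumed name, modelled on the idea behind Gnulib's
   thread-safe variant): query under the lock and copy the name into a
   caller-owned buffer before releasing it. Returns 0 on success, -1 if
   setlocale() failed or the name did not fit. */
int locale_name_copy(int category, char *buf, size_t bufsize)
{
    int rc = -1;
    pthread_mutex_lock(&locale_lock);
    const char *name = setlocale(category, NULL);
    if (name != NULL && strlen(name) < bufsize) {
        memcpy(buf, name, strlen(name) + 1);
        rc = 0;
    }
    pthread_mutex_unlock(&locale_lock);
    return rc;
}

/* Changing the locale goes through the same lock so query and change never race. */
int locale_set_locked(int category, const char *name)
{
    pthread_mutex_lock(&locale_lock);
    const char *r = setlocale(category, name);
    pthread_mutex_unlock(&locale_lock);
    return r != NULL ? 0 : -1;
}

/* Convenience check used by the demo: 1 if the current locale name for
   'category' equals 'expected', 0 otherwise. */
int locale_name_is(int category, const char *expected)
{
    char buf[128];
    if (locale_name_copy(category, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[128];
    /* At program start the locale is "C" on every conforming implementation. */
    if (locale_name_copy(LC_ALL, buf, sizeof buf) == 0)
        printf("current locale: %s\n", buf);
    return 0;
}
```

The point of the copy-out shape is that the caller never holds a pointer into libc's locale state after the lock is dropped, which is exactly the guarantee the comment says the `-unsafe` module does not make.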


They may be right: https://git.alpinelinux.org/aports/log/main/gettext

Timeline matches and there is a sudden switch of maintainer. And they add a dependency on xz!


psykose was a prolific contributor to Alpine's aports, with thousands of commits over the past few years[0]. So, I doubt they're involved.

[0]: https://git.alpinelinux.org/aports/stats/?period=y&ofs=10


JiaT75 was also a prolific contributor to xz over the past few years, so your assumptions are generally invalid at this point.


The same authors have also contributed to Zstd


Details please? I do not see any such contributions to https://github.com/facebook/zstd


They are probably getting confused.

Jia had a zstd fork on github, but when things kicked off, it appears they may have sanitized the fork.

