Possible vulnerability


Is GL affected by this vulnerability?

xz isn't installed by default, so no issue with default devices out of factory.

But maybe @Bruce can clarify about the GL repos.

This is related to the build tools.

Though it was fixed really fast inside OpenWrt itself, and now there is a newer xz, I believe, without the backdoor.

So I guess it's not there anymore, though I cannot speak for GL-iNet. It requires either bumping the hash of xz to a newer version, or deleting tmp/ for them to redownload it; I suspect this likely happened automatically when they built for OpenWrt 24.

As the developer said in the OpenWRT forum thread at your attached URL, and as our R&D confirmed by checking the GL firmware build tools (makefile), xz does not affect OpenWRT, and it does not affect GL either, as the tar package of the GL build tools always syncs with OpenWRT.

This includes GL with or without OpenWRT 24: not affected.

