TrenchBroom / TrenchBroom

Cross-Platform Level Editor

Home Page: kristianduske.com/trenchbroom

[Urgent security issue] [liblzma] port uses compromised version

jonathanlinat opened this issue · comments

@kduske My automated process to build the apps and tools for my Quake Level Design Starter Kit fails for TrenchBroom on Windows.

It happens because of a compromised vcpkg dependency, which is related to a GitHub account that has been terminated. The main reason is the presence of a backdoor.

This will likely happen on your automated pipeline, too.

Here is a possible temporary workaround: microsoft/vcpkg#37839 (comment)

Thanks! I'll look into updating the dependency. Hopefully there will be a proper fix by then. As far as I understand it, the actual issue only affects glibc-based systems, i.e. Linux. I'm not sure if TB using this library actually makes the host vulnerable if it wasn't already, but I don't think so.

If it comes via freeimage -> tiff -> lzma it's unfortunately not a feature that can be disabled. The freeimage port could be vendored and customized though, haven't followed the other dependencies to see if it comes from more places.

Fix for the freeimage port on the way, microsoft/vcpkg#38047

This fix disables tiff support?

I'm not sure either if it is disabling features of tiff or the format all together. I asked on that pull request, waiting for an answer.

Apparently it does not disable, just fix. Here is a link to the reply.
microsoft/vcpkg#38047 (comment)

I don't understand the reply I'm afraid.

Ha, me either, that's why I linked the reply.

Some news.

That means, in theory, the building process of TrenchBroom should work now. Let's try.

Here is the commit responsible for removing the backdoor from the official GitHub repository: tukaani-project/xz@e93e13c

Well... it does not work, unfortunately. But now, the issue is related to the freeimage library.

Ref.: https://github.com/jonathanlinat/quake-leveldesign-starterkit/actions/runs/8592605129/job/23758309982#step:11:789

microsoft/vcpkg#38047 is merged now, so should be possible to just bump vcpkg and tiff no longer depends on lzma.

But as the release artifacts have been restored for xz, doing nothing works fine too.

Yep, verified. Can close this issue now unless you want to tighten up the dependencies a bit. Compiles with no change.

I can confirm that the xz issue is gone. Now, we are facing another one related to freeimage. I'll close this ticket in the meantime. Thank you all for your participation.

Not seeing that issue with upstream TrenchBroom. Builds and runs fine on Windows here via vcpkg.

@kduske Is this what we need to upgrade?

https://github.com/TrenchBroom/TrenchBroom/blob/master/vcpkg-overlay-ports/freeimage/vcpkg.json

I think it enables you to specifically declare which freeimage features you are using, so that e.g. you can avoid pulling in lzma if you aren't using it. Motivated by the (temporary? previous?) broken state of things due to xz being pulled offline.

If xz is back now (without the vulnerability) then maybe this is not something that TB needs to worry with? I'm not up to speed though about whether all the necessary fixes/changes have propagated everywhere yet.
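The two practical questions raised in this thread are "does our build actually pull liblzma in, and through which ports?" (the freeimage -> tiff -> lzma chain mentioned earlier) and "is the liblzma we ended up with one of the compromised builds?". The script below is an added example, not code from the TrenchBroom project or from anyone in this thread. It assumes the dependency graph is read from a vcpkg `installed/vcpkg/status`-style file (dpkg-like stanzas with `Package`, `Version`, `Feature` and `Depends` fields); the stanzas embedded in it are constructed for the example, and the deny-list holds a placeholder version rather than the real advisory's version numbers, which you would fill in from the upstream advisory.

```python
"""Walk a vcpkg dependency graph, report every path from a root port to a
target port (e.g. liblzma) and flag installed versions on a deny-list.

Added example; the sample status stanzas are constructed and the deny-list
version is a placeholder, not the advisory's real version numbers."""
import re

# Constructed sample in the shape of vcpkg's installed/vcpkg/status file.
# Versions and the feature stanza are made up for this example.
SAMPLE_STATUS = """\
Package: freeimage
Version: 3.18.0-constructed
Architecture: x64-windows
Depends: tiff, libpng, zlib
Status: install ok installed

Package: freeimage
Feature: tiff
Architecture: x64-windows
Depends: tiff
Status: install ok installed

Package: tiff
Version: 4.6.0-constructed
Architecture: x64-windows
Depends: zlib:x64-windows, liblzma:x64-windows, libjpeg-turbo
Status: install ok installed

Package: liblzma
Version: BAD-VERSION-PLACEHOLDER
Architecture: x64-windows
Depends:
Status: install ok installed

Package: libpng
Version: 1.6.43-constructed
Depends: zlib
Status: install ok installed

Package: zlib
Version: 1.3.1-constructed
Status: install ok installed

Package: libjpeg-turbo
Version: 3.0.2-constructed
Status: install ok installed
"""

# Placeholder deny-list: port name -> set of versions to refuse.
# Replace with the version list from the upstream advisory.
KNOWN_BAD = {"liblzma": {"BAD-VERSION-PLACEHOLDER"}}


def parse_status(text):
    """Parse dpkg-style stanzas into {port: {"version": str|None, "depends": set}}.
    Feature stanzas (Package + Feature) fold their Depends into the base port."""
    graph = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        name = fields.get("Package")
        if not name:
            continue
        entry = graph.setdefault(name, {"version": None, "depends": set()})
        if "Feature" not in fields:
            entry["version"] = fields.get("Version")
        for dep in fields.get("Depends", "").split(","):
            dep = dep.strip().split(":")[0]  # drop a ":triplet" suffix
            dep = dep.split("[")[0]           # drop "[feature]" qualifiers
            if dep:
                entry["depends"].add(dep)
    return graph


def paths_to(graph, root, target):
    """Return every simple dependency path from root to target ([] if none)."""
    found = []

    def walk(node, trail):
        if node == target:
            found.append(trail)
            return
        for dep in sorted(graph.get(node, {}).get("depends", ())):
            if dep not in trail:  # guard against cycles
                walk(dep, trail + [dep])

    walk(root, [root])
    return found


def flagged_packages(graph, deny):
    """List (port, version) pairs whose installed version is on the deny-list."""
    return sorted((name, entry["version"]) for name, entry in graph.items()
                  if entry["version"] in deny.get(name, ()))


def audit(text, root, target, deny):
    """Combine both checks: how root reaches target, and which ports are denied."""
    graph = parse_status(text)
    paths = paths_to(graph, root, target)
    flagged = flagged_packages(graph, deny)
    return {"paths": paths, "flagged": flagged,
            "exposed": bool(paths) and any(n == target for n, _ in flagged)}


if __name__ == "__main__":
    report = audit(SAMPLE_STATUS, "freeimage", "liblzma", KNOWN_BAD)
    for path in report["paths"]:
        print("dependency path:", " -> ".join(path))
    for name, version in report["flagged"]:
        print(f"denied version installed: {name} {version}")
    print("exposed:", report["exposed"])
```

Run against a real `installed/vcpkg/status` file by swapping `SAMPLE_STATUS` for the file's contents; an empty `paths` list for your root port is the quickest way to confirm that a freeimage feature change (or the tiff port update) really removed lzma from your build, and a non-empty `flagged` list tells you the pinned baseline still resolves to a denied version.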

Thanks Joel.