What I need to do for my system for the vulnerability

So I checked whether we Silverblue users are affected with some extremely horrible bash. I am not proud of it, there is probably a much easier way to do this, but it works. Anyway, learned some useful commands.

# Pull last 60 commits of Fedora Silverblue version 40
# This goes back to 13 Feb 2024
sudo ostree pull --commit-metadata-only --depth 60 fedora:fedora/40/x86_64/silverblue

# Get all commits, and loop over them
ostree log fedora:fedora/40/x86_64/silverblue | grep '^commit ' | grep -v 'not fetched' | while read -r line; do
    # Get commit id (second field of the "commit <id>" line)
    commit=$(echo "$line" | awk '{print $2}')

    # rpm-ostree db list prints all versions, grab the xz version
    rpm-ostree db list "$commit" | grep 'xz'
# The dot is escaped so that only a literal "5.6" matches
done | grep -q '5\.6' && echo "we're screwed" || echo "we're good"
# Output: we're good

So you’re good. If you’re on Silverblue 40 testing though, that is a different story:

sudo ostree pull --commit-metadata-only --depth 20 fedora:fedora/40/x86_64/testing/silverblue
ostree log fedora:fedora/40/x86_64/testing/silverblue | grep '^commit ' | grep -v 'not fetched' | while read -r line; do
    rpm-ostree db list "$(echo "$line" | awk '{print $2}')" | grep 'xz'
done | grep -q '5\.6' && echo "testing is screwed" || echo "we're good"
# Output: testing is screwed

Edit: testing does have the 5.6 version but might not be vulnerable. See the other discussion.

4 Likes
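The check in the post above, as an added example that is not part of the original post: it splits each package entry into name and version, so only `xz` and `xz-libs` from the 5.6 series are reported, together with the commit that carries them. The function names, the sample commit ids and package lists are constructed, and the `rpm-ostree db list` output layout (an `ostree commit:` header followed by one name-version-release.arch entry per line) is an assumption.

```shell
#!/bin/sh
# Added example: report which commits carry an xz package from the 5.6 series.
# Input on stdin: concatenated output of `rpm-ostree db list <commit>`.
# Assumed layout: a header "ostree commit: <id> ..." followed by one
# name-version-release.arch entry per line.
find_xz_56() {
    awk '
        /^ostree commit:/ { commit = $3; next }
        {
            # Split the entry on "-": the last piece is release.arch,
            # the one before it is the version, the rest is the name.
            n = split($1, part, "-")
            if (n < 3) next
            version = part[n - 1]
            name = part[1]
            for (i = 2; i <= n - 2; i++) name = name "-" part[i]
            # Exact name match keeps pxz, xz-java etc. out of the result.
            if ((name == "xz" || name == "xz-libs") && version ~ /^5\.6(\.|$)/)
                print commit, name, version
        }
    '
}

# Constructed sample input (commit ids and package lists are made up).
sample_db_list() {
    cat <<'EOF'
ostree commit: aaaa1111 (constructed)
 bash-5.2.26-3.fc40.x86_64
 pxz-4.999.9-5.6.fc40.x86_64
 xz-5.4.6-3.fc40.x86_64
 xz-libs-5.4.6-3.fc40.x86_64
ostree commit: bbbb2222 (constructed)
 xz-5.6.0-2.fc40.x86_64
 xz-libs-5.6.0-2.fc40.x86_64
 xz-java-1.9-8.fc40.noarch
EOF
}

sample_db_list | find_xz_56
```

On a real system the input would come from the loop in the post, for example `rpm-ostree db list "$commit" | find_xz_56`; an empty result means no listed commit ships xz 5.6.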