From nobody Thu Apr 4 05:49:56 2024
Date: Thu, 4 Apr 2024 07:49:56 +0200
From: FreeBSD User
To: FreeBSD CURRENT, freebsd-security@freebsd.org
Subject: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
Message-ID: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hello,

I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094

FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me to judge whether the described exploit mechanism also works on FreeBSD.
RedHat already sent out a warning, the workaround is to move back towards an older variant.

I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private), so I would like to welcome any comment on that.

Thanks in advance,

O. Hartmann

-- 
O. Hartmann

From nobody Thu Apr 4 06:14:52 2024
Date: Thu, 4 Apr 2024 01:14:52 -0500
From: Kyle Evans
To: FreeBSD User, FreeBSD CURRENT, freebsd-security@freebsd.org
Subject: Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
In-Reply-To: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>

On 4/4/24 00:49, FreeBSD User wrote:
> Hello,
>
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
>
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me to judge whether the described exploit mechanism also works on FreeBSD.
> RedHat already sent out a warning, the workaround is to move back towards an older variant.
>
> I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private), so I would like to welcome any comment on that.
>
> Thanks in advance,
>
> O. Hartmann

See so@'s answer from a couple days ago:

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

TL;DR no

Thanks,

Kyle Evans

From nobody Thu Apr 4 06:56:28 2024
Date: Thu, 04 Apr 2024 08:56:28 +0200
From: "Ben C. O. Grimm"
To: FreeBSD User, FreeBSD CURRENT
Subject: Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
Message-ID: <18ea7b425a8.2892.b36d34a15fda208b80f54b6ad54d9e04@freebsd.org>
In-Reply-To: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>

On April 4, 2024 07:50:55 FreeBSD User wrote:
> Hello,
>
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
>
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me to judge whether the described exploit mechanism also works on FreeBSD.
> RedHat already sent out a warning, the workaround is to move back towards an older variant.
>
> I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private), so I would like to welcome any comment on that.
>
> Thanks in advance,
>
> O. Hartmann
>
> --
> O. Hartmann

As noted on freebsd-security last Friday:

FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases.

All supported FreeBSD releases include versions of xz that predate the affected releases.

The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.

From nobody Sat Apr 6 07:23:49 2024
Date: Sat, 6 Apr 2024 09:23:49 +0200
From: FreeBSD User
To: Kyle Evans
Cc: FreeBSD CURRENT, freebsd-security@freebsd.org
Subject: Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
Message-ID: <20240406092416.046598fb@thor.intern.walstatt.dynvpn.de>
References: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>

On Thu, 4 Apr 2024 01:14:52 -0500, Kyle Evans wrote:

> On 4/4/24 00:49, FreeBSD User wrote:
> > Hello,
> >
> > I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
> >
> > FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me to judge whether the described exploit mechanism also works on FreeBSD.
> > RedHat already sent out a warning, the workaround is to move back towards an older variant.
> >
> > I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private), so I would like to welcome any comment on that.
> >
> > Thanks in advance,
> >
> > O. Hartmann
>
> See so@'s answer from a couple days ago:
>
> https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
>
> TL;DR no
>
> Thanks,
>
> Kyle Evans

Thank you very much.

Kind regards,

oh

-- 
O. Hartmann

From nobody Sun Apr 7 09:34:33 2024
Date: Sun, 7 Apr 2024 09:34:33 +0000
From: "Chen, Alvin W"
To: Gordon Tetlow, Shawn Webb
CC: "freebsd-security@freebsd.org"
Subject: RE: Disclosed backdoor in xz releases - FreeBSD not affected
References: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org>

> >> All supported FreeBSD releases include versions of xz that predate the affected releases.
> >>
> >> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.
> >
> > Hey Gordon,
> >
> > Is there potential for Linux jails on FreeBSD systems (ie, deployments making use of the Linuxulator) to be impacted? Assuming amd64 here, too.
>
> Hard to say for certain, but I suspect the answer is yes. If the jail has the vulnerable software installed, there is a decent chance it would be affected. At that point, I would refer to the vulnerability statement published by the Linux distro the jail is based on. I don’t believe the vulnerability has any kernel dependencies that FreeBSD would provide protection.
>
> Certainly, in the world of being conservatively cautious, I would immediately address any such Linux jails.
>
> Gordon

My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted.
Please correct me if I am wrong.
fbXEWdJ9bAQ60g67T26ffrHlyObkuRb544aEKLqkwKJU84Oty28wKnfac2p2sA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1712484913; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=e6X0nD0MnCCQM6kR5goHzjhwofqBtZl7OlS13bjoj4Y=; b=yzdQvDSx+OKEVLHO0uVHnFg+eVCarp2dncJ42YEroxqBkl8lR4v0UrQn8lMQsGxEHJHCm2 rSPwEHlMrEP2+pB3HGfDerjJfp5hPrASfTzFKiG+l0SOAxSlClSJ9WY7n0dOZAF/N7guzu 14Xfem32EqkwDocgAoZbdXOkaaRhdyyzPU8a6OXobzn8HDYD8rSzHndBMtcLueYxtQIOwE hh3pkjsD8kn1BhdHbDUGSlXllKS0hfL0+8Gj/lEgVjz7JVNhRNh7+SLKbbKeGvQIJUWr1Z yxCMAJ90ehHd2KJK+4F8f7kjuKyB4PW+NGTT7ufzerUSvaTFdhOtEYYNP02Z0Q== Received: from ltc.des.dev (2a02-8428-0993-f001-922e-16ff-fef1-acef.rev.sfr.net [IPv6:2a02:8428:993:f001:922e:16ff:fef1:acef]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: des) by smtp.freebsd.org (Postfix) with ESMTPSA id 4VC7Q91JkZz13x4; Sun, 7 Apr 2024 10:15:13 +0000 (UTC) (envelope-from des@freebsd.org) Received: by ltc.des.dev (Postfix, from userid 1001) id 7FD611E949; Sun, 07 Apr 2024 12:15:11 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: "Chen, Alvin W" Cc: Gordon Tetlow , Shawn Webb , "freebsd-security@freebsd.org" Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected In-Reply-To: (Alvin W. 
Chen's message of "Sun, 7 Apr 2024 09:34:33 +0000") References: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org> User-Agent: Gnus/5.13 (Gnus v5.13) Date: Sun, 07 Apr 2024 12:15:11 +0200 Message-ID: <86v84t5vio.fsf@ltc.des.dev> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable "Chen, Alvin W" writes: > My understanding is: the 'xz' built from FreeBSD is not impacted, but > the 'xz' built from Linux and run based on FreeBSD Linux ABI could be > impacted. It is certainly possible to build liblzma with the backdoor on a Linux host (or in a Linux jail on a FreeBSD host) and run it on a FreeBSD host. However, the backdoor does nothing unless loaded into an sshd process, so you would still not be affected unless you were running a Linux sshd binary and that sshd binary loaded the backdoored liblzma. FreeBSD's sshd binary (whether from base or ports) does not load liblzma, and if it did, it would not be able to load a Linux version of the library. 
DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org

From nobody Sun Apr 7 11:56:24 2024
Date: Sun, 07 Apr 2024 13:56:24 +0200
Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected
From: Cédric Weis
To: "Chen, Alvin W", Gordon Tetlow, Shawn Webb
CC: "freebsd-security@freebsd.org"
References: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org>

Unsubscribe me please. I don't know how to do it by myself.

On 07/04/2024 11:35, "Chen, Alvin W" on behalf of Weike.Chen@Dell.com wrote:

> >> All supported FreeBSD releases include versions of xz that predate the
> affected releases.
> >>
> >> The main, stable/14, and stable/13 branches do include the affected version
> (5.6.0), but the backdoor components were excluded from the vendor import.
> Additionally, FreeBSD does not use the upstream's build tooling, which was a
> required part of the attack. Lastly, the attack specifically targeted x86_64 Linux
> systems using glibc.
> >
> > Hey Gordon,
> >
> > Is there potential for Linux jails on FreeBSD systems (ie, deployments
> > making use of the Linuxulator) to be impacted? Assuming amd64 here,
> > too.
>
> Hard to say for certain, but I suspect the answer is yes. If the jail has the
> vulnerable software installed, there is a decent chance it would be affected. At
> that point, I would refer to the vulnerability statement published by the Linux
> distro the jail is based on. I don’t believe the vulnerability has any kernel
> dependencies that FreeBSD would provide protection.
>
> Certainly, in the world of being conservatively cautious, I would immediately
> address any such Linux jails.
>
> Gordon
My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted.
Please correct me if I am wrong.

Internal Use - Confidential

From nobody Sun Apr 7 20:42:59 2024
Date: Sun, 7 Apr 2024 20:42:59 +0000 (UTC)
From: Alexander Burke
To: Cédric Weis
Cc: freebsd-security@freebsd.org
Message-ID: <281a2f41-7bbf-4e20-bb4a-630d839e9708@alexburke.ca>
Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected

Hello Cédric,

We can't; you must do it yourself by sending an email (even a blank one) to:

freebsd-security+unsubscribe@freebsd.org

----------------------------------------

2024-04-07T11:57:04Z Cédric Weis:

> Unsubscribe me please. I don't know how to do it by myself.
>
> On 07/04/2024 11:35, "Chen, Alvin W" on behalf of Weike.Chen@Dell.com wrote:
>
>
>>>> All supported FreeBSD releases include versions of xz that predate the
>> affected releases.
>>>>
>>>> The main, stable/14, and stable/13 branches do include the affected version
>> (5.6.0), but the backdoor components were excluded from the vendor import.
>> Additionally, FreeBSD does not use the upstream's build tooling, which was a
>> required part of the attack. Lastly, the attack specifically targeted x86_64 Linux
>> systems using glibc.
>>>
>>> Hey Gordon,
>>>
>>> Is there potential for Linux jails on FreeBSD systems (ie, deployments
>>> making use of the Linuxulator) to be impacted? Assuming amd64 here,
>>> too.
>>
>> Hard to say for certain, but I suspect the answer is yes. If the jail has the
>> vulnerable software installed, there is a decent chance it would be affected. At
>> that point, I would refer to the vulnerability statement published by the Linux
>> distro the jail is based on. I don’t believe the vulnerability has any kernel
>> dependencies that FreeBSD would provide protection.
>>
>> Certainly, in the world of being conservatively cautious, I would immediately
>> address any such Linux jails.
>>
>> Gordon
> My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted.
> Please correct me if I am wrong.
>
>
> Internal Use - Confidential
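
Dag-Erling Smørgrav's reply earlier in this thread narrows exposure to a Linux sshd binary that loads a backdoored liblzma. The script below is an added example, not part of the thread or of FreeBSD: it triages a Linux jail root on a FreeBSD host for that combination. The jail paths, the state names and the libsystemd check (public analyses of CVE-2024-3094 describe distro-patched sshd reaching liblzma through libsystemd) are assumptions of the example.

```shell
#!/bin/sh
# Added example: triage a Linux jail root for the condition discussed in the
# thread (affected liblzma plus a Linux sshd that would load it).
# Usage: sh triage.sh /path/to/jail ...   (jail paths are yours to supply)

# List liblzma files whose file name carries an affected version (5.6.0, 5.6.1).
affected_liblzma() {
    find "$1" -name 'liblzma.so.5.6.[01]' 2>/dev/null
}

# Succeed if the binary names liblzma, or libsystemd (which depends on
# liblzma), among its strings. NEEDED entries are stored as plain text in the
# ELF dynamic string table, so a byte search is enough for a first triage.
sshd_can_pull_liblzma() {
    LC_ALL=C grep -q -e 'liblzma\.so' -e 'libsystemd\.so' "$1"
}

# Print one state for the jail root:
#   missing-root   the directory does not exist
#   clean          no affected liblzma file name found
#   lib-present    affected liblzma present, no sshd that links toward it
#   sshd-may-load  affected liblzma present and an sshd that links toward it
triage_jail() {
    root=$1
    if [ ! -d "$root" ]; then echo missing-root; return 0; fi
    if [ -z "$(affected_liblzma "$root")" ]; then echo clean; return 0; fi
    # Usual sshd locations inside a Linux userland (assumed list).
    for p in usr/sbin/sshd sbin/sshd usr/local/sbin/sshd; do
        if [ -f "$root/$p" ] && sshd_can_pull_liblzma "$root/$p"; then
            echo sshd-may-load
            return 0
        fi
    done
    echo lib-present
}

# Report every jail root given on the command line.
for r in "$@"; do
    printf '%s: %s\n' "$r" "$(triage_jail "$r")"
done
```

A `sshd-may-load` result is the case to handle first, following the advisory of the Linux distribution the jail is based on. The check goes by file name only, so it will not see a library that was renamed or statically linked.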