Date:      Thu, 04 Apr 2024 08:56:28 +0200
From:      "Ben C. O. Grimm" <dutchdaemon@freebsd.org>
To:        FreeBSD User <freebsd@walstatt-de.de>, FreeBSD CURRENT <freebsd-current@freebsd.org>, <freebsd-security@freebsd.org>
Subject:   Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
Message-ID:  <18ea7b425a8.2892.b36d34a15fda208b80f54b6ad54d9e04@freebsd.org>
In-Reply-To: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>
References:  <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>


On April 4, 2024 07:50:55 FreeBSD User <freebsd@walstatt-de.de> wrote:

> Hello,
>
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
>
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited
> skills do not allow me to judge whether the described exploit mechanism
> also works on FreeBSD.
> RedHat already sent out a warning, the workaround is to move back towards
> an older variant.
>
> I have to report to my superiors (we're using 14-STABLE and CURRENT and I
> do so in private), so I would like to welcome any comment on that.
>
> Thanks in advance,
>
> O. Hartmann
>
>
> --
> O. Hartmann

As noted on freebsd-security last Friday:

FreeBSD is not affected by the recently announced backdoor included in the
5.6.0 and 5.6.1 xz releases.

All supported FreeBSD releases include versions of xz that predate the
affected releases.

The main, stable/14, and stable/13 branches do include the affected version
(5.6.0), but the backdoor components were excluded from the vendor import.
Additionally, FreeBSD does not use the upstream's build tooling, which was
a required part of the attack. Lastly, the attack specifically targeted
x86_64 Linux systems using glibc.
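An added example, not part of this thread and not FreeBSD's own tooling: a POSIX sh check that reads the banner printed by `xz --version` and classifies the version against the two upstream releases named in CVE-2024-3094 (5.6.0 and 5.6.1), also reporting whether an installed version predates them, as the reply says all supported FreeBSD releases do. The function names are my own. The caveat from the reply applies when reading the result: on the main, stable/14 and stable/13 branches the imported 5.6.0 excludes the backdoor components, so a match on 5.6.0 there identifies the version string, not the presence of the backdoor.

```shell
#!/bin/sh
# Added example (not from the thread): classify an xz version string against
# the upstream releases named in CVE-2024-3094. Function names are assumed.

# Take the output of `xz --version` (first line looks like
# "xz (XZ Utils) 5.6.0") and print the version number, which is the last
# whitespace-separated field of that first line. Only builtins are used.
xz_version_from_banner() {
    printf '%s\n' "$1" | {
        IFS= read -r first_line
        printf '%s\n' "${first_line##* }"
    }
}

# Classify a dotted version: "affected" (exactly 5.6.0 or 5.6.1),
# "predates" (older than 5.6.0), "later" (5.6.2 and newer), or "unknown"
# when the major/minor fields are not numeric.
xz_version_class() {
    case "$1" in
        5.6.0|5.6.1) echo affected; return 0 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 6 ]; }; then
        echo predates
    else
        echo later
    fi
}

# Inspect the xz binary found on PATH, if any, and print a one-line verdict.
# Exit status: 0 = matches an affected upstream release, 1 = does not,
# 2 = no xz on PATH.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not found on PATH"
        return 2
    fi
    banner=$(xz --version 2>/dev/null)
    ver=$(xz_version_from_banner "$banner")
    class=$(xz_version_class "$ver")
    case "$class" in
        affected)
            echo "xz $ver: matches an affected upstream release (CVE-2024-3094);"
            echo "  on FreeBSD main/stable the vendor import excludes the backdoor components"
            return 0 ;;
        predates)
            echo "xz $ver: predates the affected releases"
            return 1 ;;
        later)
            echo "xz $ver: newer than the affected releases"
            return 1 ;;
        *)
            echo "xz $ver: version string not understood"
            return 1 ;;
    esac
}

# Run the live check; $rc holds 0 (affected), 1 (not affected), 2 (no xz).
rc=0
check_installed_xz || rc=$?
```

Run it as `sh xzcheck.sh` and use `$rc` (or the function's exit status when sourced) in an inventory script; the classification functions take a string, so they can also be fed banners collected from other hosts.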
