From nobody Thu Apr 4 06:03:56 2024 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4V99zk1rbTz5GK2G for ; Thu, 4 Apr 2024 06:04:02 +0000 (UTC) (envelope-from paulf2718@gmail.com) Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4V99zh5WwSz4Nch for ; Thu, 4 Apr 2024 06:04:00 +0000 (UTC) (envelope-from paulf2718@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20230601 header.b=l2N9UznF; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of paulf2718@gmail.com designates 2a00:1450:4864:20::32b as permitted sender) smtp.mailfrom=paulf2718@gmail.com Received: by mail-wm1-x32b.google.com with SMTP id 5b1f17b1804b1-4162b7f18b6so264945e9.3 for ; Wed, 03 Apr 2024 23:04:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712210639; x=1712815439; darn=freebsd.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id:from :to:cc:subject:date:message-id:reply-to; bh=M0mG1Mb88BrdtQNB29XsbhTGd7sWNPn8QGH45ipGTtk=; b=l2N9UznFTK0x1bhNSobwPwN6M9vr305g2IiNEVbrLcWovqJcntfj6eUDcUk+VWICsl tpSpKEjeHZ4wjrLBI9znjOLoiWIeqvlQcYTq0swkmyiVizkLb4dGcux8D4biUpPsYEJn R1l+Nkn4tKgJd4X8UATUNllut8dIv/10JGuAYMJ5c/asq9oO9w8FBUG2B2AcDMq6bB+s VZLoin7tPsuRgegdLxDu+pyECyE+UJ1X3HEMYFrKAfWtk7NzsJIMUtkx59U7zGQY1Ljc BpuCmrD54sz7N//8eihS+Gvdc4uaIWeMRu/5eSo0HKgzzOAfZ9xCugw9P7nqyY4qD0hX T7+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712210639; x=1712815439; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=M0mG1Mb88BrdtQNB29XsbhTGd7sWNPn8QGH45ipGTtk=; b=mZEMGGyrs66GlHxpA+/J0C5OfB9CD6f8iiFZJiWXNe5bTcJyxs9CdyGEkl+YsxdgYE +sWlemEaOU4Ee40UrTMjbLP536W8NZHc0YKeGH2E/dYkAQUHBdxr12LoUyl45Loyj0mK 7jZBHACGS+JEzvaAiQ+hFAjAZMOANhjtqpyqfrVguoHUF9ZwHMp4LajB3LDkW1EQWlxK /+VaOFPzmtXveXPIHLm0dKw35VsdQ+e+hoQBhjd/qD9lM3taMtYdVEVfmtTyRUWyZ0LR DgpKIu8jHlNFnGLL7eZq50mQG1hhy4GEjx3FHG6mJPG/o4oXITUWxIMWGBg/8JnBSUIN PZ/A== X-Gm-Message-State: AOJu0YyIYwSOWAHsXoUgYGaD48pDgonWUhyvlvoci0XO190xTCHUA4Bn FOGsqrJRvNzEsbnHlPcLqdimmj3z3zPCiUxiAu/nE1MCJmtj5Th4CBsGm/01 X-Google-Smtp-Source: AGHT+IEEiDqL6Oc9mOWsH90kyiyb2vqnJ4u+4NpNOcWoNP/HkNSBlvgIhT02bom6wd3XgUTH5yckuw== X-Received: by 2002:a5d:51cf:0:b0:343:9fec:eb35 with SMTP id n15-20020a5d51cf000000b003439feceb35mr1019106wrv.24.1712210638906; Wed, 03 Apr 2024 23:03:58 -0700 (PDT) Received: from ?IPV6:2a01:cb15:8010:2f00:1aa9:5ff:fe16:2efb? ([2a01:cb15:8010:2f00:1aa9:5ff:fe16:2efb]) by smtp.gmail.com with ESMTPSA id h9-20020adffa89000000b003435e1c0b78sm6703945wrr.28.2024.04.03.23.03.57 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 03 Apr 2024 23:03:58 -0700 (PDT) Message-ID: <5e546bba-7d06-452b-ad8c-76555e1b1c14@gmail.com> Date: Thu, 4 Apr 2024 06:03:56 +0000 List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@freebsd.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1 To: freebsd-current@freebsd.org References: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de> Content-Language: en-US From: Paul Floyd In-Reply-To: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Bar: --- X-Spamd-Result: default: False [-3.73 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.74)[-0.739]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20230601]; MIME_GOOD(-0.10)[text/plain]; XM_UA_NO_VERSION(0.01)[]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; RCPT_COUNT_ONE(0.00)[1]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; TO_DN_NONE(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; FROM_EQ_ENVFROM(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; PREVIOUSLY_DELIVERED(0.00)[freebsd-current@freebsd.org]; MID_RHS_MATCH_FROM(0.00)[]; MLMMJ_DEST(0.00)[freebsd-current@freebsd.org]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2a00:1450:4864:20::32b:from] X-Rspamd-Queue-Id: 4V99zh5WwSz4Nch On 04-04-24 05:49, FreeBSD User wrote: > Hello, > > I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094 > > FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me > to judge whether the described exploit mechanism also works on FreeBSD. > RedHat already sent out a warning, the workaround is to move back towards an older variant. > > I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private), > so I would like to welcome any comment on that. No it does not affect FreeBSD. The autoconf script checks that it is running in a RedHat or Debian package build environment before trying to proceed. There are also checks for GCC and binutils ld.bfd. And I'm not sure that the payload (a precompiled Linux object file) would work with FreeBSD and /lib/libelf.so.2. See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 A+ Paul