Date: Thu, 4 Apr 2024 08:13:02 +0200
From: FreeBSD User
To: sthaug@nethelp.no
Cc: freebsd-current@freebsd.org
Subject: Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
Message-ID: <20240404081329.5fa28101@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <20240404.080626.2156450008475679449.sthaug@nethelp.no>
Organization: walstatt-de.de
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Thu, 04 Apr 2024 08:06:26 +0200 (CEST) sthaug@nethelp.no wrote:

> >> I have to report to my superiors (we're using 14-STABLE and CURRENT
> >> and I do so in private),
> >> so I would like to welcome any comment on that.
> >
> > No it does not affect FreeBSD.
> >
> > The autoconf script checks that it is running in a RedHat or Debian
> > package build environment before trying to proceed. There are also
> > checks for GCC and binutils ld.bfd. And I'm not sure that the payload
> > (a precompiled Linux object file) would work with FreeBSD and
> > /lib/libelf.so.2.
> >
> > See
> >
> > https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
>
> See also the following message from the FreeBSD security officer:
>
> https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>

Thank you very much for the quick answer.

Kind regards

oh

-- 
O. Hartmann
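
A triage sketch for the kind of report asked about in this thread, as an added example (not part of any message above and not FreeBSD project code): it reads `xz --version` text plus the kernel name and flags the two releases named in the subject line. The function names, result labels and sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example. Releases taken from the thread subject (CVE-2024-3094).
LISTED="5.6.0 5.6.1"

# Constructed samples of `xz --version` output (not captured from a real host).
SAMPLE_OLD='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
SAMPLE_LISTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# xz_versions TEXT: print the version on the "xz (XZ Utils)" and "liblzma" lines.
xz_versions() {
    printf '%s\n' "$1" |
        awk '$1 == "liblzma" || ($1 == "xz" && $2 == "(XZ") { print $NF }'
}

# xz_triage TEXT KERNEL: print one label.
#   unknown          no version could be parsed (xz missing or odd output)
#   clean            neither reported version is a listed release
#   listed-linux     listed release on Linux: check how the package was built
#                    (the thread names RedHat/Debian package builds, GCC, ld.bfd)
#   listed-nonlinux  listed release elsewhere: the thread describes the payload
#                    as a precompiled Linux object file; check the OS advisory
xz_triage() {
    vers=$(xz_versions "$1")
    if [ -z "$vers" ]; then
        echo unknown
        return 0
    fi
    hit=no
    for v in $vers; do
        case " $LISTED " in
            *" $v "*) hit=yes ;;
        esac
    done
    if [ "$hit" = no ]; then
        echo clean
    elif [ "$2" = Linux ]; then
        echo listed-linux
    else
        echo listed-nonlinux
    fi
}

# Live check, skipped when xz is not installed.
if command -v xz >/dev/null 2>&1; then
    echo "this host: $(xz_triage "$(xz --version 2>/dev/null)" "$(uname -s)")"
fi
```

The tool and library versions are checked separately because `xz` and `liblzma` can come from different packages on the same host.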