From nobody Thu Apr  4 06:14:52 2024
X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4V9BDH1f7Lz5GLH2;
	Thu,  4 Apr 2024 06:14:55 +0000 (UTC)
	(envelope-from kevans@FreeBSD.org)
Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "smtp.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4V9BDH1CHpz4SQw;
	Thu,  4 Apr 2024 06:14:55 +0000 (UTC)
	(envelope-from kevans@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1712211295;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=vsQas0ZHgZYfVcyZBHrVjnoVivY4PBOeHOQ2tit1fYI=;
	b=gDKiyW2Q0PLMCTs9wWbya2xObgiCJs2hJoYCMXrRlCIEoJk3L8vTA1VKDAPxw0RlACV0X+
	Bm/BYAR9eABABEBjIoWsuGdM1OB5W0zysV+bljQrFayAsgaR7lyo7S7+YC5wy+CxLfUJIs
	izRV+UGGRSBobSjXJyAzDo4thsVhHUtM+xeTC7nG6YinEp3tXJmST4cM6OGBjHQlVnAfey
	/b6xeZzfIwiS+HyMfuSxeZ77djb7ivp5ejZBZEc0nHYIrZHhdb/VVWVLDxv7xbKBHw3t90
	9HwigcFPW4P/h7cy4tlEINY5L1BoNp/lu0M59+8bjF9v9pE1NObwEeEOWMOA8g==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1712211295; a=rsa-sha256; cv=none;
	b=NSO8mtsGa4+++ov8VuJudqV5Mm0LQBMr/QHNiupXEpa78ONUYGc7ugKZD9A8xEaCbXjppu
	PEGcyDvQOt1+V2OrtE+VxrKNLk55WGKZomnspRIiu6MVnq1uPVD19N+dDrmnxvBoF2s2lk
	5W6JuV88Wq8FEMHSkIE/pDkr1NA5qEfrt3xCMPDNkKGaADyspOxFFPXAZrZK3G5mngrJDq
	2IAQIJ4rMMy6rEd36WRmWhCt+zW5SQ1U5zBZWmxR64QR9G7esUQSqMtafvIV7HY3K8Quyu
	VHNxre44GTsIueRP7nuBgwycUg1EprAhGSwXVAWpd37aJHizD4+diNpmKYBq6A==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1712211295;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=vsQas0ZHgZYfVcyZBHrVjnoVivY4PBOeHOQ2tit1fYI=;
	b=mKNd6gBhjjuPXvkUlzDNuHZDlItCIPun6wHYPTH9gxigvFN6Fr7xY+UnjIuMBJO1i0UXDA
	nvnB6Fu2pnPywgtMIIJoVnkKX7Ge3/ZU8hX5RYQWZcyIJ0fdVA6J3Q3D+qmmxvMCLGPl+d
	/H7GeDVhLcrW4KE0LQkoqSmHv4wpEt7iJB0GxEJaGQXy+wdXwrNUUj/9d8x+yxCjAdizl0
	YAeJXVDecKg16hpOsQYX1q6n765qkh3rpppkOcPO726PmKaSck/WROprk3gxjRLbUF91gp
	KNxG3/F0waWsJ4pqHTcqqowIMUGo4f4uhrkyx4bdaKtcP3r92ZljAuKD5O8c6A==
Received: from [10.9.4.95] (unknown [209.182.120.176])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	(Authenticated sender: kevans/mail)
	by smtp.freebsd.org (Postfix) with ESMTPSA id 4V9BDG4SHlzGqf;
	Thu,  4 Apr 2024 06:14:54 +0000 (UTC)
	(envelope-from kevans@FreeBSD.org)
Message-ID: <f0f63907-ffb4-4aa9-809c-c68c090e8364@FreeBSD.org>
Date: Thu, 4 Apr 2024 01:14:52 -0500
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@freebsd.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
Content-Language: en-US
To: FreeBSD User <freebsd@walstatt-de.de>,
 FreeBSD CURRENT <freebsd-current@freebsd.org>, freebsd-security@freebsd.org
References: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>
From: Kyle Evans <kevans@FreeBSD.org>
In-Reply-To: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

On 4/4/24 00:49, FreeBSD User wrote:
> Hello,
> 
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
> 
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me
> to judge wether the described exploit mechanism also works on FreeBSD.
> RedHat already sent out a warning, the workaround is to move back towards an older variant.
> 
> I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private),
> so I would like to welcome any comment on that.
> 
> Thanks in advance,
> 
> O. Hartmann
> 
> 

See so@'s answer from a couple days ago:

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

TL;DR no

Thanks,

Kyle Evans