From: "Ben C. O. Grimm"
To: FreeBSD User, FreeBSD CURRENT
Date: Thu, 04 Apr 2024 08:56:28 +0200
Message-ID: <18ea7b425a8.2892.b36d34a15fda208b80f54b6ad54d9e04@freebsd.org>
In-Reply-To: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>
Subject: Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
On April 4, 2024 07:50:55 FreeBSD User wrote:
> Hello,
>
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
>
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited
> skills do not allow me to judge whether the described exploit mechanism
> also works on FreeBSD.
> RedHat already sent out a warning; the workaround is to move back towards
> an older variant.
>
> I have to report to my superiors (we're using 14-STABLE and CURRENT and I
> do so in private), so I would like to welcome any comment on that.
>
> Thanks in advance,
>
> O. Hartmann
>
> --
> O. Hartmann

As noted on freebsd-security last Friday:

FreeBSD is not affected by the recently announced backdoor included in the
5.6.0 and 5.6.1 xz releases.

All supported FreeBSD releases include versions of xz that predate the
affected releases.

The main, stable/14, and stable/13 branches do include the affected version
(5.6.0), but the backdoor components were excluded from the vendor import.
Additionally, FreeBSD does not use the upstream's build tooling, which was a
required part of the attack. Lastly, the attack specifically targeted x86_64
Linux systems using glibc.
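As an added example that is not part of this thread and not FreeBSD's own tooling: a small POSIX shell audit for the two exposure conditions the reply names, namely whether the installed xz is one of the two backdoored releases, and whether an xz source tree still carries the upstream test files the payload was hidden in (the "backdoor components" a clean vendor import leaves out). The two test-file names are the ones publicly identified for CVE-2024-3094; the source-tree path argument and the script name `xz-audit.sh` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the freebsd-current thread or the FreeBSD project.
# Audits the two exposure conditions for CVE-2024-3094 named in the reply above:
#   1. is the installed xz one of the backdoored releases (5.6.0 / 5.6.1)?
#   2. does an xz source tree still carry the upstream test files that hid the
#      payload (a clean vendor import, like FreeBSD's, has them removed)?
# Test-file names are those publicly identified for CVE-2024-3094; the
# source-tree path argument is an assumption for illustration.

# True (exit 0) when the version string is 5.6.0 or 5.6.1. Only the leading
# major.minor.patch token is compared, so a packaged form such as "5.6.1-1"
# still matches, while 5.4.6 or 5.6.2 do not.
xz_version_affected() {
    v=$(printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull "major.minor.patch" from the first line of `xz --version`, which reads
# "xz (XZ Utils) 5.6.0"; prints nothing when the binary is not found.
installed_xz_version() {
    "${1:-xz}" --version 2>/dev/null \
        | sed -n -E '1s/.*[[:space:]]([0-9]+\.[0-9]+\.[0-9]+).*/\1/p'
}

# True (exit 0) when the source tree at $1 contains either crafted test file
# the backdoor was delivered in. Their presence is a reason to inspect the
# tree and the build, not proof of compromise on its own.
source_tree_carries_payload() {
    for f in tests/files/bad-3-corrupt_lzma2.xz \
             tests/files/good-large_compressed.lzma; do
        [ -e "$1/$f" ] && return 0
    done
    return 1
}

# Usage: sh xz-audit.sh [path-to-xz-source-tree]
main() {
    ver=$(installed_xz_version xz)
    if [ -z "$ver" ]; then
        echo "xz: not found in PATH"
    elif xz_version_affected "$ver"; then
        echo "xz $ver: affected release; verify how liblzma was built"
    else
        echo "xz $ver: not an affected release"
    fi
    if [ -n "$1" ]; then
        if source_tree_carries_payload "$1"; then
            echo "$1: backdoor test files present, inspect before building"
        else
            echo "$1: backdoor test files absent"
        fi
    fi
}

main "$@"
```

A version match alone does not establish exposure: as the reply points out, the payload only became part of liblzma when the upstream release tarball's build tooling was used, and it targeted x86_64 Linux with glibc, so a 5.6.0 built from FreeBSD's vendor import with the project's own build system reports "affected release" here but carries none of the backdoor components. Treat the script's output as a prompt to check how the library was built, not as a verdict.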