Date: Sun, 7 Apr 2024 09:34:33 +0000
From: "Chen, Alvin W" <Weike.Chen@Dell.com>
To: Gordon Tetlow <gordon@tetlows.org>, Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: RE: Disclosed backdoor in xz releases - FreeBSD not affected
Message-ID: <PH0PR19MB4938C9F692909F7A993E9C319E012@PH0PR19MB4938.namprd19.prod.outlook.com>
In-Reply-To: <E00E547B-D7B9-4A6D-B439-EA95EA1FCE16@tetlows.org>
References: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org> <xeiec7rsjjd4sztlxztka4f5uopea3sqpm6jb6jalrxsraogrm@zpnprx5pg72c> <E00E547B-D7B9-4A6D-B439-EA95EA1FCE16@tetlows.org>
> >> All supported FreeBSD releases include versions of xz that predate the affected releases.
> >>
> >> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.
> >
> > Hey Gordon,
> >
> > Is there potential for Linux jails on FreeBSD systems (i.e., deployments making use of the Linuxulator) to be impacted? Assuming amd64 here, too.
>
> Hard to say for certain, but I suspect the answer is yes. If the jail has the vulnerable software installed, there is a decent chance it would be affected. At that point, I would refer to the vulnerability statement published by the Linux distro the jail is based on. I don't believe the vulnerability has any kernel dependencies that FreeBSD would provide protection.
>
> Certainly, in the world of being conservatively cautious, I would immediately address any such Linux jails.
>
> Gordon

My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted.
Please correct me if I am wrong.
