Date: Sun, 07 Apr 2024 12:15:11 +0200
From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: "Chen, Alvin W" <Weike.Chen@Dell.com>
Cc: Gordon Tetlow <gordon@tetlows.org>, Shawn Webb <shawn.webb@hardenedbsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected
Message-ID: <86v84t5vio.fsf@ltc.des.dev>
In-Reply-To: <PH0PR19MB4938C9F692909F7A993E9C319E012@PH0PR19MB4938.namprd19.prod.outlook.com> (Alvin W. Chen's message of "Sun, 7 Apr 2024 09:34:33 +0000")
References: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org> <xeiec7rsjjd4sztlxztka4f5uopea3sqpm6jb6jalrxsraogrm@zpnprx5pg72c> <E00E547B-D7B9-4A6D-B439-EA95EA1FCE16@tetlows.org> <PH0PR19MB4938C9F692909F7A993E9C319E012@PH0PR19MB4938.namprd19.prod.outlook.com>
"Chen, Alvin W" <Weike.Chen@Dell.com> writes: > My understanding is: the 'xz' built from FreeBSD is not impacted, but > the 'xz' built from Linux and run based on FreeBSD Linux ABI could be > impacted. It is certainly possible to build liblzma with the backdoor on a Linux host (or in a Linux jail on a FreeBSD host) and run it on a FreeBSD host. However, the backdoor does nothing unless loaded into an sshd process, so you would still not be affected unless you were running a Linux sshd binary and that sshd binary loaded the backdoored liblzma. FreeBSD's sshd binary (whether from base or ports) does not load liblzma, and if it did, it would not be able to load a Linux version of the library. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@FreeBSD.org
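Added example, not part of the original message: a POSIX shell check for the condition the message describes, namely whether an sshd binary's dynamic dependencies include liblzma. The sample ldd output and the function names `lzma_paths`, `classify_ldd` and `check_binary` are constructed for illustration.

```shell
#!/bin/sh
# Constructed ldd-style output (not captured from a real host).
SAMPLE_NO_LZMA='/usr/sbin/sshd:
    libcrypto.so.30 => /lib/libcrypto.so.30 (0x1000)
    libc.so.7 => /lib/libc.so.7 (0x2000)'
SAMPLE_WITH_LZMA='/usr/sbin/sshd:
    libexample.so.0 => /lib/libexample.so.0 (0x1000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x2000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x3000)'

# Read ldd output on stdin; print where each liblzma entry resolves to.
lzma_paths() {
    awk '$1 ~ /^liblzma\.so/ && $2 == "=>" {
        print ($3 == "not" ? "(not found)" : $3)
    }'
}

# Read ldd output on stdin; print a one-line verdict.
classify_ldd() {
    paths=$(lzma_paths)
    if [ -n "$paths" ]; then
        echo "loads-liblzma: $paths"
    else
        echo "no-liblzma"
    fi
}

# Run the check against a binary on this host (hypothetical helper).
check_binary() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "not-found"
        return 2
    fi
    if ! out=$(ldd "$bin" 2>/dev/null); then
        echo "not-dynamic"
        return 3
    fi
    printf '%s\n' "$out" | classify_ldd
}

# Usage: sh check.sh /usr/sbin/sshd
if [ "$#" -gt 0 ]; then
    check_binary "$1"
fi
```

ldd lists only libraries resolved at load time, so a library opened later at run time would not appear in its output. Run it only on binaries you already trust.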