Date: Fri, 29 Mar 2024 14:22:52 -0400
From: mike tancsa <mike@sentex.net>
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: xz security issue ? (CVE-2024-3094)
Message-ID: <23a8dfb7-5d48-4473-970b-e8021f79fc38@sentex.net>

From the Red Hat advisory,

What is the malicious code?

The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present.

The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.

Is there any exposure to this on FreeBSD?

---Mike
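
The advisory quoted above notes that the triggering M4 macro ships only in the download package and is absent from Git. As an added example (not part of the original message, and not FreeBSD or xz project code), the Python below compares a release tarball with the Git tree of the same tag and reports files that exist only in the tarball or whose content differs from Git. The file names, the `EXPECTED_GENERATED` allowlist and the sample data are constructed assumptions.

```python
import hashlib
import io
import tarfile

# Assumption: base names an autotools "make dist" normally adds to a tarball.
EXPECTED_GENERATED = {"configure", "aclocal.m4", "config.h.in", "Makefile.in"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tarball_manifest(data: bytes) -> dict:
    """Map path (top-level directory stripped) -> SHA-256 of each regular file."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for member in tar:
            if member.isfile():
                path = member.name.split("/", 1)[-1]
                manifest[path] = sha256(tar.extractfile(member).read())
    return manifest

def audit(tar_manifest: dict, git_manifest: dict) -> dict:
    """Classify every tarball file that is missing from, or differs from, Git."""
    report = {"generated": [], "tarball_only": [], "modified": []}
    for path, digest in sorted(tar_manifest.items()):
        if path not in git_manifest:
            name = path.rsplit("/", 1)[-1]
            key = "generated" if name in EXPECTED_GENERATED else "tarball_only"
            report[key].append(path)
        elif git_manifest[path] != digest:
            report["modified"].append(path)
    return report

def build_sample_tarball(files: dict) -> bytes:
    """Build an in-memory .tar.gz from {path: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo("pkg-1.0/" + path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample: a Git tree, and a tarball with one extra and one changed m4 file.
GIT_TREE = {"configure.ac": b"AC_INIT\n", "m4/sample.m4": b"dnl v1\n"}
TARBALL = dict(GIT_TREE, **{"configure": b"#!/bin/sh\n",
                            "m4/extra-macro.m4": b"dnl not in git\n",
                            "m4/sample.m4": b"dnl v1 changed\n"})

def run_sample() -> dict:
    git_manifest = {p: sha256(c) for p, c in GIT_TREE.items()}
    return audit(tarball_manifest(build_sample_tarball(TARBALL)), git_manifest)
```

Entries under `generated` are matched by base name only, so they still warrant regeneration from the Git sources (or a content review) rather than trust.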