Date:      Sun, 07 Apr 2024 13:56:24 +0200
From:      Cédric Weis <hawei@free.fr>
To:        "Chen, Alvin W" <Weike.Chen@Dell.com>, Gordon Tetlow <gordon@tetlows.org>, Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: Disclosed backdoor in xz releases - FreeBSD not affected
Message-ID:  <A997BE31-9B73-4B5A-9AB2-5E6713C8025C@free.fr>
In-Reply-To: <PH0PR19MB4938C9F692909F7A993E9C319E012@PH0PR19MB4938.namprd19.prod.outlook.com>
References:  <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org> <xeiec7rsjjd4sztlxztka4f5uopea3sqpm6jb6jalrxsraogrm@zpnprx5pg72c> <E00E547B-D7B9-4A6D-B439-EA95EA1FCE16@tetlows.org> <PH0PR19MB4938C9F692909F7A993E9C319E012@PH0PR19MB4938.namprd19.prod.outlook.com>

Unsubscribe me please. I don't know how to do it by myself.

On 07/04/2024 11:35, « Chen, Alvin W » <owner-freebsd-security@freebsd.org on behalf of Weike.Chen@Dell.com> wrote:


> >> All supported FreeBSD releases include versions of xz that predate the affected releases.
> >>
> >> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.
> >
> > Hey Gordon,
> >
> > Is there potential for Linux jails on FreeBSD systems (ie, deployments making use of the Linuxulator) to be impacted? Assuming amd64 here, too.
>
> Hard to say for certain, but I suspect the answer is yes. If the jail has the vulnerable software installed, there is a decent chance it would be affected. At that point, I would refer to the vulnerability statement published by the Linux distro the jail is based on. I don't believe the vulnerability has any kernel dependencies that FreeBSD would provide protection against.
>
> Certainly, in the world of being conservatively cautious, I would immediately address any such Linux jails.
>
> Gordon
My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted. Please correct me if I am wrong.



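The thread's practical point is that a Linux-built xz running under the Linuxulator inside a jail is outside the scope of FreeBSD's own vendor import, so each jail has to be inventoried on its own. The following is an added example, not code from the thread or from the FreeBSD project: it parses the version that `xz --version` reports and flags the version the thread names as affected (5.6.0; the AFFECTED_VERSIONS list is assumed to be extended from the relevant distro advisory), and `scan_jails` applies that check across running jails via jls(8) and jexec(8).

```shell
#!/bin/sh
# Added example: report the xz version inside each running jail and flag
# the versions listed as affected. 5.6.0 is the version named in the thread;
# extend the list from your jail's distro advisory (assumption, not from the page).
AFFECTED_VERSIONS="5.6.0"

# xz_version OUTPUT: extract "x.y.z" from the first line of `xz --version`
# output, e.g. "xz (XZ Utils) 5.6.0" -> "5.6.0". Prints nothing on no match.
xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# is_affected VERSION: exit 0 if VERSION appears in AFFECTED_VERSIONS.
is_affected() {
    for v in $AFFECTED_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# classify OUTPUT: print "affected", "unaffected" or "unknown" (no xz found).
classify() {
    ver=$(xz_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif is_affected "$ver"; then
        echo affected
    else
        echo unaffected
    fi
}

# scan_jails: on a FreeBSD host, run `xz --version` in every running jail
# (Linux jails reach their own xz via the Linuxulator) and print
# "<jail name> <version> <status>" per jail. Not invoked automatically.
scan_jails() {
    jls jid name | while read -r jid name; do
        out=$(jexec "$jid" xz --version 2>/dev/null || true)
        printf '%s\t%s\t%s\n' "$name" "$(xz_version "$out")" "$(classify "$out")"
    done
}

# Constructed sample, in the shape `xz --version` prints on a Linux system:
SAMPLE_LINUX='xz (XZ Utils) 5.6.0
liblzma 5.6.0'
```

Run `scan_jails` as root on the host; a jail reported as "unknown" has no xz on its PATH, which still warrants checking for liblzma shipped by other packages.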