Date: Fri, 29 Mar 2024 14:31:26 -0400
From: mike tancsa <mike@sentex.net>
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: xz security issue ? (CVE-2024-3094)
Message-ID: <c710debc-0a8a-49ef-887f-6c16ebf75077@sentex.net>
In-Reply-To: <23a8dfb7-5d48-4473-970b-e8021f79fc38@sentex.net>
References: <23a8dfb7-5d48-4473-970b-e8021f79fc38@sentex.net>

Oh, I didn't see the earlier email for some reason. Thanks Gordon for the email clarification!

    ---Mike

On 3/29/2024 2:22 PM, mike tancsa wrote:
> From the redhat advisory,
>
> What is the malicious code?
> The malicious injection present in the xz versions 5.6.0 and 5.6.1
> libraries is obfuscated and only included in full in the download
> package - the Git distribution lacks the M4 macro that triggers the
> build of the malicious code. The second-stage artifacts are present in
> the Git repository for the injection during the build time, in case
> the malicious M4 macro is present.
>
> The resulting malicious build interferes with authentication in sshd
> via systemd. SSH is a commonly used protocol for connecting remotely
> to systems, and sshd is the service that allows access. Under the
> right circumstances this interference could potentially enable a
> malicious actor to break sshd authentication and gain unauthorized
> access to the entire system remotely.
>
> Is there any exposure to this on FreeBSD ?
>
>     ---Mike