From nobody Sun Apr 7 20:42:59 2024
Date: Sun, 7 Apr 2024 20:42:59 +0000 (UTC)
From: Alexander Burke
To: Cédric Weis
Cc: freebsd-security@freebsd.org
Message-ID: <281a2f41-7bbf-4e20-bb4a-630d839e9708@alexburke.ca>
Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hello Cédric,

We can't; you must do it yourself by sending an email (even a blank one) to:
freebsd-security+unsubscribe@freebsd.org

----------------------------------------
2024-04-07T11:57:04Z Cédric Weis :
> Unsubscribe me please. I don't know how to do it by myself.
>
> On 07/04/2024 11:35, « Chen, Alvin W » on behalf of Weike.Chen@Dell.com wrote:
>
>
>>>> All supported FreeBSD releases include versions of xz that predate the
>>>> affected releases.
>>>>
>>>> The main, stable/14, and stable/13 branches do include the affected version
>>>> (5.6.0), but the backdoor components were excluded from the vendor import.
>>>> Additionally, FreeBSD does not use the upstream's build tooling, which was a
>>>> required part of the attack. Lastly, the attack specifically targeted x86_64 Linux
>>>> systems using glibc.
>>>
>>> Hey Gordon,
>>>
>>> Is there potential for Linux jails on FreeBSD systems (ie, deployments
>>> making use of the Linuxulator) to be impacted? Assuming amd64 here,
>>> too.
>>
>> Hard to say for certain, but I suspect the answer is yes. If the jail has the
>> vulnerable software installed, there is a decent chance it would be affected. At
>> that point, I would refer to the vulnerability statement published by the Linux
>> distro the jail is based on. I don't believe the vulnerability has any kernel
>> dependencies that FreeBSD would provide protection.
>>
>> Certainly, in the world of being conservatively cautious, I would immediately
>> address any such Linux jails.
>>
>> Gordon
> My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted.
> Please correct me if I am wrong.
>
>
> Internal Use - Confidential
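The practical follow-up to the Linux-jail question in the quoted exchange is an inventory: which jails on the host carry an xz release named as affected, so those can be handled per the distro's own statement. The script below is an added example, not code from any participant in this thread or from the FreeBSD project. It seeds its affected list with the only version the thread names (5.6.0) and expects you to extend it from your distribution's advisory; the jail names and `xz --version` banners in the built-in sample are constructed, and the live mode assumes a FreeBSD host with jls(8) and jexec(8) and that the jail's xz binary prints the usual "xz (XZ Utils) <version>" banner.

```shell
#!/bin/sh
# Added example (not from the thread): per-jail xz triage on a FreeBSD host.
# Works from "jail<TAB>first line of `xz --version`" records, so the matching
# logic can be exercised offline and the same code can drive a live scan.

# Versions treated as affected. 5.6.0 is the one named in the thread; this
# list is a placeholder to be completed from your Linux distro's advisory.
AFFECTED="5.6.0"

# xz_affected VERSION -> exit 0 if VERSION is in AFFECTED, 1 otherwise.
# Exact match on the upstream version string, e.g. "5.6.0".
xz_affected() {
    v=$1
    for a in $AFFECTED; do
        [ "$v" = "$a" ] && return 0
    done
    return 1
}

# parse_xz_version LINE -> print the version from an "xz (XZ Utils) 5.6.0"
# style banner (first line of `xz --version`); print nothing if LINE does
# not look like that banner, so unrelated output is never misread.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# report_affected RECORDS -> print "jail version" for each affected record.
# RECORDS is newline-separated "jail<TAB>banner" lines.
report_affected() {
    printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r jail banner; do
        [ -n "$jail" ] || continue
        ver=$(parse_xz_version "$banner")
        [ -n "$ver" ] || continue          # no xz banner: nothing to judge
        if xz_affected "$ver"; then
            printf '%s %s\n' "$jail" "$ver"
        fi
    done
}

# Constructed sample inventory (jail names and banners are made up):
# one Linux jail on the affected release, one on an older release, and
# one native jail whose xz comes from FreeBSD's own vendor import.
SAMPLE="$(printf 'web-linux\txz (XZ Utils) 5.6.0\nbuild-linux\txz (XZ Utils) 5.4.6\nnative-fbsd\txz (XZ Utils) 5.4.5')"

# scan_jails -> live inventory: ask every running jail for its xz banner.
# Assumes FreeBSD's jls(8) ("jls name" lists jail names) and jexec(8).
scan_jails() {
    jls name | while read -r j; do
        banner=$(jexec "$j" xz --version 2>/dev/null | head -n 1)
        [ -n "$banner" ] || continue       # jail without xz, or not reachable
        printf '%s\t%s\n' "$j" "$banner"
    done
}

# Usage: sh xz-jail-triage.sh          (runs against the constructed sample)
#        sh xz-jail-triage.sh --live   (scans the host's running jails)
case "${1:-}" in
    --live) report_affected "$(scan_jails)" ;;
    *)      report_affected "$SAMPLE" ;;
esac
```

Run without arguments it reports only the constructed "web-linux 5.6.0" record; with `--live` it walks the host's jails instead. Because a Linux jail runs the distro's binaries, the banner you get back is that distro's xz, which is exactly the case the thread says FreeBSD's own vendor import does not cover; an empty banner (no xz installed in the jail, or a jail that cannot run it) is skipped rather than reported as safe.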