From: Alan Somers
Date: Fri, 29 Mar 2024 17:47:51 -0600
Subject: Backdoor in xz 5.6.0
To: freebsd-security
Cc: Xin Li
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and snuck it into Fedora builds. That's the same version that FreeBSD CURRENT uses.
For multiple reasons we aren't vulnerable (the malicious code isn't included in xz's git repo, only its dist tarballs; the malicious code is only triggered on x86_64 Linux in an rpm or deb build; and the malicious code resides in a .m4 file which our build process doesn't use). But upstream considers all of 5.6.0 to be untrustworthy and recommends that everyone downgrade to 5.4.5.

summary: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
details: https://www.openwall.com/lists/oss-security/2024/03/29/4