Date: Sat, 30 Mar 2024 00:12:00 +0000
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Alan Somers <asomers@freebsd.org>
Cc: freebsd-security <freebsd-security@freebsd.org>, Xin Li <delphij@freebsd.org>
Subject: Re: Backdoor in xz 5.6.0
Message-ID: <pqo5vx4ob34isiph5zwql2rsmx3kmoojyjoz6afveew4pmkmmw@c2t2vp35cqnl>
In-Reply-To: <CAOtMX2gVo6p+srDJjjJRu3USDTCFrkZ0OY_TkYooUQqAP1qkjw@mail.gmail.com>
References: <CAOtMX2gVo6p+srDJjjJRu3USDTCFrkZ0OY_TkYooUQqAP1qkjw@mail.gmail.com>
On Fri, Mar 29, 2024 at 05:47:51PM -0600, Alan Somers wrote:
> A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and
> snuck it into Fedora builds. That's the same version that FreeBSD
> CURRENT uses. For multiple reasons we aren't vulnerable (the
> malicious code isn't included in xz's git repo, only its dist
> tarballs, the malicious code is only triggered on x86_64 linux in an
> rpm or deb build, and the malicious code resides in a .m4 file which
> our build process doesn't use). But upstream considers all of 5.6.0
> to be untrustworthy and recommends that everyone to 5.4.5.

I haven't seen any statement by upstream (the Tukaani project), yet.

The bad actor has enjoyed a maintainership role for the xz project for at least one-and-a-half years (since 2022). We might experience another "OpenSSL Heartbleed" reactionary moment whereby the entire project is audited. Until then, some folks would not consider it over-reactionary to distrust any work since the bad actor started contributing. This would apply to other projects the bad actor contributed to as well, like libarchive.
Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAmYHWMkACgkQ/y5nonf4
4foieg/+LHex7puyS+CTlKuP1mXMtR20pyJmhSt0yQ97FXLy2xR4+FcIXGME9Wes
1DgFEHhkSBkIw67+y/p1sqlYWzHvzDK3QbTcSei6wGOrS3ouFdWE8EnpFmOzea5z
BSqPuTxRGNtBkG4/ZnD0Jt2JpAGY2cmIJZljHyQo8tFl6lHCIEhzcXwVpb2cnVYL
M5GC2DUwgZfBmoG/6l5qn3fKW5chfF4rkggqP2EsUIpUnA8948LSvyGuD3A6kscR
XcT7gxXFLEiBjx3+nwDGYsq1nS4nPHcGyg37ArJWPnUoT0zvSjdK7RFnPwoeuKER
dbozWAVljcznJDabT0cdiHiSU4+s/RVIB2NY2rRCxi0v5gODLnTRZxZocYdFgbyo
TTVp52AezcnxcdYL059bbEWXLADpp9X0ioL5JX1wwHhTv71+9JJwQ+sBMkHsm4x0
MtelHNWTDCv0/G7cdgSLraNT+/x/0WwQ+uNQp+0lPIgJ5hA+M2/LJUe0mx1sFR7/
+6LBb585s9BJ2B6UPk/cszdJbB5oYuHoL6gM3+Psk8YvaeNV0CKIViUfWZRLZVS9
BQS0sU6JyL48OL3trR9Z/DAW4wUWOWmW1iwaoBTJUZ6MxETY+04/LU2twJIEIfNe
Gi4qq2fBvbo3eDmGW7+O564iCpPT8SZl89RnUF7l24Mzrb3MKF4=
=HiTF
-----END PGP SIGNATURE-----
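The quoted message makes one point a defender can turn into a routine check: the malicious code lived in the distributed tarball but not in the git repository. The following POSIX shell helper, added here as an example and not taken from this thread, from FreeBSD or from the xz project, lists files that a release tarball carries but the matching source tree does not. The tarball, the source tree and the file names (pkg-1.0, m4/extra.m4) are constructed inline so the script runs offline; they are not real xz artifacts.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the xz project.
# Lists files that a release tarball carries but the source tree does not,
# as a first triage step for the "in the dist tarball but not in git" pattern.
set -eu

# dist_only_files TARBALL SRCDIR
# Prints, one per line and sorted, the relative paths found in TARBALL
# but absent under SRCDIR. The tarball's single top-level directory
# (e.g. pkg-1.0/) is stripped so both sides compare like-for-like.
dist_only_files() {
    tarball=$1
    srcdir=$2
    tmp=$(mktemp)
    # Tarball side: drop the leading release directory and directory entries.
    tar -tzf "$tarball" | sed 's|^[^/]*/||' | grep -v '/$' | grep . | sort -u >"$tmp.dist"
    # Source-tree side: every regular file, relative to the tree root.
    (cd "$srcdir" && find . -type f | sed 's|^\./||' | sort -u) >"$tmp.src"
    # Lines only in the first (tarball) list.
    comm -23 "$tmp.dist" "$tmp.src"
    rm -f "$tmp" "$tmp.dist" "$tmp.src"
}

# make_demo: builds a constructed source tree and a constructed tarball whose
# only difference is one extra m4 file present in the tarball (constructed
# data, hypothetical names). Prints the scratch directory it created.
make_demo() {
    base=$(mktemp -d)
    mkdir -p "$base/src/m4" "$base/src/lib" "$base/dist/pkg-1.0/m4" "$base/dist/pkg-1.0/lib"
    for d in "$base/src" "$base/dist/pkg-1.0"; do
        printf 'dnl shared macro\n' >"$d/m4/common.m4"
        printf 'int x;\n' >"$d/lib/x.c"
    done
    printf 'dnl present only in the tarball\n' >"$base/dist/pkg-1.0/m4/extra.m4"
    (cd "$base/dist" && tar -czf "$base/pkg-1.0.tar.gz" pkg-1.0)
    echo "$base"
}

# Stand-alone run on the constructed data: reports m4/extra.m4.
demo=$(make_demo)
dist_only_files "$demo/pkg-1.0.tar.gz" "$demo/src"
```

Against a real checkout, replace the `find` with `git ls-files` so the `.git` directory and untracked files do not skew the comparison. Presence is only the first question; the files present on both sides still need a content diff, and generated files that a project legitimately ships only in tarballs (configure scripts, some m4 macros) will show up here and must be reviewed rather than dismissed.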