Date: Sat, 30 Mar 2024 20:28:41 -0400
From: Eli Devejian <elid9122@gmail.com>
To: Freebsd Stable <freebsd-stable@freebsd.org>
Subject: Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
Message-ID: <CAO7WDFetC_Nm5k6mgsNTHwRX1DG9H5SZXT7=o75Mm+__FnMFzA@mail.gmail.com>
In-Reply-To: <02919DCB-5778-47C3-8754-249F76596928@punkt.de>
References: <NuBvLSh--3-9@tuta.io> <WSRHEPLzq0oUN8lQ4GAgVaWmeVkSD2UpN7y96L-am-aQs3R3bjp7PbWvB9A9cE8f3EKrZOlShQ_TC66G-yzWk9FI0PXdkVOHIHofJ9sw6jA=@xyinn.org> <02919DCB-5778-47C3-8754-249F76596928@punkt.de>
This is my understanding too: this vulnerability only affects versions of OpenSSH compiled against compromised versions of xz with extra support for systemd integration, so FreeBSD is unaffected. Also, this only affects release tarballs, with malicious binary blobs. Like Arch Linux, as long as we pull from the repo and compile in-house, this should mitigate other vulnerabilities possibly created by this rogue maintainer. I have not seen any evidence that more action than this is needed.

Cheers,
-Eli

On Sat, Mar 30, 2024 at 6:31 PM Patrick M. Hausen <hausen@punkt.de> wrote:
> Hi all,
>
> On Fri, Mar 29, 2024 at 21:15, <henrichhartzer@tuta.io> wrote:
> >
> > I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4
> >
> > It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.
> >
> > I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.
> >
> > [...]
>
> 1. The point of this backdoor is - to my knowledge - to get a rogue login via SSH.
>
> 2. The mechanism relies on the compromised liblzma being linked with sshd.
>
> 3. Which is the case for some Linux distributions because they pull in some extra
>    functions for better systemd integration which then pulls in liblzma as a dependency.
>
> 4. FreeBSD is - to my knowledge - not susceptible to this attack because our sshd
>    is not linked to the compromised library at all.
>
> 5. Even if you installed a supposedly compromised xz from ports, there are probably
>    no ill consequences.
>
> Kind regards,
> Patrick
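Added example, not code from this thread nor from FreeBSD, OpenSSH or the xz project: a small audit script that applies the two conditions Patrick's points 2 to 4 spell out. A host is exposed along the path described here only if the installed xz is one of the 5.6.0/5.6.1 releases and sshd is dynamically linked against liblzma (on Linux usually transitively, via the systemd integration library). Both checks are plain text processing over the output of `xz --version` and `ldd sshd`, so the script exercises them offline on constructed samples; the `--live` flag and the sshd path fallback are assumptions of this example, and the sample listings are made up, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): decide whether a host is
# exposed to the xz 5.6.0/5.6.1 backdoor along the sshd path, i.e.
#   (a) the installed xz is one of the affected releases, and
#   (b) sshd is dynamically linked against liblzma.

# Extract the release number from `xz --version` output (first line looks
# like "xz (XZ Utils) 5.6.1") and return 0 when it is 5.6.0 or 5.6.1.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" \
          | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 when an ldd listing names liblzma.  Matches both the glibc form
# "liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x...)" and the
# FreeBSD form "liblzma.so.5 => /usr/lib/liblzma.so.5 (0x...)".
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both conditions into one verdict on stdout:
#   exposed      affected xz AND sshd loads liblzma (the Linux+systemd case)
#   xz-affected  affected xz installed, but sshd never loads it
#   unaffected   the installed xz is not one of the two releases
assess() {
    if xz_version_affected "$1"; then
        if sshd_links_liblzma "$2"; then echo exposed; else echo xz-affected; fi
    else
        echo unaffected
    fi
}

# Run the assessment against the live system.  The /usr/sbin/sshd fallback
# is an assumption; ldd prints nothing for a statically linked sshd, which
# the grep above treats as "not linked".
check_live_host() {
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    assess "$(xz --version 2>/dev/null)" "$(ldd "$sshd_bin" 2>/dev/null)"
}

# Constructed samples (not captured from real hosts) for an offline run.
LINUX_XZ='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
LINUX_LDD='    linux-vdso.so.1 (0x00007ffd3b5f8000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2f8c4a0000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2f8c470000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2f8c200000)'
FREEBSD_XZ='xz (XZ Utils) 5.6.0
liblzma 5.6.0'
FREEBSD_LDD='    libcrypto.so.111 => /lib/libcrypto.so.111 (0x1a8d2b3c2000)
    libc.so.7 => /lib/libc.so.7 (0x1a8d2ac00000)'

if [ "${1:-}" = "--live" ]; then
    check_live_host
else
    echo "linux+systemd sample: $(assess "$LINUX_XZ" "$LINUX_LDD")"
    echo "freebsd sample:       $(assess "$FREEBSD_XZ" "$FREEBSD_LDD")"
fi
```

Run with no arguments to see the verdicts for the two constructed samples; `sh xzcheck.sh --live` runs the same logic against the host's own `xz` and `sshd`. The second sample mirrors the situation the thread describes for FreeBSD 14-stable and main: xz 5.6.0 in base, but an sshd that does not load liblzma, hence `xz-affected` rather than `exposed`. The script only covers the sshd linkage path discussed above; it says nothing about other programs that load liblzma.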