Date: Thu, 11 Apr 2024 10:26:11 -0700
From: Cy Schubert <Cy.Schubert@cschubert.com>
To: Dag-Erling Smørgrav <des@FreeBSD.org>
Cc: "Chen, Alvin W" <Weike.Chen@Dell.com>, Gordon Tetlow <gordon@tetlows.org>, Shawn Webb <shawn.webb@hardenedbsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected
Message-ID: <20240411172611.7FE6A3AD@slippy.cwsent.com>
In-Reply-To: <86v84t5vio.fsf@ltc.des.dev>
References: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org> <xeiec7rsjjd4sztlxztka4f5uopea3sqpm6jb6jalrxsraogrm@zpnprx5pg72c> <E00E547B-D7B9-4A6D-B439-EA95EA1FCE16@tetlows.org> <PH0PR19MB4938C9F692909F7A993E9C319E012@PH0PR19MB4938.namprd19.prod.outlook.com> <86v84t5vio.fsf@ltc.des.dev>

In message <86v84t5vio.fsf@ltc.des.dev>, Dag-Erling Smørgrav writes:
> "Chen, Alvin W" <Weike.Chen@Dell.com> writes:
> > My understanding is: the 'xz' built from FreeBSD is not impacted, but
> > the 'xz' built from Linux and run based on FreeBSD Linux ABI could be
> > impacted.
>
> It is certainly possible to build liblzma with the backdoor on a Linux
> host (or in a Linux jail on a FreeBSD host) and run it on a FreeBSD
> host.  However, the backdoor does nothing unless loaded into an sshd
> process, so you would still not be affected unless you were running a
> Linux sshd binary and that sshd binary loaded the backdoored liblzma.
> FreeBSD's sshd binary (whether from base or ports) does not load
> liblzma, and if it did, it would not be able to load a Linux version of
> the library.

The backdoor also required sshd be linked against liblzma (because libsystemd requires it). OpenSSH doesn't use liblzma by default. liblzma is a systemd requirement.

BTW, Lasse Collin's GH account and the xz repo have been re-enabled. It was pointed out to me at $JOB yesterday that he's been busy repairing xz. Looking at his commits, he certainly has been. This is good news.

--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

e^(i*pi)+1=0
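
The linkage condition discussed in this message (liblzma only reaches sshd where sshd pulls in libsystemd) can be checked from `ldd` output. The following is an added example, not part of the message or of any FreeBSD tooling; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Classify an sshd binary from its `ldd` output, read on stdin.
# Prints exactly one of:
#   no-liblzma              liblzma is not in sshd's dependency closure
#   liblzma-via-libsystemd  liblzma is present together with libsystemd
#   liblzma-other           liblzma is present without libsystemd
classify_sshd_deps() {
    awk '
        # ldd lines look like: "  libfoo.so.N => /path/libfoo.so.N (0x...)"
        $1 ~ /^liblzma\.so/    { lzma = 1 }
        $1 ~ /^libsystemd\.so/ { systemd = 1 }
        END {
            if (!lzma)        print "no-liblzma"
            else if (systemd) print "liblzma-via-libsystemd"
            else              print "liblzma-other"
        }'
}

# Constructed sample: an sshd that does not load liblzma.
sample_sshd_without_lzma() {
cat <<'EOF'
/usr/sbin/sshd:
    libcrypto.so.30 => /lib/libcrypto.so.30 (0x0000000000000000)
    libz.so.6 => /lib/libz.so.6 (0x0000000000000000)
    libc.so.7 => /lib/libc.so.7 (0x0000000000000000)
EOF
}

# Constructed sample: an sshd patched to link libsystemd, which brings liblzma.
sample_sshd_with_systemd() {
cat <<'EOF'
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000000000000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000000000000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000000000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000000)
EOF
}

# Check a real binary; the default path is an assumption, pass your own.
check_local_sshd() {
    bin=${1:-/usr/sbin/sshd}
    [ -x "$bin" ] || { echo "no sshd at $bin" >&2; return 2; }
    ldd "$bin" | classify_sshd_deps
}

printf 'without liblzma: %s\n' "$(sample_sshd_without_lzma | classify_sshd_deps)"
printf 'with libsystemd: %s\n' "$(sample_sshd_with_systemd | classify_sshd_deps)"
```

On a live host, run `check_local_sshd /path/to/sshd`; `ldd` lists the full dependency closure, so a library pulled in indirectly through libsystemd is still reported.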