Date: Thu, 04 Apr 2024 08:06:26 +0200 (CEST) From: sthaug@nethelp.no To: freebsd-current@freebsd.org Subject: Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1 Message-ID: <20240404.080626.2156450008475679449.sthaug@nethelp.no> In-Reply-To: <5e546bba-7d06-452b-ad8c-76555e1b1c14@gmail.com> References: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de> <5e546bba-7d06-452b-ad8c-76555e1b1c14@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
>> I have to report to my superiors (we're using 14-STABLE and CURRENT >> and I do so in private), >> so I would like to welcome any comment on that. > > No it does not affect FreeBSD. > > The autoconf script checks that it is running in a RedHat or Debian > package build environment before trying to proceed. There are also > checks for GCC and binutils ld.bfd. And I'm not sure that the payload > (a precompiled Linux object file) would work with FreeBSD and > /lib/libelf.so.2. > > See > > https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 See also the following message from the FreeBSD security officer: https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html Steinar Haug, Nethelp consulting, sthaug@nethelp.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20240404.080626.2156450008475679449.sthaug>