Date: Thu, 4 Apr 2024 06:03:56 +0000
From: Paul Floyd <paulf2718@gmail.com>
To: freebsd-current@freebsd.org
Subject: Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
Message-ID: <5e546bba-7d06-452b-ad8c-76555e1b1c14@gmail.com>
In-Reply-To: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>
References: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>
On 04-04-24 05:49, FreeBSD User wrote:
> Hello,
>
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
>
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me
> to judge whether the described exploit mechanism also works on FreeBSD.
> RedHat already sent out a warning; the workaround is to move back towards an older variant.
>
> I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private),
> so I would like to welcome any comment on that.

No, it does not affect FreeBSD. The autoconf script checks that it is running in a RedHat or Debian package build environment before trying to proceed. There are also checks for GCC and binutils ld.bfd. And I'm not sure that the payload (a precompiled Linux object file) would work with FreeBSD and /lib/libelf.so.2.

See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

A+
Paul
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5e546bba-7d06-452b-ad8c-76555e1b1c14>
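The thread names the two affected releases (xz 5.6.0 and 5.6.1) and the workaround (go back to an older version). The script below is an added example for checking a host against that affected set; it is not from the thread, from the xz project or from FreeBSD. It parses the two-line banner that `xz --version` prints (the tool version on line 1, the liblzma version on line 2) and flags a host if either one is 5.6.0 or 5.6.1, since the library is where the build-time payload ends up. The function names and the sample banners are this example's own; "clean" only means "not one of the two affected releases", not a verdict on how the binary was built.

```shell
#!/bin/sh
# Added example: classify an xz/liblzma version against the CVE-2024-3094
# affected set (5.6.0 and 5.6.1). Function names and sample banners below
# are this example's own, not from the thread or from the xz project.

# Prints "affected" for the two known-bad releases, "clean" for anything else.
xz_version_status() {
    case "$1" in
        5.6.0|5.6.1) echo affected ;;
        *)           echo clean ;;
    esac
}

# Pull the version numbers out of `xz --version` output, which looks like:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# Line 1 is the command-line tool, line 2 the library; one version per line.
xz_banner_versions() {
    printf '%s\n' "$1" | awk 'NR <= 2 && NF > 0 { print $NF }'
}

# Overall verdict for a banner: "affected" if the tool OR liblzma is a bad
# release, "clean" if neither is, "unknown" if no version could be parsed.
xz_banner_status() {
    status=clean
    n=0
    for v in $(xz_banner_versions "$1"); do
        n=$((n + 1))
        if [ "$(xz_version_status "$v")" = affected ]; then
            status=affected
        fi
    done
    if [ "$n" -eq 0 ]; then
        echo unknown
    else
        echo "$status"
    fi
}

# Live check of the xz on this host; harmless when xz is not installed.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed"
        return 0
    fi
    banner=$(xz --version 2>/dev/null) || banner=""
    echo "xz: $(xz_banner_status "$banner") ($(xz_banner_versions "$banner" | tr '\n' ' '))"
}

# Constructed sample banners (not captured from any real system).
SAMPLE_BANNER_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_BANNER_OK='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
# A mismatched install: older tool, but the library was updated to a bad release.
SAMPLE_BANNER_MIXED='xz (XZ Utils) 5.4.6
liblzma 5.6.0'

check_installed_xz
```

Run it as-is on a FreeBSD or Linux box to get a one-line verdict for the installed xz; the mixed-banner sample is there because a package upgrade can replace liblzma while an older `xz` binary remains on the path, and it is the library version that matters.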