From what is publicly known it injected malicious code (through m4 macro using payload hidden in obfuscated compressed test file) into built liblzma.so.5 which then hijacks RSA_public_decrypt call e.g. in sshd (when sshd is built with patch adding systemd notifications which brings liblzma dependency to sshd e.g. on debian and ubuntu based systems).

The build systems which just built this xz version shouldn't be affected (as it won't be using the liblzma.so from the OE build on the host). This publicly known part should be OK for OE, but it's right to be worried about the other things which aren't known (not only from these guys or from xz project).

Regards,

On Sat, Mar 30, 2024 at 1:52 PM Alexander Kanavin <[email protected]> wrote:
>
> I'm slightly worried. Does this compromise build systems (given that back
> door was injected into autoconf scripts) or only systems where xz binaries
> are installed?
>
> Ale
>
> On Sat 30. Mar 2024 at 13.26, Richard Purdie
> <[email protected]> wrote:
>>
>> On Sat, 2024-03-30 at 13:08 +0100, Marta Rybczynska wrote:
>> > Absolutely confirm. DO NOT UPDATE
>> >
>> > Marta
>> >
>> > On Sat, 30 Mar 2024, 02:04 Mark Hatle,
>> > <[email protected]> wrote:
>> > > I know this request is a week or so old..
>> > >
>> > > But do NOT upgrade to 'xz' 5.6.0 or 5.6.1. It has been
>> > > compromised:
>> > >
>> > > https://www.openwall.com/lists/oss-security/2024/03/29/4
>> > >
>> > > --Mark
>>
>> We're not going to. The upgrade was already dropped after it failed
>> build testing. I do wonder why it failed.
>>
>> https://autobuilder.yoctoproject.org/typhoon/#/builders/48/builds/8737
>>
>> I've ensured the sources were removed from our mirrors too.
>>
>> Cheers,
>>
>> Richard
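A host triage check for the two points raised in this thread (whether the installed xz is one of the 5.6.0/5.6.1 releases, and whether the host's sshd pulls in liblzma through the systemd-notify dependency), added here as an example and not part of the thread or the xz/OE projects. It assumes `xz --version` prints a first line of the form `xz (XZ Utils) 5.6.1` and that `ldd /usr/sbin/sshd` lists the dependency tree; the sample ldd listing is constructed.

```shell
#!/bin/sh
# Triage helpers for the xz 5.6.0/5.6.1 incident: is the installed xz one of
# the two bad releases, and does this host's sshd pull in liblzma at all (the
# precondition for the RSA_public_decrypt hijack via the systemd-notify patch)?
# Added example; the banner and ldd formats below are assumptions.

# Version from the first line of `xz --version`, e.g. "xz (XZ Utils) 5.6.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) only for the two releases named in the thread.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# True if an ldd listing shows liblzma anywhere in the dependency tree
# (directly or pulled in through libsystemd).
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample of `ldd /usr/sbin/sshd` on a Debian-style host with the
# systemd-notify patch; paths and load addresses are made up.
sample_sshd_ldd() {
    cat <<'EOF'
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0a1c100000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0a1c0c0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1be00000)
EOF
}

# Live check of this host, one line per finding.
run_triage() {
    ver=$(xz_version_from_banner "$(xz --version 2>/dev/null | head -n 1)")
    if xz_version_affected "$ver"; then
        echo "xz $ver: compromised release, do not build or install it"
    else
        echo "xz ${ver:-not found}: not one of the known-bad releases"
    fi
    if ldd_links_liblzma "$(ldd /usr/sbin/sshd 2>/dev/null)"; then
        echo "sshd links liblzma: hijack precondition present on this host"
    else
        echo "sshd does not link liblzma"
    fi
}
# Only run the live check when asked, so the helpers can also be sourced.
if [ "${XZ_TRIAGE_RUN:-0}" = 1 ]; then run_triage; fi
```

Run it with `XZ_TRIAGE_RUN=1 sh xz-triage.sh` on a host to get both findings; a clean xz version with sshd still linking liblzma is worth recording, since that link is what makes the hijack reachable if a bad build ever lands.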
View/Reply Online (#197651): https://lists.openembedded.org/g/openembedded-core/message/197651
