Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
On April 4, 2024 07:50:55 FreeBSD User wrote:
> Hello,
>
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
>
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited
> skills do not allow me to judge whether the described exploit mechanism
> also works on FreeBSD. RedHat already sent out a warning, the workaround
> is to move back towards an older variant.
>
> I have to report to my superiors (we're using 14-STABLE and CURRENT and
> I do so in private), so I would like to welcome any comment on that.
>
> Thanks in advance,
>
> O. Hartmann
>
> --
> O. Hartmann

As noted on freebsd-security last Friday:

FreeBSD is not affected by the recently announced backdoor included in the
5.6.0 and 5.6.1 xz releases. All supported FreeBSD releases include versions
of xz that predate the affected releases. The main, stable/14, and stable/13
branches do include the affected version (5.6.0), but the backdoor
components were excluded from the vendor import. Additionally, FreeBSD does
not use the upstream's build tooling, which was a required part of the
attack. Lastly, the attack specifically targeted x86_64 Linux systems using
glibc.
Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
On 4/4/24 00:49, FreeBSD User wrote:
> Hello,
>
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
>
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited
> skills do not allow me to judge whether the described exploit mechanism
> also works on FreeBSD. RedHat already sent out a warning, the workaround
> is to move back towards an older variant.
>
> I have to report to my superiors (we're using 14-STABLE and CURRENT and
> I do so in private), so I would like to welcome any comment on that.
>
> Thanks in advance,
>
> O. Hartmann

See so@'s answer from a couple days ago:

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

TL;DR no

Thanks,

Kyle Evans
Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
On Thu, 04 Apr 2024 08:06:26 +0200 (CEST) sth...@nethelp.no wrote:

> >> I have to report to my superiors (we're using 14-STABLE and CURRENT
> >> and I do so in private),
> >> so I would like to welcome any comment on that.
> >
> > No it does not affect FreeBSD.
> >
> > The autoconf script checks that it is running in a RedHat or Debian
> > package build environment before trying to proceed. There are also
> > checks for GCC and binutils ld.bfd. And I'm not sure that the payload
> > (a precompiled Linux object file) would work with FreeBSD and
> > /lib/libelf.so.2.
> >
> > See
> >
> > https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
>
> See also the following message from the FreeBSD security officer:
>
> https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
>

Thank you very much for the quick answer.

Kind regards

oh

--
O. Hartmann
Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
>> I have to report to my superiors (we're using 14-STABLE and CURRENT
>> and I do so in private),
>> so I would like to welcome any comment on that.
>
> No it does not affect FreeBSD.
>
> The autoconf script checks that it is running in a RedHat or Debian
> package build environment before trying to proceed. There are also
> checks for GCC and binutils ld.bfd. And I'm not sure that the payload
> (a precompiled Linux object file) would work with FreeBSD and
> /lib/libelf.so.2.
>
> See
>
> https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

See also the following message from the FreeBSD security officer:

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
On 04-04-24 05:49, FreeBSD User wrote:
> Hello,
>
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
>
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited
> skills do not allow me to judge whether the described exploit mechanism
> also works on FreeBSD. RedHat already sent out a warning, the workaround
> is to move back towards an older variant.
>
> I have to report to my superiors (we're using 14-STABLE and CURRENT and
> I do so in private), so I would like to welcome any comment on that.

No it does not affect FreeBSD.

The autoconf script checks that it is running in a RedHat or Debian
package build environment before trying to proceed. There are also
checks for GCC and binutils ld.bfd. And I'm not sure that the payload
(a precompiled Linux object file) would work with FreeBSD and
/lib/libelf.so.2.

See

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

A+
Paul
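A version-triage helper, added here as an example and not part of this thread or of FreeBSD's or xz's own tooling: it classifies an XZ Utils version string against the two releases named in the CVE, and carries so@'s caveat from earlier in the thread that a 5.6.0 string on FreeBSD's main and stable branches does not imply the backdoor components are present. The `xz --version` banner format and the sample strings are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeBSD: classify an
# XZ Utils version against the upstream releases named in CVE-2024-3094
# (5.6.0 and 5.6.1).
# Caveat from so@'s note: on FreeBSD main, stable/14 and stable/13 the
# version reads 5.6.0 although the backdoor components were excluded from
# the vendor import, so "affected" here means "version matches, verify the
# provenance of the build", not a confirmed compromise.

# Extract the numeric version from the first line of `xz --version`,
# assumed to look like "xz (XZ Utils) 5.6.1". Prints nothing on no match.
xz_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^xz (XZ Utils) \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Print one of: predates (older than 5.6.0), affected (5.6.0 or 5.6.1),
# later (newer than 5.6.1, not among the named releases).
xz_classify_version() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split "maj.min.pat" on the dots
    IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    if [ "$maj" -lt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -lt 6 ]; }; then
        echo predates
    elif [ "$maj" -eq 5 ] && [ "$min" -eq 6 ] && [ "$pat" -le 1 ]; then
        echo affected
    else
        echo later
    fi
}

# Check the xz binary on PATH. Exit status: 0 = absent or not one of the
# named releases, 1 = version matches a named release, 2 = banner unparsable.
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz: not installed"; return 0; }
    ver=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
    [ -n "$ver" ] || { echo "xz: could not parse version banner"; return 2; }
    class=$(xz_classify_version "$ver")
    echo "xz $ver: $class"
    [ "$class" != affected ]
}
```

On a FreeBSD development branch the helper will report 5.6.0 as "affected"; the thread's point is that the next step there is to confirm the vendor import excluded the build-tooling components, not to roll back.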