Discussion:
CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
FreeBSD User
2024-04-04 05:49:56 UTC
Hello,

I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094

FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me
to judge whether the described exploit mechanism also works on FreeBSD.
RedHat already sent out a warning, the workaround is to move back towards an older variant.

I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private),
so I would like to welcome any comment on that.

Thanks in advance,

O. Hartmann
--
O. Hartmann


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Paul Floyd
2024-04-04 06:03:56 UTC
Post by FreeBSD User
Hello,
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me
to judge whether the described exploit mechanism also works on FreeBSD.
RedHat already sent out a warning, the workaround is to move back towards an older variant.
I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private),
so I would like to welcome any comment on that.
No it does not affect FreeBSD.

The autoconf script checks that it is running in a RedHat or Debian
package build environment before trying to proceed. There are also
checks for GCC and binutils ld.bfd. And I'm not sure that the payload (a
precompiled Linux object file) would work with FreeBSD and /lib/libelf.so.2.

See

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

A+
Paul


s***@nethelp.no
2024-04-04 06:06:26 UTC
Post by Paul Floyd
Post by FreeBSD User
I have to report to my superiors (we're using 14-STABLE and CURRENT
and I do so in private),
so I would like to welcome any comment on that.
No it does not affect FreeBSD.
The autoconf script checks that it is running in a RedHat or Debian
package build environment before trying to proceed. There are also
checks for GCC and binutils ld.bfd. And I'm not sure that the payload
(a precompiled Linux object file) would work with FreeBSD and
/lib/libelf.so.2.
See
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
See also the following message from the FreeBSD security officer:

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

Steinar Haug, Nethelp consulting, ***@nethelp.no


FreeBSD User
2024-04-04 06:13:02 UTC
On Thu, 04 Apr 2024 08:06:26 +0200 (CEST)
Post by s***@nethelp.no
Post by Paul Floyd
Post by FreeBSD User
I have to report to my superiors (we're using 14-STABLE and CURRENT
and I do so in private),
so I would like to welcome any comment on that.
No it does not affect FreeBSD.
The autoconf script checks that it is running in a RedHat or Debian
package build environment before trying to proceed. There are also
checks for GCC and binutils ld.bfd. And I'm not sure that the payload
(a precompiled Linux object file) would work with FreeBSD and
/lib/libelf.so.2.
See
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
Thank you very much for the quick answer.

Kind regards
oh
--
O. Hartmann


Kyle Evans
2024-04-04 06:14:52 UTC
Post by FreeBSD User
Hello,
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me
to judge whether the described exploit mechanism also works on FreeBSD.
RedHat already sent out a warning, the workaround is to move back towards an older variant.
I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private),
so I would like to welcome any comment on that.
Thanks in advance,
O. Hartmann
See so@'s answer from a couple days ago:

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

TL;DR no

Thanks,

Kyle Evans


FreeBSD User
2024-04-06 07:23:49 UTC
On Thu, 4 Apr 2024 01:14:52 -0500
Post by s***@nethelp.no
Post by FreeBSD User
Hello,
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow
me to judge whether the described exploit mechanism also works on FreeBSD.
RedHat already sent out a warning, the workaround is to move back towards an older variant.
I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in
private), so I would like to welcome any comment on that.
Thanks in advance,
O. Hartmann
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
TL;DR no
Thanks,
Kyle Evans
Thank you very much.

Kind regards,

oh
--
O. Hartmann


Ben C. O. Grimm
2024-04-04 06:56:28 UTC
Post by FreeBSD User
Hello,
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited
skills do not allow me
to judge whether the described exploit mechanism also works on FreeBSD.
RedHat already sent out a warning, the workaround is to move back towards an older variant.
I have to report to my superiors (we're using 14-STABLE and CURRENT and I
do so in private),
so I would like to welcome any comment on that.
Thanks in advance,
O. Hartmann
--
O. Hartmann
As noted on freebsd-security last Friday:

FreeBSD is not affected by the recently announced backdoor included in the
5.6.0 and 5.6.1 xz releases.

All supported FreeBSD releases include versions of xz that predate the
affected releases.

The main, stable/14, and stable/13 branches do include the affected version
(5.6.0), but the backdoor components were excluded from the vendor import.
Additionally, FreeBSD does not use the upstream's build tooling, which was
a required part of the attack. Lastly, the attack specifically targeted
x86_64 Linux systems using glibc.
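A triage helper that encodes the two conditions stated in the so@ message quoted above (one of the two affected releases installed, and the x86_64 Linux/glibc platform the backdoor targeted), added here as an example; it is not part of the thread or of FreeBSD's tooling, and the `xz --version` outputs it checks are constructed samples.

```shell
# Added example, not from the thread. Applies the advisory's two conditions:
# liblzma is one of the two backdoored releases AND the host is the x86_64
# Linux/glibc platform the backdoor was built for. Samples are constructed.

# Extract the liblzma version from `xz --version` output, whose second
# line reads e.g. "liblzma 5.6.0".
liblzma_version() {
    printf '%s\n' "$1" | awk '$1 == "liblzma" { print $2; exit }'
}

# True (exit 0) only for the two releases named in CVE-2024-3094.
xz_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# True when kernel/arch/libc match the platform the backdoor targeted.
# The libc name is supplied by the operator; there is no portable probe.
target_platform() {
    [ "$1" = "Linux" ] && [ "$2" = "x86_64" ] && [ "$3" = "glibc" ]
}

# Verdict as exit status: 0 affected, 2 version match but platform not
# targeted (the FreeBSD 14-STABLE case), 1 not affected.
triage() {
    ver=$(liblzma_version "$1")
    if xz_affected "$ver" && target_platform "$2" "$3" "$4"; then
        echo "AFFECTED: liblzma $ver on $2 $3/$4; follow the vendor advisory"
        return 0
    elif xz_affected "$ver"; then
        echo "VERSION-MATCH-ONLY: liblzma $ver, but $2 $3/$4 was not targeted"
        return 2
    fi
    echo "NOT-AFFECTED: liblzma ${ver:-unknown}"
    return 1
}

# Constructed samples: a Linux box with 5.6.0, a FreeBSD 14-STABLE box that
# also reports 5.6.0 (backdoor components excluded at import), an older xz.
SAMPLE_LINUX='xz (XZ Utils) 5.6.0
liblzma 5.6.0'
SAMPLE_FREEBSD="$SAMPLE_LINUX"
SAMPLE_OLD='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
triage "$SAMPLE_LINUX"   Linux   x86_64 glibc || :
triage "$SAMPLE_FREEBSD" FreeBSD amd64  libc  || :
triage "$SAMPLE_OLD"     Linux   x86_64 glibc || :
```

The version number alone is not a sufficient indicator on FreeBSD, which is why the helper reports a separate verdict when the release matches but the platform does not.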