Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1

From: Paul Floyd <paulf2718_at_gmail.com>
Date: Thu, 04 Apr 2024 06:03:56 UTC

On 04-04-24 05:49, FreeBSD User wrote:
> Hello,
> 
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
> 
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me
> to judge whether the described exploit mechanism also works on FreeBSD.
> RedHat has already sent out a warning; the workaround is to move back towards an older variant.
> 
> I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private),
> so I would like to welcome any comment on that.

No, it does not affect FreeBSD.

The autoconf script checks that it is running in a RedHat or Debian 
package build environment before trying to proceed. There are also 
checks for GCC and binutils ld.bfd. And I'm not sure that the payload (a 
precompiled Linux object file) would work with FreeBSD and /lib/libelf.so.2.

See

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

A+
Paul
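The gating conditions Paul lists (a Linux RPM or Debian package build, GCC, binutils ld.bfd, and xz 5.6.0 or 5.6.1 from the subject line) translate directly into a host exposure check. The script below is an added example written for this page, not code from the FreeBSD project, the xz project, or the linked gist. It does not look for the payload itself; it only reports whether a host meets the build-time conditions the reply describes. The x86_64 requirement, the `debian/rules` test and the `RPM_ARCH=x86_64` test are assumptions modelled on the linked gist's description, not facts stated in the e-mail, and each function takes the relevant tool output as an argument so it can be exercised on constructed strings as well as on the live host.

```shell
#!/bin/sh
# Exposure check written for this page (not a FreeBSD or xz-utils tool). It
# mirrors the build-time gating described in the reply above: the backdoored
# configure logic is reported to proceed only on x86_64 Linux, inside an RPM
# or Debian package build, with GCC and binutils ld.bfd. The concrete tests
# below are assumptions modelled on that description; nothing here inspects
# the payload, it only says whether a host meets those conditions.

# $1: full `xz --version` output. Returns 0 if the release is 5.6.0 or 5.6.1
# (the first line ends with the version token, e.g. "xz (XZ Utils) 5.6.0").
xz_is_affected_version() {
    _xz_ver=$(printf '%s\n' "$1" | awk 'NR == 1 { print $NF }')
    case "$_xz_ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# $1: `cc --version` output. Returns 0 if the compiler is GCC. clang names
# itself in its banner; GCC prints the FSF copyright line or "GCC".
compiler_is_gcc() {
    case "$1" in
        *clang*)                            return 1 ;;
        *"Free Software Foundation"*|*GCC*) return 0 ;;
        *)                                  return 1 ;;
    esac
}

# $1: `ld --version` output. Returns 0 for binutils ld.bfd ("GNU ld ...").
# FreeBSD's lld prints "LLD ... (compatible with GNU linkers)", which does
# not match.
linker_is_bfd() {
    case "$1" in
        "GNU ld"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# $1: source directory, $2: value of RPM_ARCH. Returns 0 if this looks like a
# Debian (debian/rules present) or RPM (RPM_ARCH=x86_64) package build.
# Assumption: these are the indicators the build script is said to test.
in_package_build_env() {
    [ -f "$1/debian/rules" ] || [ "$2" = "x86_64" ]
}

# $1: uname -s, $2: uname -m, $3: xz --version, $4: cc --version,
# $5: ld --version, $6: srcdir, $7: RPM_ARCH.
# Prints "exposed" or "not-exposed: <first condition that fails>".
exposure_verdict() {
    if [ "$1" != "Linux" ] || [ "$2" != "x86_64" ]; then
        echo "not-exposed: not x86_64 Linux ($1/$2)"
    elif ! xz_is_affected_version "$3"; then
        echo "not-exposed: xz is not 5.6.0 or 5.6.1"
    elif ! compiler_is_gcc "$4"; then
        echo "not-exposed: compiler is not GCC"
    elif ! linker_is_bfd "$5"; then
        echo "not-exposed: linker is not binutils ld.bfd"
    elif ! in_package_build_env "$6" "$7"; then
        echo "not-exposed: not an RPM or Debian package build"
    else
        echo "exposed"
    fi
}

# Stand-alone run: probe this host. A missing tool leaves its field empty,
# which counts as "condition not met".
probe() { command -v "$1" >/dev/null 2>&1 && "$@" 2>&1 || true; }
exposure_verdict "$(uname -s)" "$(uname -m)" "$(probe xz --version)" \
    "$(probe cc --version)" "$(probe ld --version)" "${srcdir:-.}" "${RPM_ARCH:-}"
```

On a 14-STABLE box the first condition already fails (uname reports FreeBSD/amd64), and even if that were skipped the base toolchain is clang plus lld, so the compiler and linker checks fail as well; that is the same conclusion the reply reaches, expressed as something a reader can paste into a ticket for their superiors. A verdict of "exposed" means only that the host matches the reported gating, not that its liblzma is modified; confirming that still requires comparing the installed library against a known-good build.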