Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
Date: Thu, 04 Apr 2024 06:06:26 UTC
>> I have to report to my superiors (we're using 14-STABLE and CURRENT
>> and I do so in private),
>> so I would like to welcome any comment on that.
>
> No it does not affect FreeBSD.
>
> The autoconf script checks that it is running in a RedHat or Debian
> package build environment before trying to proceed. There are also
> checks for GCC and binutils ld.bfd. And I'm not sure that the payload
> (a precompiled Linux object file) would work with FreeBSD and
> /lib/libelf.so.2.
>
> See
>
> https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

See also the following message from the FreeBSD security officer:

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
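
Added example, not part of the original message or of any project named in it: a shell triage helper that classifies `xz --version` output against the two releases named in the subject line and reports the operating system separately, since the reply above describes the payload as a precompiled Linux object file. The function names, result labels and sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `xz --version` output for the releases named in
# CVE-2024-3094 (xz 5.6.0 and 5.6.1). Names and labels are hypothetical.

# Read `xz --version` text on stdin and print every version it reports.
# The tool prints one line for the xz binary and one for liblzma; both are
# checked because the binary and the library can come from different packages.
xz_versions() {
    awk '/^xz \(XZ Utils\) / || /^liblzma / { print $NF }'
}

# classify "<xz --version text>" "<uname -s value>"
# Prints: flagged-release-linux | flagged-release-other-os | not-flagged | unparsed
classify() {
    versions=$(printf '%s\n' "$1" | xz_versions)
    [ -n "$versions" ] || { echo unparsed; return 0; }
    for v in $versions; do
        case "$v" in
            5.6.0|5.6.1)
                # A hit on a non-Linux system is reported separately for
                # manual review rather than silently treated as clean.
                if [ "$2" = Linux ]; then
                    echo flagged-release-linux
                else
                    echo flagged-release-other-os
                fi
                return 0 ;;
        esac
    done
    echo not-flagged
}

# Classify the host this script runs on.
check_host() {
    classify "$(xz --version 2>/dev/null)" "$(uname -s)"
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_FLAGGED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_MIXED='xz (XZ Utils) 5.4.5
liblzma 5.6.0'
SAMPLE_OK='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
```

Source the file and call `check_host` on each machine in the inventory; an `unparsed` result means `xz` was missing or printed an unexpected format and the host needs a manual look.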