CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1

Reply: Kyle Evans : "Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1"
Reply: Ben C. O. Grimm: "Re: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: FreeBSD User <freebsd_at_walstatt-de.de>
Date: Thu, 04 Apr 2024 05:49:56 UTC

Hello,

I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094

FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me
to judge wether the described exploit mechanism also works on FreeBSD.
RedHat already sent out a warning, the workaround is to move back towards an older variant.

I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private),
so I would like to welcome any comment on that.

Thanks in advance,

O. Hartmann


-- 
O. Hartmann