Date: Thu, 4 Apr 2024 07:49:56 +0200
From: FreeBSD User <freebsd@walstatt-de.de>
To: FreeBSD CURRENT <freebsd-current@freebsd.org>, freebsd-security@freebsd.org
Subject: CVE-2024-3094: malicious code in xz 5.6.0 and xz 5.6.1
Message-ID: <20240404075023.3de63e28@thor.intern.walstatt.dynvpn.de>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hello,

I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094

FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do not allow me to judge whether the described exploit mechanism also works on FreeBSD. RedHat already sent out a warning, the workaround is to move back towards an older variant.

I have to report to my superiors (we're using 14-STABLE and CURRENT and I do so in private), so I would like to welcome any comment on that.

Thanks in advance,

O. Hartmann

-- 
O. Hartmann
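A first inventory step a defender can run on the hosts in question, added here as an example and not part of the post above: parse the version lines that `xz --version` prints (assumed to be "xz (XZ Utils) X.Y.Z" followed by "liblzma X.Y.Z") and flag the two releases named in CVE-2024-3094. The `xz_affected` and `check_installed_xz` names are this example's own.

```shell
#!/bin/sh
# Added example: report whether the xz/liblzma on this host is one of the two
# releases named in CVE-2024-3094 (5.6.0 and 5.6.1). A match means the build
# should be treated as untrusted and rolled back, as the advisory recommends.

# xz_affected VERSION -> exit 0 when VERSION is an affected release, 1 otherwise
xz_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# xz_version_from_output OUTPUT -> print the xz version from the first line,
# assuming the upstream format "xz (XZ Utils) X.Y.Z"
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# liblzma_version_from_output OUTPUT -> print the library version from the
# second line, assuming the upstream format "liblzma X.Y.Z"
liblzma_version_from_output() {
    printf '%s\n' "$1" | sed -n '2s/^liblzma \([0-9][0-9.]*\).*/\1/p'
}

# check_installed_xz -> 0 if the installed xz and liblzma are outside the
# affected range, 1 if either matches, 2 if no xz binary is on PATH
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz: not found on PATH"; return 2; }
    out=$(xz --version 2>/dev/null)
    xzv=$(xz_version_from_output "$out")
    libv=$(liblzma_version_from_output "$out")
    status=0
    for v in "$xzv" "$libv"; do
        if xz_affected "$v"; then
            echo "AFFECTED: version $v matches CVE-2024-3094"
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "xz $xzv / liblzma $libv: not in the affected range"
    return "$status"
}

# Run the check when executed directly rather than sourced for its functions.
[ "${0##*/}" = "xz_check.sh" ] && check_installed_xz
```

Version matching alone does not prove a build is clean (a patched 5.6.x or a distro backport would need package-level verification), but it is the quick triage step the advisory's rollback advice rests on.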