Re: Disclosed backdoor in xz releases - FreeBSD not affected

From: Cédric Weis <hawei_at_free.fr>
Date: Sun, 07 Apr 2024 11:56:24 UTC
Unsubscribe me please. I don't know how to to it by myself.

Le 07/04/2024 11:35, « Chen, Alvin W » <owner-freebsd-security@freebsd.org <mailto:owner-freebsd-security@freebsd.org> au nom de Weike.Chen@Dell.com <mailto:Weike.Chen@Dell.com>> a écrit :


> >> All supported FreeBSD releases include versions of xz that predate the
> affected releases.
> >>
> >> The main, stable/14, and stable/13 branches do include the affected version
> (5.6.0), but the backdoor components were excluded from the vendor import.
> Additionally, FreeBSD does not use the upstream's build tooling, which was a
> required part of the attack. Lastly, the attack specifically targeted x86_64 Linux
> systems using glibc.
> >
> > Hey Gordon,
> >
> > Is there potential for Linux jails on FreeBSD systems (ie, deployments
> > making use of the Linxulator) to be impacted? Assuming amd64 here,
> > too.
>
> Hard to say for certain, but I suspect the answer is yes. If the jail has the
> vulnerable software installed, there is a decent chance it would be affected. At
> that point, I would refer to the vulnerability statement published by the Linux
> distro the jail is based on. I don’t believe the vulnerability has any kernel
> dependencies that FreeBSD would provide protection.
>
> Certainly, in the world of being conservatively cautious, I would immediately
> address any such Linux jails.
>
> Gordon
My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run based on FreeBSD Linux ABI could be impacted.
Please correct my if I am wrong.


Internal Use - Confidential