From: Cédric Weis <hawei@free.fr>
To: "Chen, Alvin W", Gordon Tetlow, Shawn Webb
CC: freebsd-security@freebsd.org
Date: Sun, 07 Apr 2024 13:56:24 +0200
Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected
References: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Unsubscribe me please. I don't know how to do it by myself.

On 07/04/2024 11:35, « Chen, Alvin W » on behalf of Weike.Chen@Dell.com wrote:

> >> All supported FreeBSD releases include versions of xz that predate the affected releases.
> >>
> >> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.
> >
> > > Hey Gordon,
> > >
> > > Is there potential for Linux jails on FreeBSD systems (i.e., deployments making use of the Linuxulator) to be impacted? Assuming amd64 here, too.
> >
> > Hard to say for certain, but I suspect the answer is yes. If the jail has the vulnerable software installed, there is a decent chance it would be affected. At that point, I would refer to the vulnerability statement published by the Linux distro the jail is based on. I don't believe the vulnerability has any kernel dependencies against which FreeBSD would provide protection.
> >
> > Certainly, in the world of being conservatively cautious, I would immediately address any such Linux jails.
> >
> > Gordon
>
> My understanding is: the 'xz' built from FreeBSD is not impacted, but the 'xz' built from Linux and run on the FreeBSD Linux ABI could be impacted. Please correct me if I am wrong.
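A defender's check for the question the thread leaves open (which jails carry a Linux-built xz), added here as an example and not code from the thread or from FreeBSD. It assumes jls(8) and jexec(8) are available, that xz is on PATH inside each jail, and the upstream `xz --version` format ("xz (XZ Utils) X.Y.Z" followed by "liblzma X.Y.Z"); it flags only the version the thread names, 5.6.0.

```shell
#!/bin/sh
# Added example (not from the thread): report the xz/liblzma version on the
# FreeBSD host and inside each running jail, flagging the version the thread
# names as affected (5.6.0). Assumes jls(8)/jexec(8) exist, that xz is on
# PATH inside each jail (a Linux-built xz in a Linuxulator jail runs through
# the Linux ABI and answers `xz --version` the same way), and the upstream
# version-string format "xz (XZ Utils) X.Y.Z" / "liblzma X.Y.Z".

AFFECTED="5.6.0"

# xz_versions: print every X.Y.Z found in `xz --version` output, one per
# line (the xz binary's version and liblzma's, which can differ).
xz_versions() {
    printf '%s\n' "$1" |
        sed -n 's/.*[ )]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# is_affected: succeed (exit 0) when either reported version is AFFECTED.
is_affected() {
    for v in $(xz_versions "$1"); do
        [ "$v" = "$AFFECTED" ] && return 0
    done
    return 1
}

# report: one line per target; an empty capture means no usable xz found.
report() {
    label=$1; out=$2
    if [ -z "$out" ]; then
        printf 'no xz    %s\n' "$label"
    elif is_affected "$out"; then
        printf 'AFFECTED %s: %s\n' "$label" "$(xz_versions "$out" | tr '\n' ' ')"
    else
        printf 'ok       %s: %s\n' "$label" "$(xz_versions "$out" | tr '\n' ' ')"
    fi
}

# Scan only when invoked as `./xzcheck.sh scan`, so sourcing the file for
# tests does not touch any jail.
if [ "${1:-}" = scan ]; then
    report host "$(xz --version 2>/dev/null)"
    for j in $(jls name 2>/dev/null); do
        report "jail:$j" "$(jexec "$j" xz --version 2>/dev/null)"
    done
fi
```

A jail whose xz reports 5.6.0 should be handled per the vulnerability statement of the Linux distribution it is based on, as the thread advises.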