Re: Disclosed backdoor in xz releases - FreeBSD not affected
- In reply to: Dag-Erling_Smørgrav : "Re: Disclosed backdoor in xz releases - FreeBSD not affected"
Date: Thu, 11 Apr 2024 17:26:11 UTC
In message <86v84t5vio.fsf@ltc.des.dev>, Dag-Erling Smørgrav writes:
> "Chen, Alvin W" <Weike.Chen@Dell.com> writes:
> > My understanding is: the 'xz' built from FreeBSD is not impacted, but
> > the 'xz' built from Linux and run based on FreeBSD Linux ABI could be
> > impacted.
>
> It is certainly possible to build liblzma with the backdoor on a Linux
> host (or in a Linux jail on a FreeBSD host) and run it on a FreeBSD
> host. However, the backdoor does nothing unless loaded into an sshd
> process, so you would still not be affected unless you were running a
> Linux sshd binary and that sshd binary loaded the backdoored liblzma.
> FreeBSD's sshd binary (whether from base or ports) does not load
> liblzma, and if it did, it would not be able to load a Linux version of
> the library.

The backdoor also required sshd be linked against liblzma (because
libsystemd requires it). OpenSSH doesn't use liblzma by default. liblzma
is a systemd requirement.

BTW, Lasse Collin's GH account and the xz repo have been re-enabled. It
was pointed out to me at $JOB yesterday that he's been busy repairing xz.
Looking at his commits, he certainly has been. This is good news.

--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

e^(i*pi)+1=0
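
An added example, not part of the original message or of any FreeBSD tooling: a shell check for the condition discussed above, namely whether an sshd binary's shared-library list includes liblzma and libsystemd, run here over constructed `ldd` output. The function names, verdict strings and sample library lists are assumptions made for illustration.

```shell
#!/bin/sh
# Classify `ldd`-style output read on stdin by the libraries relevant here.
# Verdicts (names chosen for this example):
#   liblzma+libsystemd  liblzma is loaded and libsystemd is present
#   liblzma             liblzma is loaded, libsystemd is not
#   no-liblzma          liblzma is not in the dependency list
classify_ldd() {
    awk '
        $1 ~ /^liblzma\.so/    { lzma = 1 }
        $1 ~ /^libsystemd\.so/ { systemd = 1 }
        END {
            if (lzma && systemd) print "liblzma+libsystemd"
            else if (lzma)       print "liblzma"
            else                 print "no-liblzma"
        }'
}

# Check a real binary, e.g. check_binary /usr/sbin/sshd
# Prints "unknown" when ldd cannot inspect the file (for example a Linux
# binary on a host without the matching loader) instead of a false "no-liblzma".
# Run ldd only on binaries you trust; some implementations execute the loader.
check_binary() {
    out=$(ldd "$1" 2>/dev/null) || { echo "unknown"; return 1; }
    printf '%s\n' "$out" | classify_ldd
}

# Constructed sample: a Linux sshd built with a distribution patch that
# links libsystemd, which in turn pulls in liblzma.
SAMPLE_LINUX_SSHD='
    linux-vdso.so.1 (0x00007ffd1c9f0000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a2b000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a2ae00000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1a2ad00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2aa00000)'

# Constructed sample: an sshd with no liblzma in its dependency list.
SAMPLE_FREEBSD_SSHD='/usr/sbin/sshd:
    libutil.so.9 => /lib/libutil.so.9 (0x82a000000)
    libcrypto.so.30 => /lib/libcrypto.so.30 (0x82b000000)
    libc.so.7 => /lib/libc.so.7 (0x82c000000)'

printf 'linux sample:   %s\n' "$(printf '%s\n' "$SAMPLE_LINUX_SSHD" | classify_ldd)"
printf 'freebsd sample: %s\n' "$(printf '%s\n' "$SAMPLE_FREEBSD_SSHD" | classify_ldd)"
```
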