From nobody Fri Mar 29 18:15:55 2024
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4V5pW449bwz5FP0H
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Fri, 29 Mar 2024 18:16:00 +0000 (UTC)
	(envelope-from shawn.webb@hardenedbsd.org)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4V5pW42Vpfz4lTq
	for <freebsd-security@freebsd.org>; Fri, 29 Mar 2024 18:16:00 +0000 (UTC)
	(envelope-from shawn.webb@hardenedbsd.org)
Authentication-Results: mx1.freebsd.org;
	none
Received: by mail-il1-x12d.google.com with SMTP id e9e14a558f8ab-36874406ac8so8968275ab.3
        for <freebsd-security@freebsd.org>; Fri, 29 Mar 2024 11:16:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=hardenedbsd.org; s=google; t=1711736159; x=1712340959; darn=freebsd.org;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=sFy4NgMkTDNUow8bRw3rRG2KoI/fgdepdhPRNkiS+4Q=;
        b=V+9tuLCZX18QidTqNvoO0w+t+Gy+IVMa91A1+A9+3nzyGdQMPLX7YCoBz+PepizWA5
         sWTEQ9SWZTBQDvvKi7LiY699dD6FsJ+RSWZRJhaaJk+6AV3eAjxa5JEXZLES5nqVLQ7N
         D1kRPAed6Sw1jLuAyeQQKUlQf+cfOxwRP7kKNj+8UK8MmQg8H3VEbqOXW1Dfo6Bf8ogf
         p7d0G+LiPwIm0+S4qvLb9FRkUu4ZBRtucOKMVKRv9LlNpWclGLim4C8pasaPmopGdQvY
         teqgmst1OR43GpmfWHcukuuZBXltBGrUQqlrJNHebdSw50blUL81wL9kU3LsJn96fSuv
         K9Ag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1711736159; x=1712340959;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=sFy4NgMkTDNUow8bRw3rRG2KoI/fgdepdhPRNkiS+4Q=;
        b=ELD1fvs0Q2DZMSGTqhM/utdjctnjISJfH2SixqL8bt20Vr8YSkBZVEO1R/bum0cPwN
         LA9G63uLFlvrRF2U3m0dmSZyahFVmEwNt4fH9/MY/x5ZIkHFb3GMzzqwjdtbotnpFNBB
         OKHNrIp4prctJyekw3LmlYwVb8eQTwHczya+i3f3s8PdP2T1qCbdWwdrz4Q+ca2+INzs
         5ViWgpLoQggsaEq1Kp/AOnD4yWqnYDdr93VwpDGraeWYi1uO4DRFJ6cAkE/gB1xMn3rk
         srzqjsaS12yZ58RNh9WtENlwKyN7gWb9p94cguikTLBIr3GsHA2B3KVUXhgFZbxjv2cC
         wcYg==
X-Gm-Message-State: AOJu0YxPBfakmLyJqDoLsd4ftvXxbOucOxnZ5JtUZ9loWZCaFHk4YCTg
	+BrXqhiVVNPbmnMDzMGS5CyK2eUXHcNnoQLjGiYE7xzq2s/IkL2OybK3SG2GlTeZiDLCJzG1AlT
	l
X-Google-Smtp-Source: AGHT+IH2sVnlexRR+gRlknVmaYVT+u/sb04pPiULJ9zi2xUe519Wi6NLJuhG8WQRtx9pzvFND6GI+A==
X-Received: by 2002:a05:6e02:152d:b0:368:a16a:d924 with SMTP id i13-20020a056e02152d00b00368a16ad924mr3460201ilu.10.1711736159053;
        Fri, 29 Mar 2024 11:15:59 -0700 (PDT)
Received: from mutt-hbsd (174-24-72-211.clsp.qwest.net. [174.24.72.211])
        by smtp.gmail.com with ESMTPSA id j5-20020a056e02154500b003646ea50e5asm1242876ilu.57.2024.03.29.11.15.58
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 29 Mar 2024 11:15:58 -0700 (PDT)
Date: Fri, 29 Mar 2024 18:15:55 +0000
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Gordon Tetlow <gordon@tetlows.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected
Message-ID: <xeiec7rsjjd4sztlxztka4f5uopea3sqpm6jb6jalrxsraogrm@zpnprx5pg72c>
X-Operating-System: FreeBSD mutt-hbsd 15.0-CURRENT-HBSD FreeBSD
 15.0-CURRENT-HBSD 
X-PGP-Key: https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/blob/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
References: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org>
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
Sender: owner-freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="tbqw4vnogsux722s"
Content-Disposition: inline
In-Reply-To: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org>
X-Spamd-Bar: ----
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]
X-Rspamd-Queue-Id: 4V5pW42Vpfz4lTq


--tbqw4vnogsux722s
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Mar 29, 2024 at 10:02:14AM -0700, Gordon Tetlow wrote:
> FreeBSD is not affected by the recently announced backdoor included in th=
e 5.6.0 and 5.6.1 xz releases.
>=20
> All supported FreeBSD releases include versions of xz that predate the af=
fected releases.
>=20
> The main, stable/14, and stable/13 branches do include the affected versi=
on (5.6.0), but the backdoor components were excluded from the vendor impor=
t. Additionally, FreeBSD does not use the upstream's build tooling, which w=
as a required part of the attack. Lastly, the attack specifically targeted =
x86_64 Linux systems using glibc.

Hey Gordon,

Is there potential for Linux jails on FreeBSD systems (ie, deployments
making use of the Linxulator) to be impacted? Assuming amd64 here,
too.

Thanks,

--=20
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A=
4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

--tbqw4vnogsux722s
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAmYHBU0ACgkQ/y5nonf4
4frPkg/+MsaHaW/5Z0JdDM/KmEscvaYCvMEGz0OaVkrgDpBg2f08gt96QOGRk15i
Vzr67y2mYcZCxwbUlIVeq54RjPbBE7+5j7z/x8+96uEphg7Nf5z+MLQI8jHlPDFY
BPgScOrdThj7N1u0MgewyCca33kQ25eywTy9zUxKmSHmI069jAdxQQZV8u59vY8u
hx8tRSdvOb29WZQdFLJnI6DoYU9EeJYPT1zOODLALN0hHwIQdSIOnQMGkwNxsztW
7u3rPBke9/wKTljfjxW9Kw/rjbb1BDSLYCs0UDzQb7C3p36mWkkFmWSeDaVOuFfH
cNJEuD0kyU/Clib4V7/8yn0FjD93mNdG/YnPm4ko2PdY7wi3XM3EDLHK4Y+009F6
oV9t6Vi6sWlcQUj4NUI+X2X3CP8pQ97I+TfBPx7WDF5gNzwupRfvV4UOSlk1G7TB
cl/zFS36EFr22uNuixPXsGSn/vBTgIcOf8QsFX5HtZBAVZwIOLV9XwEYEt4lKhC6
U/0pA4MmDDQ91gA49cPCqo8SxvFBY/n7uHjZOsqOCOazj7qW/Z9aX3+WM6dXdJlQ
+wYzOh0ckwc4pZ6WGjArg/+QSjSpG6922kbXjWSRfuWtV5cEqV9JL9pRD30rVyBF
rhu/Up4KzrEsh+JgSLupFs2svt+/lbNMNkBlPpV5HsJXwCM9d5k=
=n0dI
-----END PGP SIGNATURE-----

--tbqw4vnogsux722s--