Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected
From: Gordon Tetlow
Date: Fri, 29 Mar 2024 11:43:48 -0700
To: Shawn Webb
Cc: freebsd-security@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-security

> On Mar 29, 2024, at 11:15 AM, Shawn Webb wrote:
>
> On Fri, Mar 29, 2024 at 10:02:14AM -0700, Gordon Tetlow wrote:
>> FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases.
>>
>> All supported FreeBSD releases include versions of xz that predate the affected releases.
>>
>> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.
>
> Hey Gordon,
>
> Is there potential for Linux jails on FreeBSD systems (ie, deployments
> making use of the Linuxulator) to be impacted? Assuming amd64 here,
> too.

Hard to say for certain, but I suspect the answer is yes. If the jail has the vulnerable software installed, there is a decent chance it would be affected. At that point, I would refer to the vulnerability statement published by the Linux distro the jail is based on. I don’t believe the vulnerability has any kernel dependencies that FreeBSD would provide protection.

Certainly, in the world of being conservatively cautious, I would immediately address any such Linux jails.

Gordon
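
A quick triage for the Linux jails discussed above, as an added example that is not part of the original message: it looks under each given root directory for liblzma files named for the 5.6.0 or 5.6.1 releases. The function names and the choice of passing jail root paths as arguments are assumptions of this example; a hit means "check the distro's vulnerability statement for this jail", not proof of compromise.

```shell
#!/bin/sh
# Added example (not from the original message): flag Linux userland trees
# that ship liblzma from the xz releases named above (5.6.0 and 5.6.1).

# Print every liblzma shared object under root "$1" whose file name carries
# version 5.6.0 or 5.6.1. Linux distros install the library under its full
# version (liblzma.so.<version>) and point liblzma.so.5 at it.
find_affected_liblzma() {
    find "$1" \( -type f -o -type l \) \
        \( -name 'liblzma.so.5.6.0' -o -name 'liblzma.so.5.6.1' \) \
        2>/dev/null | sort
}

# Classify one root: prints "REVIEW <root> <file>" per hit, or "ok <root>".
# Returns 1 if the root needs review, 0 otherwise.
check_root() {
    hits=$(find_affected_liblzma "$1")
    if [ -z "$hits" ]; then
        printf 'ok %s\n' "$1"
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r f; do
        printf 'REVIEW %s %s\n' "$1" "$f"
    done
    return 1
}

# Check several roots; the return status is the number of roots to review.
# Assumed usage on a FreeBSD host (jail paths without whitespace):
#   check_roots $(jls path)
check_roots() {
    bad=0
    for root in "$@"; do
        check_root "$root" || bad=$((bad + 1))
    done
    return "$bad"
}
```
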