From: Dag-Erling Smørgrav <des@freebsd.org>
To: "Patrick M. Hausen"
Cc: Freebsd Stable, "henrichhartzer@tuta.io", Jonathan Vasquez
Subject: Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
Date: Mon, 01 Apr 2024 13:04:27 +0200
Message-ID: <86jzlh9wec.fsf@ltc.des.dev>
In-Reply-To: <02919DCB-5778-47C3-8754-249F76596928@punkt.de> (Patrick M. Hausen's message of "Sat, 30 Mar 2024 22:31:00 +0000")
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

"Patrick M. Hausen" writes:

> 4. FreeBSD is - to my knowledge - not susceptible to this attack because our sshd
> is not linked to the compromised library at all.

That's not sufficient. The attack payload is a binary blob and has not
been fully analyzed; it could have other effects which haven't yet been
discovered. However, FreeBSD is not vulnerable because the version of
xz included in FreeBSD includes neither the attack payload nor the
trojaned build script which injects the payload into the library.

> 5. Even if you installed a supposedly compromised xz from ports, there are probably
> no ill consequences.

We don't have an xz or liblzma port.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
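The two facts argued over above (does sshd link liblzma, and is the installed xz one of the two trojaned releases) are the ones an administrator would want to check on a host. The script below is an added triage helper, not code from the message or from the FreeBSD project. It treats the xz version as the deciding factor, in line with the reply: a host carrying xz 5.6.0 or 5.6.1 is flagged whether or not sshd links liblzma, and "sshd does not link liblzma" alone never yields a clean verdict. The ldd output and version strings embedded at the bottom are constructed samples so the functions can be exercised offline; the live run (guarded by XZ_TRIAGE_LIVE=1) calls the real ldd and xz. One caveat the version check cannot capture: the trojaned build script was shipped in the release tarballs rather than the git tree, and a vendor may rebuild a patched package under the same upstream version number, so a hit here is a reason to look at the package's provenance, not a final answer.

```shell
#!/bin/sh
# Added triage helper for the xz 5.6.0/5.6.1 backdoor (not from the original
# message). All functions take their input as arguments so they can be run
# against constructed samples; see the guarded live section at the end.

# Returns 0 if the given ldd-style output shows a liblzma dependency.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Returns 0 if the version string is one of the two known-trojaned releases.
xz_version_is_trojaned() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.4.5" -> "5.4.5". Prints nothing if unparsable.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Combined verdict, printed on stdout:
#   EXPOSED     trojaned xz installed and sshd links liblzma
#   TROJANED-XZ trojaned xz installed, sshd does not link it (still remove it)
#   UNKNOWN     xz version could not be parsed
#   OK          xz is not 5.6.0/5.6.1
xz_triage() {
    ldd_out=$1
    ver=$(parse_xz_version "$2")
    if [ -z "$ver" ]; then
        echo UNKNOWN
        return 0
    fi
    if xz_version_is_trojaned "$ver"; then
        if sshd_links_liblzma "$ldd_out"; then
            echo EXPOSED
        else
            echo TROJANED-XZ
        fi
    else
        echo OK
    fi
}

# Constructed sample inputs (not captured from any real host).
# FreeBSD-style ldd output: base sshd, no liblzma.
SAMPLE_LDD_FREEBSD='/usr/sbin/sshd:
        libcrypto.so.30 => /lib/libcrypto.so.30 (0x1234)
        libc.so.7 => /lib/libc.so.7 (0x5678)'
# Linux-style ldd output for a distro sshd that pulls in liblzma via libsystemd.
SAMPLE_LDD_LINUX='        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x1234)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x5678)'
SAMPLE_VER_OLD='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
SAMPLE_VER_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Live run against the local host, only when explicitly requested.
if [ "${XZ_TRIAGE_LIVE:-0}" = 1 ]; then
    sshd_path=$(command -v sshd || echo /usr/sbin/sshd)
    live_ldd=$(ldd "$sshd_path" 2>/dev/null || true)
    live_ver=$(xz --version 2>/dev/null || true)
    printf 'sshd: %s\nverdict: %s\n' "$sshd_path" "$(xz_triage "$live_ldd" "$live_ver")"
fi
```

Run it as `XZ_TRIAGE_LIVE=1 sh xz-triage.sh` on a host; without the variable it only defines the functions and samples.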