Date: Sat, 30 Mar 2024 02:15:53 +0100 (CET)
From: henrichhartzer@tuta.io
To: Freebsd Stable
Subject: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

Hi everyone,

I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4

It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0.

In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer. I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.

The Github repository has currently been locked out.
Hoping that someone more aware of what's going on can offer more insight.

Thanks!

-Henrich
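As an added example (not part of Henrich's mail or of FreeBSD's own tooling), a POSIX sh check that parses the two version lines `xz --version` prints and flags the 5.6.0 and 5.6.1 releases named in the post; the sample output and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original mail: classify the versions that
# `xz --version` prints against the releases the post names (5.6.0, 5.6.1).
# Only those two versions are flagged; anything else is reported as not listed.

# Print the version number from the line whose first word is $2 ("xz" or
# "liblzma") in the `xz --version` output passed as $1; prints nothing if absent.
xz_version_field() {
    printf '%s\n' "$1" | awk -v comp="$2" '$1 == comp { print $NF; exit }'
}

# Map one component's version to affected / not-listed / unknown.
xz_version_status() {
    ver=$(xz_version_field "$1" "$2")
    case "$ver" in
        "")          echo "unknown" ;;
        5.6.0|5.6.1) echo "affected" ;;
        *)           echo "not-listed" ;;
    esac
}

# Check both the xz front end and the liblzma it reports, since a binary can
# be linked against a library build of a different version. The last line
# printed is the overall verdict, with "affected" winning over "unknown".
xz_report() {
    out="$1"
    overall="not-listed"
    for comp in xz liblzma; do
        status=$(xz_version_status "$out" "$comp")
        printf '%-8s %-8s %s\n' "$comp" "$(xz_version_field "$out" "$comp")" "$status"
        if [ "$status" = "affected" ]; then
            overall="affected"
        elif [ "$status" = "unknown" ] && [ "$overall" != "affected" ]; then
            overall="unknown"
        fi
    done
    echo "overall: $overall"
}

# Constructed sample matching the version the post says 14-stable and main carry.
SAMPLE_OUT="xz (XZ Utils) 5.6.0
liblzma 5.6.0"
xz_report "$SAMPLE_OUT"

# Run the same check against the xz actually installed on this host, if any.
if command -v xz >/dev/null 2>&1; then
    xz_report "$(xz --version 2>/dev/null)"
fi
```

A mismatch between the two lines (an older front end reporting a listed liblzma) is still reported as affected, which is why both lines are checked rather than only the first.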