Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well

From: <henrichhartzer_at_tuta.io>
Date: Sat, 30 Mar 2024 01:46:53 UTC
Good to know, thank you!

I do think in this case it may be worth going to an older version because the maintainer was actively malicious. Even if *this* vulnerability looks safe. Just feels like playing with fire at the moment.

Also, it sounds like libarchive had a suspicious commit by the author as well.

Good synopsis:
https://boehs.org/node/everything-i-know-about-the-xz-backdoor

I should probably join freebsd-security while I'm at it...

-Henrich

Mar 30, 2024, 01:22 by junchoon@dec.sakura.ne.jp:

> On Sat, 30 Mar 2024 02:15:53 +0100 (CET)
> henrichhartzer@tuta.io wrote:
>
>> Hi everyone,
>>
>> I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4
>>
>> It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.
>>
>> I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.
>>
>> The GitHub repository has currently been locked out.
>>
>> Hoping that someone more aware of what's going on can offer more insight.
>>
>> Thanks!
>>
>> -Henrich
>>
>
> At least base is not affected. See [1] and [2].
>
> [1]
> https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
>
> [2]
> https://forums.freebsd.org/threads/backdoor-in-upstream-xz-liblzma-leading-to-ssh-server-compromise.92922/
>
>
> -- 
> Tomoaki AOKI    <junchoon@dec.sakura.ne.jp>
>