From nobody Sat Mar 30 01:46:53 2024 X-Original-To: stable@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4V60WL6n5cz5Fp3q for ; Sat, 30 Mar 2024 01:46:54 +0000 (UTC) (envelope-from henrichhartzer@tuta.io) Received: from w1.tutanota.de (w1.tutanota.de [81.3.6.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits)) (Client CN "mail.tutanota.de", Issuer "Sectigo RSA Domain Validation Secure Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4V60WL5s3Jz4pCq for ; Sat, 30 Mar 2024 01:46:54 +0000 (UTC) (envelope-from henrichhartzer@tuta.io) Authentication-Results: mx1.freebsd.org; none Received: from tutadb.w10.tutanota.de (unknown [192.168.1.10]) by w1.tutanota.de (Postfix) with ESMTP id D47E7FBF88F; Sat, 30 Mar 2024 01:46:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1711763213; s=s1; d=tuta.io; h=From:From:To:To:Subject:Subject:Content-Description:Content-ID:Content-Type:Content-Type:Content-Transfer-Encoding:Content-Transfer-Encoding:Cc:Cc:Date:Date:In-Reply-To:In-Reply-To:MIME-Version:MIME-Version:Message-ID:Message-ID:Reply-To:References:References:Sender; bh=tsQFPjqJRBRx4IwNKZYHDIh2MEAv9JeF2+VmeRRRAIw=; b=plgDgLdwph9Zg5/hgkttmK0TsDJ+iWyZCrppMt7yGUvPe/ze9fODPkA5uIXYjuQ6 9PgzPXPJc1HZZytIIMqBL6lIuVhSs20ZJI/05D/aR8U+/hbaK/R1fLG/QtktVnMSYZq baz4IfsfO+0xHun2aYjF+GRyFRGZD+xTTfZDSpLV6R3778NVpSMUBu/CS8+ATRIgJHE XaPppmsEZs7P79POWGp/ZyH6oc3BB6dQge/mYYck6cC1xvXGB7kujAD4XCY/u8GQsdS yrR75P9zQIuOrGR//kKWY6D613ZQYVHBBa804JpK0sDw3+nW0Dq9/GuvIpxjbyS6DRe e5ryT0S5Bw== Date: Sat, 30 Mar 2024 02:46:53 +0100 (CET) From: henrichhartzer@tuta.io To: Tomoaki AOKI Cc: "stable@freebsd.org" Message-ID: In-Reply-To: <20240330102205.6da8d3ca7cba362cb3d2ebe8@dec.sakura.ne.jp> References: <20240330102205.6da8d3ca7cba362cb3d2ebe8@dec.sakura.ne.jp> Subject: Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well List-Id: Production branch of FreeBSD source code List-Archive: https://lists.freebsd.org/archives/freebsd-stable List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-stable@freebsd.org X-BeenThere: freebsd-stable@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:24679, ipnet:81.3.0.0/18, country:DE] X-Rspamd-Queue-Id: 4V60WL5s3Jz4pCq Good to know, thank you! I do think in this case it may be worth going to an older version because the maintainer was actively malicious. Even if *this* vulnerability looks safe. Just feels like playing with fire at the moment. Also, it sounds like libarchive had a suspicious commit by the author as well. Good synopsis: https://boehs.org/node/everything-i-know-about-the-xz-backdoor I should probably join freebsd-security while I'm at it... -Henrich Mar 30, 2024, 01:22 by junchoon@dec.sakura.ne.jp: > On Sat, 30 Mar 2024 02:15:53 +0100 (CET) > henrichhartzer@tuta.io wrote: > >> Hi everyone, >> >> I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4 >> >> It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer. >> >> I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well. >> >> The Github repository has currently been locked out. >> >> Hoping that someone more aware of what's going on can offer more insight. >> >> Thanks! >> >> -Henrich >> > > At least base is not affected. See [1] and [2]. > > [1] > https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html > > [2] > https://forums.freebsd.org/threads/backdoor-in-upstream-xz-liblzma-leading-to-ssh-server-compromise.92922/ > > > -- > Tomoaki AOKI >