From: "Patrick M. Hausen"
To: Freebsd Stable
CC: "henrichhartzer@tuta.io", Jonathan Vasquez
Subject: Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
Date: Sat, 30 Mar 2024 22:31:00 +0000
Message-ID: <02919DCB-5778-47C3-8754-249F76596928@punkt.de>
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

Hi all,

On Fri, Mar 29, 2024 at 21:15, wrote:
>
> I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is
> or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion,
> earlier versions may also be suspect given that this may have been a
> deliberate backdoor from a maintainer.
>
> I propose that we go back to a "known safe" version. It would probably be
> unwise to push 14.1 as-is, as well.
>
> [...]

1. The point of this backdoor is - to my knowledge - to get a rogue login
   via SSH.
2. The mechanism relies on the compromised liblzma being linked with sshd.
3. Which is the case for some Linux distributions because they pull in some
   extra functions for better systemd integration which then pulls in
   liblzma as a dependency.
4. FreeBSD is - to my knowledge - not susceptible to this attack because
   our sshd is not linked to the compromised library at all.
5. Even if you installed a supposedly compromised xz from ports, there are
   probably no ill consequences.

Kind regards,
Patrick
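A host check for the two conditions the message names (sshd linked against liblzma, and xz at 5.6.0 or 5.6.1), added here as an example and not part of the original post. The function names, verdict strings and sample `ldd` output are constructed for illustration, and the default sshd path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): triage one host for the two
# conditions discussed in the thread.

# Read `ldd` output on stdin; succeed if liblzma is among the shared objects
# (covers transitive dependencies, since ldd resolves the whole tree).
links_liblzma() {
    grep -Eq '(^|[[:space:]/])liblzma\.so(\.[0-9]+)*([[:space:]]|$)'
}

# Succeed only for the two releases named in the thread.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# classify <ldd-output> <xz-version>: print one verdict word.
classify() {
    if printf '%s\n' "$1" | links_liblzma; then
        if xz_version_affected "$2"; then echo at-risk
        else echo linked-other-version; fi
    else
        if xz_version_affected "$2"; then echo affected-version-not-linked
        else echo clear; fi
    fi
}

# Live check. Caveat: `xz --version` reports the liblzma that the xz binary in
# PATH loads, which may differ from the copy sshd resolves (base vs. ports).
check_host() {
    out=$(ldd "${1:-/usr/sbin/sshd}" 2>/dev/null) || { echo unknown; return 0; }
    ver=$(xz --version 2>/dev/null | awk 'NR==2 {print $2}')
    classify "$out" "${ver:-unknown}"
}

# Constructed sample ldd output, for offline demonstration only.
SAMPLE_LINKED='    libsystemd.so.0 => /lib/libsystemd.so.0 (0x0000000000001000)
    liblzma.so.5 => /lib/liblzma.so.5 (0x0000000000002000)
    libc.so.6 => /lib/libc.so.6 (0x0000000000003000)'
SAMPLE_UNLINKED='    libcrypto.so.3 => /lib/libcrypto.so.3 (0x0000000000001000)
    libc.so.7 => /lib/libc.so.7 (0x0000000000002000)'

# Demo on the samples; on a real host run: check_host /usr/sbin/sshd
echo "sample A: $(classify "$SAMPLE_LINKED" 5.6.1)"
echo "sample B: $(classify "$SAMPLE_UNLINKED" 5.6.0)"
```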