From: Eli Devejian
Reply-To: Eli@devejian.net
Date: Sat, 30 Mar 2024 20:28:41 -0400
Subject: Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
To: Freebsd Stable <freebsd-stable@freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

This is my understanding too: this vulnerability only affects versions of openssh compiled against compromised versions of xz with extra support for systemd integration, so FreeBSD is unaffected. Also, this only affects release tarballs, with malicious binary blobs. Like Arch Linux, as long as we pull from the repo and compile in-house, this should mitigate other vulnerabilities possibly created by this rogue maintainer. I have not seen any evidence that more action than this is needed.

Cheers,
-Eli

On Sat, Mar 30, 2024 at 6:31 PM Patrick M. Hausen <hausen@punkt.de> wrote:
> Hi all,
>
> On Fri, Mar 29, 2024 at 21:15, <henrichhartzer@tuta.io> wrote:
> >
> > I recently read through this:
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> >
> > It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is
> > or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion,
> > earlier versions may also be suspect given that this may have been a
> > deliberate backdoor from a maintainer.
> >
> > I propose that we go back to a "known safe" version. It would probably
> > be unwise to push 14.1 as-is, as well.
> >
> > [...]
>
> 1. The point of this backdoor is - to my knowledge - to get a rogue
>    login via SSH.
>
> 2. The mechanism relies on the compromised liblzma being linked with
>    sshd.
>
> 3. Which is the case for some Linux distributions because they pull
>    in some extra functions for better systemd integration which then
>    pulls in liblzma as a dependency.
>
> 4. FreeBSD is - to my knowledge - not susceptible to this attack
>    because our sshd is not linked to the compromised library at all.
>
> 5. Even if you installed a supposedly compromised xz from ports,
>    there are probably no ill consequences.
>
> Kind regards,
> Patrick
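As an added example (not from the thread or from the FreeBSD project), a small POSIX sh check for the precondition Patrick describes in points 2 to 4: whether the host's sshd links liblzma at all, plus whether the installed xz is one of the two versions the thread names. The sshd path, the use of ldd(1) and xz(1), and the sample outputs below are assumptions or constructed inputs.

```shell
#!/bin/sh
# Added example, not the thread's or FreeBSD's own code.
# Assumes ldd(1) and xz(1) are available and sshd lives at /usr/sbin/sshd.

# sshd_lzma_status LDD_OUTPUT -> "linked" if liblzma appears among the
# dynamic dependencies of sshd (the condition in point 2), else "not-linked".
sshd_lzma_status() {
    case "$1" in
        *liblzma.so*) echo linked ;;
        *) echo not-linked ;;
    esac
}

# xz_version_status VERSION_LINE -> "suspect" for the two versions the
# thread names (5.6.0 and 5.6.1), "ok" otherwise. Substring match on the
# first line of `xz --version`.
xz_version_status() {
    case "$1" in
        *" 5.6.0"*|*" 5.6.1"*) echo suspect ;;
        *) echo ok ;;
    esac
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_LDD_FREEBSD='/usr/sbin/sshd:
        libcrypto.so.30 => /usr/lib/libcrypto.so.30 (0x1000)
        libc.so.7 => /lib/libc.so.7 (0x2000)'
SAMPLE_LDD_LINUX='        libsystemd.so.0 => /lib/libsystemd.so.0 (0x1000)
        liblzma.so.5 => /lib/liblzma.so.5 (0x2000)'
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1'

# check_host [SSHD_PATH]: run both checks against the live system.
# Returns 0 only when sshd does not link liblzma and xz is not 5.6.0/5.6.1.
check_host() {
    sshd=${1:-/usr/sbin/sshd}
    link=$(sshd_lzma_status "$(ldd "$sshd" 2>/dev/null)")
    ver=$(xz_version_status "$(xz --version 2>/dev/null | head -n 1)")
    echo "sshd liblzma: $link; xz version: $ver"
    [ "$link" = not-linked ] && [ "$ver" = ok ]
}

# Live run: sh xz_check.sh --live [/path/to/sshd]
if [ "${1:-}" = "--live" ]; then
    check_host "${2:-/usr/sbin/sshd}"
fi
```

A "linked" result only shows the precondition is met; it does not by itself prove the installed liblzma is a compromised build.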