On 04-04-24 05:49, FreeBSD User wrote:
> Hello,
> I just stumbled over this CVE regarding xz 5.6.0 and 5.6.1:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
> FreeBSD starting with 14-STABLE seems to use xz 5.6.0, but my limited skills do
> not allow me to judge whether the described exploit mechanism also works on
> FreeBSD.
> RedHat already sent out a warning; the workaround is to move back towards an
> older variant.
> I have to report to my superiors (we're using 14-STABLE and CURRENT, and I do
> so in private), so I would like to welcome any comment on that.
No, it does not affect FreeBSD.
The autoconf script checks that it is running in a RedHat or Debian
package build environment before trying to proceed. There are also
checks for GCC and binutils ld.bfd. And I'm not sure that the payload (a
precompiled Linux object file) would work with FreeBSD and /lib/libelf.so.2.
See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
A+
Paul
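For anyone who, like the original poster, has to report on their hosts: the following is an added example, not part of the thread and not FreeBSD project code. It parses the first line of `xz --version` output and flags the two releases named in the thread (5.6.0 and 5.6.1, per CVE-2024-3094). The sample outputs embedded below are constructed for the demonstration; on a live machine call `check_xz "$(xz --version)"`.

```shell
#!/bin/sh
# Added example (not from the thread): flag the xz releases affected by
# CVE-2024-3094 (5.6.0 and 5.6.1) from `xz --version` output.

# Extract the version number from the first line of `xz --version`
# output, which looks like "xz (XZ Utils) 5.6.0". Prints nothing if
# the line is not in that form.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when the version string is one of the backdoored
# releases, 1 otherwise. Only the two versions named in the CVE match.
xz_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Produce a one-line status for a host from its `xz --version` output.
# Always returns 0 so it can be used at top level; the verdict is the text.
check_xz() {
    ver=$(xz_version_from_output "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse xz version from output"
    elif xz_affected "$ver"; then
        echo "AFFECTED: xz $ver is one of the CVE-2024-3094 releases (5.6.0/5.6.1)"
    else
        echo "OK: xz $ver is not 5.6.0 or 5.6.1"
    fi
    return 0
}

# Constructed sample outputs (not captured from real systems).
SAMPLE_BAD='xz (XZ Utils) 5.6.0
liblzma 5.6.0'
SAMPLE_GOOD='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

check_xz "$SAMPLE_BAD"
check_xz "$SAMPLE_GOOD"
# On a live host: check_xz "$(xz --version 2>/dev/null)"
```

The version match is deliberately exact: a host that reports anything other than 5.6.0 or 5.6.1 is reported as OK with respect to this CVE, and output that cannot be parsed is reported as UNKNOWN rather than silently passing.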