On Mon, Apr 01, 2024 at 11:42:51AM +0200, Fathi Boudra wrote:
> On Sat, 30 Mar 2024 at 17:18, Richard Purdie
> <richard.pur...@linuxfoundation.org> wrote:
> >
> > On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote:
> > > From what is publicly known, it injected malicious code (through an m4
> > > macro using a payload hidden in an obfuscated compressed test file) into
> > > the built liblzma.so.5, which then hijacks the RSA_public_decrypt call,
> > > e.g. in sshd (when sshd is built with a patch adding systemd
> > > notifications, which brings a liblzma dependency to sshd, e.g. on
> > > Debian- and Ubuntu-based systems).
> > >
> > > The build systems which just built this xz version shouldn't be
> > > affected (as they won't be using the liblzma.so from the OE build on
> > > the host).
> > >
> > > This publicly known part should be OK for OE, but it's right to be
> > > worried about the other things which aren't known (not only from
> > > these guys or from the xz project).
> >
> > I concur.
> >
> > It is worrying, but I've kind of been expecting something like this for
> > a while, unfortunately.
> >
> > We need to watch what is going on and act accordingly if/as anything
> > else becomes known.
> 
> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
> 
> Distros have downgraded to older releases, still trying to figure out
> which version to use.

While the 5.4.6 version we upgraded to in February was not yet compromised,
the project was already being taken over by Jia Tan, who was moving releases to
a controlled subdomain of xz.tukaani.org hosted directly off GitHub, in
preparation for the malicious releases 5.6.0 and 5.6.1. So we pointed to the
GitHub location accordingly:

https://git.openembedded.org/openembedded-core/commit/?id=9cc6c809c154019afe3bf6e6d617eab640faa4d0
https://git.openembedded.org/openembedded-core/commit/?id=5be69fc3ff6296411c736e5c7c9522d99c0be2c6

But GitHub has suspended the project and associated developer accounts. The
original maintainer has posted some details on this matter here:

https://tukaani.org/xz-backdoor/

Again, the 5.4.6 tarball wasn't compromised, but it is no longer accessible from
GitHub - should we revert to 5.4.5, which was hosted on the original site?
Though it should be mirrored...

-- 
Denys
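An exposure check that follows the description given in the thread (only 5.6.0 and 5.6.1 are the malicious releases, and sshd only reaches the injected code when it links liblzma), added here as an example and not part of the mailing-list exchange; the tool outputs are constructed samples and the verdict labels are chosen for this example:

```shell
# Added example, not from the thread: classify a host's CVE-2024-3094 exposure
# from what `xz --version` and `ldd sshd` report. Assumes (as the thread states)
# that 5.6.0 and 5.6.1 are the malicious releases and that sshd only reaches the
# injected code when it dynamically links liblzma (e.g. via the systemd patch).

# Pull the liblzma version out of `xz --version` output, which prints two lines
# ("xz (XZ Utils) X.Y.Z" then "liblzma X.Y.Z"); fall back to the xz line.
liblzma_version() {
    printf '%s\n' "$1" | awk '
        /^xz \(XZ Utils\) / { v = $NF }
        /^liblzma /         { print $2; found = 1; exit }
        END                 { if (!found && v != "") print v }'
}
# True (exit 0) only for the two backdoored releases named in the thread.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}
# True when an ldd listing of sshd shows liblzma anywhere in its (transitive)
# dependencies; ldd is used because the Debian/Ubuntu path is indirect via libsystemd.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}
# Combine both facts into one verdict string (labels chosen for this example).
classify_host() {
    ver=$(liblzma_version "$1")
    if xz_version_affected "$ver" && sshd_links_liblzma "$2"; then
        echo "backdoor-reachable: sshd links liblzma $ver"
    elif xz_version_affected "$ver"; then
        echo "backdoored-liblzma-present: liblzma $ver installed, sshd does not link it"
    else
        echo "unaffected-version: liblzma $ver"
    fi
}
# Constructed sample tool output (shapes match the real tools; addresses are dummies).
SAMPLE_XZ_561='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_XZ_546='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_LDD_DEBIAN='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0)'
SAMPLE_LDD_PLAIN='    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x0)
    libc.so.6 => /usr/lib/libc.so.6 (0x0)'
# Live use would be: classify_host "$(xz --version)" "$(ldd "$(command -v sshd)")"
classify_host "$SAMPLE_XZ_561" "$SAMPLE_LDD_DEBIAN"
```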
View/Reply Online (#197849): 
https://lists.openembedded.org/g/openembedded-core/message/197849
