Hi, tl;dr OpenWrt seems to be not affected by the CVE-2024-3094
As you may be aware, malicious code was identified[1] in the xz upstream tarballs starting from version 5.6.0. The development snapshots of OpenWrt were utilizing this compromised library version. Fortunately, the snapshot builds relied on source code tarballs from GitHub releases, which are generated automatically. These contained only the dormant segment of the malicious code. The crucial component that would activate the backdoor during the build process was not detected in the scrutinized tarball archives.

For those interested, the source tarballs employed in the official OpenWrt snapshot builds are still accessible at http://sources.openwrt.org/xz-5.6.1.tar.xz.backdoored and http://sources.openwrt.org/xz-5.6.1.tar.bz2.backdoored, with their respective sha256sums:

d300422649a0124b1121630be559c890ceedf32667d7064b8128933166c217c8  xz-5.6.1.tar.bz2
f334777310ca3ae9ba07206d78ed286a655aa3f44eec27854f740c26b2cd2ed0  xz-5.6.1.tar.xz

Binary packages built using affected xz sources can be downloaded from https://mirror-03.infra.openwrt.org/snapshots/packages/xz-5.6.1-ipks.tar.gz, sha256sum is a376b30cc8afe2ebf92316b47c640e845cd76bef4f2c593ca22e6fc12deb580d.

Timeline, 2024-03-29, CET timezone:

16:17 - Started investigating the issue
16:59 - Reverting the xz 5.6.1 package version bumps
17:11 - Moved affected sources/packages to .backdoored file suffixes on downloads.openwrt.org and sources.openwrt.org servers
19:08 - CDN cache invalidated as well

1. https://www.openwall.com/lists/oss-security/2024/03/29/4

Happy Easter! :-)

Cheers,

Petr
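The post publishes the sha256sums of the affected source tarballs and of the binary package bundle. The script below is an added example, not part of the original mail and not OpenWrt project code: it hashes a locally cached file (a downloaded tarball, a build-host dl/ entry, a mirror copy) and reports whether its digest matches one of the digests quoted in the post. The KNOWN_BAD table contains only the three digests from the mail; the function and file names are this example's own.

```python
"""Check whether a cached xz file matches one of the backdoored digests listed in the post."""
import hashlib
import sys

# SHA-256 digests quoted in the post (CVE-2024-3094). Keys are lowercase hex digests,
# values describe what the post says each file is.
KNOWN_BAD = {
    "d300422649a0124b1121630be559c890ceedf32667d7064b8128933166c217c8":
        "xz-5.6.1.tar.bz2 (backdoored source tarball)",
    "f334777310ca3ae9ba07206d78ed286a655aa3f44eec27854f740c26b2cd2ed0":
        "xz-5.6.1.tar.xz (backdoored source tarball)",
    "a376b30cc8afe2ebf92316b47c640e845cd76bef4f2c593ca22e6fc12deb580d":
        "xz-5.6.1-ipks.tar.gz (binary packages built from affected sources)",
}


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string (used for small inputs and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed in chunks so large tarballs do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_digest(digest: str, known_bad=KNOWN_BAD):
    """Return the description of a known-bad digest, or None if the digest is not listed.

    Digests are normalised to lowercase so output copied from tools that print
    uppercase hex still matches.
    """
    return known_bad.get(digest.strip().lower())


def classify_file(path: str, known_bad=KNOWN_BAD):
    """Hash a file on disk and classify it against the known-bad table."""
    return classify_digest(sha256_of_file(path), known_bad)


def main(argv):
    """CLI: exit 2 if any given file matches a listed digest, 0 otherwise."""
    if len(argv) < 2:
        print(f"usage: {argv[0]} FILE [FILE ...]", file=sys.stderr)
        return 1
    hit = False
    for path in argv[1:]:
        match = classify_file(path)
        if match:
            hit = True
            print(f"MATCH  {path}: {match}")
        else:
            print(f"clean  {path}: digest not in the published list")
    return 2 if hit else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-match only means the file is not one of the three artefacts the post names; it says nothing about other xz 5.6.x tarballs or packages, so the exit code is meant to gate a cleanup job, not to certify a file as safe.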
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel