Re: Disclosed backdoor in xz releases - FreeBSD not affected

From: Dag-Erling_Smørgrav <des_at_FreeBSD.org>
Date: Sun, 07 Apr 2024 10:15:11 UTC

"Chen, Alvin W" <Weike.Chen@Dell.com> writes:
> My understanding is: the 'xz' built from FreeBSD is not impacted, but
> the 'xz' built from Linux and run based on FreeBSD Linux ABI could be
> impacted.

It is certainly possible to build liblzma with the backdoor on a Linux
host (or in a Linux jail on a FreeBSD host) and run it on a FreeBSD
host.  However, the backdoor does nothing unless loaded into an sshd
process, so you would still not be affected unless you were running a
Linux sshd binary and that sshd binary loaded the backdoored liblzma.
FreeBSD's sshd binary (whether from base or ports) does not load
liblzma, and if it did, it would not be able to load a Linux version of
the library.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org