From: Dag-Erling Smørgrav <des@freebsd.org>
To: "Chen, Alvin W"
Cc: Gordon Tetlow, Shawn Webb, freebsd-security@freebsd.org
Subject: Re: Disclosed backdoor in xz releases - FreeBSD not affected
In-Reply-To: (Alvin W. Chen's message of "Sun, 7 Apr 2024 09:34:33 +0000")
References: <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org>
Date: Sun, 07 Apr 2024 12:15:11 +0200
Message-ID: <86v84t5vio.fsf@ltc.des.dev>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

"Chen, Alvin W" writes:
> My understanding is: the 'xz' built from FreeBSD is not impacted, but
> the 'xz' built from Linux and run based on FreeBSD Linux ABI could be
> impacted.

It is certainly possible to build liblzma with the backdoor on a Linux
host (or in a Linux jail on a FreeBSD host) and run it on a FreeBSD
host. However, the backdoor does nothing unless loaded into an sshd
process, so you would still not be affected unless you were running a
Linux sshd binary and that sshd binary loaded the backdoored liblzma.
FreeBSD's sshd binary (whether from base or ports) does not load liblzma,
and if it did, it would not be able to load a Linux version of the
library.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
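The two conditions DES names (a Linux sshd binary, and that binary loading liblzma) can be checked on a host from the ELF header and from ldd(1) output. The script below is an added example written for this archive page, not code from the thread or from FreeBSD; the ldd output it embeds is constructed, and the `sshd` path at the bottom is an assumption about where the daemon lives.

```sh
#!/bin/sh
# Added example: check the two conditions under which a FreeBSD host could
# be exposed to the xz/liblzma backdoor discussed in the thread.

# Print the ELF EI_OSABI byte (file offset 7) of the binary on stdin.
# 9 = FreeBSD, 0 = System V (what most Linux toolchains emit), 3 = GNU/Linux.
# Heuristic only: the OS/ABI byte is how a FreeBSD-built sshd is told apart
# from a Linux binary run under the Linux ABI layer.
elf_osabi() {
    od -An -tu1 -j7 -N1 | tr -d ' \n'
}

# Exit 0 if ldd(1) output on stdin lists liblzma, whether linked directly
# or pulled in transitively (ldd prints the whole resolved set), else 1.
links_liblzma() {
    grep -q '^[[:space:]]*liblzma\.so'
}

# Combine the checks the way the message does: only a Linux sshd binary
# that loads liblzma needs a closer look.
# $1 = EI_OSABI value, $2 = 0 if liblzma is linked, 1 otherwise
sshd_verdict() {
    if [ "$1" != 9 ] && [ "$2" -eq 0 ]; then
        echo "review: Linux sshd binary that loads liblzma"
    else
        echo "not affected: FreeBSD sshd or no liblzma dependency"
    fi
}

# Constructed sample ldd(1) output (not captured from any real host).
LINUX_SSHD_LDD='        libsystemd.so.0 => /lib/libsystemd.so.0 (0x0)
        liblzma.so.5 => /lib/liblzma.so.5 (0x0)
        libc.so.6 => /lib/libc.so.6 (0x0)'
FREEBSD_SSHD_LDD='        libcrypto.so.30 => /lib/libcrypto.so.30 (0x0)
        libc.so.7 => /lib/libc.so.7 (0x0)'

# On a real host (assumed path for the daemon), the same helpers run as:
#   sshd=$(command -v sshd)
#   abi=$(elf_osabi < "$sshd"); ldd "$sshd" | links_liblzma; lz=$?
#   sshd_verdict "$abi" "$lz"
```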