xz security issue ? (CVE-2024-3094)
- Reply: mike tancsa : "Re: xz security issue ? (CVE-2024-3094)"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 29 Mar 2024 18:22:52 UTC
From the redhat advisory, What is the malicious code? The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present. The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely. Is there any exposure to this on FreeBSD ? ---Mike