Re: xz security issue ? (CVE-2024-3094)

From: mike tancsa <mike_at_sentex.net>
Date: Fri, 29 Mar 2024 18:31:26 UTC
Oh, I didn't see the earlier email for some reason. Thanks Gordon for the
email clarification!

     ---Mike

On 3/29/2024 2:22 PM, mike tancsa wrote:
> From the Red Hat advisory,
>
> What is the malicious code?
> The malicious injection present in the xz versions 5.6.0 and 5.6.1 
> libraries is obfuscated and only included in full in the download 
> package - the Git distribution lacks the M4 macro that triggers the 
> build of the malicious code. The second-stage artifacts are present in 
> the Git repository for the injection during the build time, in case 
> the malicious M4 macro is present.
>
> The resulting malicious build interferes with authentication in sshd 
> via systemd.  SSH is a commonly used protocol for connecting remotely 
> to systems, and sshd is the service that allows access. Under the 
> right circumstances this interference could potentially enable a 
> malicious actor to break sshd authentication and gain unauthorized 
> access to the entire system remotely.
>
> Is there any exposure to this on FreeBSD ?
>
>     ---Mike
>
>