Re: Disclosed backdoor in xz releases - FreeBSD not affected

From: Gordon Tetlow <gordon_at_tetlows.org>
Date: Fri, 29 Mar 2024 18:43:48 UTC
> On Mar 29, 2024, at 11:15 AM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> 
> On Fri, Mar 29, 2024 at 10:02:14AM -0700, Gordon Tetlow wrote:
>> FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases.
>> 
>> All supported FreeBSD releases include versions of xz that predate the affected releases.
>> 
>> The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.
> 
> Hey Gordon,
> 
> Is there potential for Linux jails on FreeBSD systems (ie, deployments
> making use of the Linxulator) to be impacted? Assuming amd64 here,
> too.

Hard to say for certain, but I suspect the answer is yes. If the jail has the vulnerable software installed, there is a decent chance it would be affected. At that point, I would refer to the vulnerability statement published by the Linux distro the jail is based on. I don’t believe the vulnerability has any kernel dependencies that FreeBSD would provide protection.

Certainly, in the world of being conservatively cautious, I would immediately address any such Linux jails.

Gordon