From bb35e2c26ef26b819567c27e364625ea26d23c0f Mon Sep 17 00:00:00 2001 From: Andy Fiddaman Date: Sun, 31 Mar 2024 10:44:09 +0000 Subject: [PATCH] Add 2024-03-30-xz-utils-CVE-2024-3094.md --- _posts/2024-03-30-xz-utils-CVE-2024-3094.md | 41 +++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 _posts/2024-03-30-xz-utils-CVE-2024-3094.md diff --git a/_posts/2024-03-30-xz-utils-CVE-2024-3094.md b/_posts/2024-03-30-xz-utils-CVE-2024-3094.md new file mode 100644 index 0000000..deadfc6 --- /dev/null +++ b/_posts/2024-03-30-xz-utils-CVE-2024-3094.md 
@@ -0,0 +1,41 @@ +--- +layout: post +title: OmniOS is not affected by CVE-2024-3094 +synopsis: CVE-2024-3094 - OmniOS is not vulnerable +--- + +Yesterday we learned of a supply chain back door in the `xz-utils` software +via an announcement at + +The vulnerability was distributed with versions 5.6.0 and 5.6.1 of `xz`. + +**OmniOS is NOT affected by CVE-2024-3094** + +The malicious code is only present in binary artefacts if the build system +is Linux (and there are some additional constraints too) and if the system +linker is GNU ld -- neither of which are true for our packages. The payload is +also a Linux ELF binary which would not successfully link into code built for +OmniOS. + +We have also only ever shipped xz-utils 5.6.x as part of the unstable bloody +testing release, stable releases contain older versions: + + - r151038 ships version 5.2.6 + - r151046 ships version 5.4.2 + - r151048 ships version 5.4.4 + - bloody ships version 5.6.1 + +Despite not being affected, we have now +[switched builds of `xz` in bloody](https://github.com/omniosorg/omnios-build/pull/3525) +to using the raw source archive, which does not contain the malicious injection +code, and generating the autoconf files ourselves. We have not downgraded to +an earlier version as it is not clear which earlier version can be considered +completely safe given that the perpetrator has been responsible for maintaining +and signing releases back to version 5.4.3. + +Once a cleaned 5.6.2 release is available, we will upgrade to that. + +--- + +Any problems or questions, please [get in touch](/about/contact.html). +
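Review bot: The sentence "via an announcement at" in the opening paragraph ends without a link target, so readers are left without a pointer to the disclosure; either add the announcement URL there or drop the trailing "at". Two smaller points in the same hunk: "stable releases contain older versions:" runs on from the preceding clause and reads better as "the stable releases contain older versions:" after a semicolon or full stop, and the mitigation paragraph would benefit from stating explicitly that the autoconf files are regenerated from the raw source archive precisely because the injection lived in the generated build files shipped in the release tarball, which is the reason the rebuild is meaningful even though the binaries were never affected.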