The officially official Devuan Forum!

You are not logged in.

#1 2024-03-31 23:04:42

siva
Member
Registered: 2018-01-25
Posts: 282  

CVE-2024-3094: LZMA/XZ security report

Thought the group might find this interesting.

From Red Hat:

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Related:
- https://gynvael.coldwind.pl/?lang=en&id=782
- https://www.openwall.com/lists/oss-secu … 24/03/29/4
- https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Last edited by siva (2024-03-31 23:17:35)

Offline

#2 2024-04-01 01:29:48

soren
Member
Registered: 2023-04-30
Posts: 142  

Re: CVE-2024-3094: LZMA/XZ security report

Perhaps admin might sticky this one instead of having more of these threads pop up, at least until this category 5 hurricane of an exploit is fully fleshed out and realized. No disrespect siva but this is about the 5th thread on this subject.

Offline

#3 2024-04-02 14:55:33

siva
Member
Registered: 2018-01-25
Posts: 282  

Re: CVE-2024-3094: LZMA/XZ security report

My references weren't related directly to Devuan but I get your point.

Offline

#4 2024-04-08 12:10:28

EDX-0
Member
Registered: 2020-12-12
Posts: 81  

Re: CVE-2024-3094: LZMA/XZ security report

fun enough, systemd does link xz-utils so machines running systemd with xz-utils 5.6.0 are extra compromised with an init level backdoor...

Offline

Board footer