On Mon, Apr 1, 2024 at 9:02 PM Denys Dmytriyenko <[email protected]> wrote:
>
> On Mon, Apr 01, 2024 at 11:42:51AM +0200, Fathi Boudra wrote:
> > On Sat, 30 Mar 2024 at 17:18, Richard Purdie
> > <[email protected]> wrote:
> > >
> > > On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote:
> > > > From what is publicly known, it injected malicious code (through an m4
> > > > macro, using a payload hidden in an obfuscated compressed test file) into
> > > > the built liblzma.so.5, which then hijacks the RSA_public_decrypt call, e.g. in
> > > > sshd (when sshd is built with a patch adding systemd notifications,
> > > > which brings a liblzma dependency into sshd, e.g. on Debian- and Ubuntu-
> > > > based systems).
> > > >
> > > > The build systems which just built this xz version shouldn't be
> > > > affected (as they won't be using the liblzma.so from the OE build on
> > > > the host).
> > > >
> > > > This publicly known part should be OK for OE, but it's right to be
> > > > worried about the other things which aren't known (not only from
> > > > these guys or from the xz project).
> > >
> > > I concur.
> > >
> > > It is worrying but I've kind of been expecting something like this for
> > > a while unfortunately.
> > >
> > > We need to watch what is going on and act accordingly if/as anything
> > > else becomes known.
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2024-3094
> >
> > Distros have downgraded to older releases, still trying to figure out
> > which version to use.
>
> While the 5.4.6 version we upgraded to in February was not yet compromised,
> it was already being taken over by Jia Tan, who moved releases to a controlled
> subdomain of xz.tukaani.org hosted off of GitHub directly, preparing for the
> malicious releases 5.6.0 and 5.6.1. So we pointed to the GitHub location
> accordingly:
>
> https://git.openembedded.org/openembedded-core/commit/?id=9cc6c809c154019afe3bf6e6d617eab640faa4d0
> https://git.openembedded.org/openembedded-core/commit/?id=5be69fc3ff6296411c736e5c7c9522d99c0be2c6
>
> But GitHub has suspended the project and associated developer accounts. The
> original maintainer has posted some details on this matter here:
>
> https://tukaani.org/xz-backdoor/
>
> Again, the 5.4.6 tarball wasn't compromised, but it is no longer accessible from
> GitHub. Should we revert to 5.4.5, which was hosted on the original site?
> Though it should be mirrored...
>

The repository has been disabled by GitHub, and the recipe does not work
from this end.
We need to switch to the older mirror and to the last version that was present there.
Other parts of the attack are coming out each day, so we should know quite soon
to which version we need to revert.

Regards,
Marta
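The two conditions Martin's description of the mechanism rests on (sshd actually links liblzma, and the installed xz is one of the two releases named in the advisory) can be turned into a quick triage check. The script below is an added example written for this page; it is not code from the OE project, the xz project or any participant in the thread. The function names are my own, the `xz --version` and `ldd` outputs are constructed samples rather than captures from a real host, and the check only matches the two known-bad version strings and a liblzma link dependency; it does not inspect the library for the payload itself, so a clean result here says nothing about the other, still-unknown parts of the attack the thread worries about.

```shell
#!/bin/sh
# Triage helper for the liblzma/sshd situation (CVE-2024-3094).
# Added example; not OE or xz project code.

# Return 0 if the version string is one of the two releases known to
# carry the backdoor (5.6.0 and 5.6.1), 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of "xz --version" style output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if it
# does not look like xz output.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if the given "ldd <binary>" output lists a liblzma dependency.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both conditions: print a one-line verdict and return 0 only
# when sshd links liblzma AND xz is one of the two affected releases.
sshd_exposed() {
    ver=$(xz_version_from_output "$1")
    if links_liblzma "$2" && xz_version_affected "$ver"; then
        echo "EXPOSED: sshd links liblzma and xz is $ver"
        return 0
    fi
    linked=no
    links_liblzma "$2" && linked=yes
    echo "not exposed (xz ${ver:-unknown}; liblzma linked: $linked)"
    return 1
}

# Constructed sample outputs (hypothetical; not captured from a real host).
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
# sshd built with the systemd-notification patch: pulls in libsystemd -> liblzma.
SAMPLE_LDD_DEBIAN='	linux-vdso.so.1 (0x00007ffd1e3c4000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2b1c000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2b1bfc0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b1bd00000)'
# sshd without that patch: no liblzma in the link map.
SAMPLE_LDD_PLAIN='	linux-vdso.so.1 (0x00007ffd1e3c4000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f2b1c000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b1bd00000)'

# On a real host you would run:
#   sshd_exposed "$(xz --version)" "$(ldd "$(command -v sshd)")"
```

On a real system replace the two sample strings with the live `xz --version` and `ldd` output as shown in the last comment; the version match is deliberately exact, so a distro build that carries its own suffix (for example a downgraded package still reporting 5.6.1) is worth checking by hand.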
View/Reply Online (#197850): https://lists.openembedded.org/g/openembedded-core/message/197850