[ GLSA 202403-04 ] XZ utils: Backdoor in release tarballsHEADmaster

Bug: https://bugs.gentoo.org/928134
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

1 files changed, 47 insertions, 0 deletions

diff --git a/glsa-202403-04.xml b/glsa-202403-04.xml
new file mode 100644
index 00000000..abe20743
--- /dev/null
+++ b/glsa-202403-04.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202403-04">
+    <title>XZ utils: Backdoor in release tarballs</title>
+    <synopsis>A backdoor has been discovered in XZ utils that could lead to remote compromise of systems.</synopsis>
+    <product type="ebuild">xz-utils</product>
+    <announced>2024-03-29</announced>
+    <revised count="1">2024-03-29</revised>
+    <bug>928134</bug>
+    <access>remote</access>
+    <affected>
+        <package name="app-arch/xz-utils" auto="yes" arch="*">
+            <unaffected range="lt">5.6.0</unaffected>
+            <vulnerable range="ge">5.6.0</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>XZ Utils is free general-purpose data compression software with a high compression ratio.</p>
+    </background>
+    <description>
+        <p>A backdoor has been discovered in XZ utils. Please review the CVE identifier referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Our current understanding of the backdoor is that is does not affect Gentoo systems, because

+

+1. the backdoor only appears to be included on specific systems and Gentoo does not qualify;

+2. the backdoor as it is currently understood targets OpenSSH patched to work with systemd-notify support. Gentoo does not support or include these patches;

+

+Analysis is still ongoing, however, and additional vectors may still be identified. For this reason we are still issuing this advisory as if that will be the case.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All XZ utils users should downgrade to the latest version before the backdoor was introduced:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose "&lt;app-arch/xz-utils-5.6.0"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3094">CVE-2024-3094</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-03-29T21:48:56.283016Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-03-29T21:48:56.285132Z">graaff</metadata>
+</glsa>