Project statement about xz 5.6.1 (CVE-2024-3094)

Petr Štetiar ynezz at true.cz
Sat Mar 30 05:08:14 PDT 2024


Hi,

tl;dr OpenWrt seems to be not affected by the CVE-2024-3094

As you may be aware, malicious code was identified[1] in the xz upstream
tarballs starting from version 5.6.0. The development snapshots of OpenWrt
were utilizing this compromised library version.

Fortunately, the snapshots builds relied on source code tarballs from GitHub
releases, which are generated automatically. These contained only the dormant
segment of the malicious code. The crucial component that would activate the
backdoor during the build process was not detected in the scrutinized tarball
archives.

For those interested, the source tarballs employed in the official OpenWrt
snapshot builds are still accessible at
http://sources.openwrt.org/xz-5.6.1.tar.xz.backdoored and
http://sources.openwrt.org/xz-5.6.1.tar.bz2.backdoored, with their respective
sha256sums:

 d300422649a0124b1121630be559c890ceedf32667d7064b8128933166c217c8  xz-5.6.1.tar.bz2
 f334777310ca3ae9ba07206d78ed286a655aa3f44eec27854f740c26b2cd2ed0  xz-5.6.1.tar.xz

Binary packages built using affected xz sources can be downloaded from
https://mirror-03.infra.openwrt.org/snapshots/packages/xz-5.6.1-ipks.tar.gz,
sha256sum is a376b30cc8afe2ebf92316b47c640e845cd76bef4f2c593ca22e6fc12deb580d.

Timeline, 2024-03-29, CET timezone:

  16:17 - Started investigating the issue
  16:59 - Reverting the xz 5.6.1 package version bumps
  17:11 - Moved affected sources/packages to .backdoored file suffixes on
          downloads.openwrt.org and sources.openwrt.org servers
  19:08 - CDN cache invalidated as well


1. https://www.openwall.com/lists/oss-security/2024/03/29/4


Happy Easter! :-)


Cheers,

Petr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-announce/attachments/20240330/5ac6b814/attachment.sig>


More information about the openwrt-announce mailing list