Conclusions from CVE-2024-3094 (libxz disaster)

Thibaut hacks at slashdirt.org
Sun Mar 31 03:05:03 PDT 2024


> Le 31 mars 2024 à 01:07, Elliott Mitchell <ehem+openwrt at m5p.com> a écrit :
> 
>> Normally upstream publishes release tarballs that are different than the
>> automatically generated ones in GitHub. In these modified tarballs, a
>> malicious version of build-to-host.m4 is included to execute a script
>> during the build process.
> 
> So the malicious source code was part of all tarballs, but only the
> tarballs with the modified `build-to-host.m4` would trigger the malicious
> payload.
> 
> So obtaining GitHub's tarballs which came directly from the Git
> repository *does* avoid the breach.

https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00

Let’s not lure ourselves into thinking that not using upstream-provided tarballs but upstream-provided repo instead is inherently safer. With adversarial upstream, *nothing* is safe anyway.

And even when upstream repo isn’t entirely under adversarial control, a bad actor can sneak stuff in:
https://github.com/libarchive/libarchive/commit/6110e9c82d8ba830c3440f36b990483ceaaea52c

My 2c.
T


More information about the openwrt-devel mailing list