
[ASA-202403-1] xz: arbitrary code execution

Published: 2024-03-29 00:00:00 (security.archlinux.org)

CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score: 7.2 High (Confidence: High)
EPSS: 0.133 Low (Percentile: 95.6%)

Arch Linux Security Advisory ASA-202403-1

Severity: Critical
Date : 2024-03-29
CVE-ID : CVE-2024-3094
Package : xz
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-2851

Summary

The package xz before version 5.6.1-2 is vulnerable to arbitrary code
execution.

Resolution

Upgrade to 5.6.1-2.

pacman -Syu "xz>=5.6.1-2"

The problem has been fixed upstream in version 5.6.1.

Workaround

None.

Description

Malicious code was discovered in the upstream tarballs of xz, starting
with version 5.6.0. The tarballs included extra .m4 files containing
automake build instructions that do not exist in the upstream
repository. These instructions, through a series of complex
obfuscations, extract a prebuilt object file from one of the test
archives and use it to modify specific functions in the code while the
liblzma package is being built. Because liblzma is used by additional
software, such as sshd, that software then calls into the modified
functions through liblzma.

Impact

The malicious code path does not exist in the Arch version of sshd, as
it does not link to liblzma.

However, out of an abundance of caution, we advise users to avoid the
vulnerable code on their systems, as it is possible that it could be
triggered through other, unidentified vectors.
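A practitioner reading the Resolution and Impact sections will want a repeatable way to check a host against both statements: whether the installed xz package is older than the fixed 5.6.1-2, and whether the local sshd binary actually links liblzma. The script below is an added example written for this page, not code from Arch Linux or the advisory. It parses the output of `pacman -Q xz` and `ldd /usr/bin/sshd` and applies the version boundaries the advisory gives (5.6.0 as the first backdoored upstream release, 5.6.1-2 as the fixed package). The sample command outputs embedded in it are constructed, not captured from a real host, and its version comparison is a simplified approximation of pacman's own vercmp rules (an assumption, adequate for the versions involved here).

```python
"""Assess a host against ASA-202403-1 (xz, CVE-2024-3094).

Added example, not part of the advisory. Parses 'pacman -Q xz' and
'ldd /usr/bin/sshd' output; falls back to constructed samples when the
commands are not available (e.g. when run off an Arch host).
"""
import re
import subprocess
from typing import Dict, Tuple

FIXED_VERSION = "5.6.1-2"    # package version the advisory names as fixed
FIRST_BAD_VERSION = "5.6.0"  # first upstream release whose tarballs carried the malicious code


def _component(part: str) -> Tuple[int, object]:
    # Numeric parts compare as integers; non-numeric parts sort before numbers.
    return (1, int(part)) if part.isdigit() else (0, part)


def parse_version(ver: str):
    """Parse an Arch version '[epoch:]pkgver[-pkgrel]' into a comparable tuple.
    Simplified approximation of pacman's vercmp (assumption)."""
    epoch = 0
    if ":" in ver:
        epoch_str, ver = ver.split(":", 1)
        epoch = int(epoch_str)
    pkgver, _, pkgrel = ver.partition("-")
    ver_parts = tuple(_component(p) for p in re.split(r"[.+_]", pkgver))
    rel_parts = tuple(_component(p) for p in pkgrel.split(".")) if pkgrel else ()
    return (epoch, ver_parts, rel_parts)


def version_lt(a: str, b: str) -> bool:
    return parse_version(a) < parse_version(b)


def parse_pacman_q(output: str) -> str:
    """Extract the version from 'pacman -Q xz' output such as 'xz 5.6.1-1'."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "xz":
            return fields[1]
    raise ValueError("no 'xz <version>' line in pacman output")


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if any line of 'ldd /usr/bin/sshd' output names liblzma."""
    return any("liblzma.so" in line for line in ldd_output.splitlines())


def assess(pacman_q_output: str, ldd_output: str) -> Dict[str, object]:
    installed = parse_pacman_q(pacman_q_output)
    below_fix = version_lt(installed, FIXED_VERSION)
    return {
        "installed": installed,
        # advisory: every xz before 5.6.1-2 should be upgraded
        "needs_upgrade": below_fix,
        # narrower: package built from a tarball known to carry the malicious code
        "backdoored_source_range": below_fix and not version_lt(installed, FIRST_BAD_VERSION),
        # advisory: Arch's sshd does not link liblzma; confirm on this host
        "sshd_links_liblzma": sshd_links_liblzma(ldd_output),
    }


# Constructed sample outputs (not captured from a real host).
SAMPLE_PACMAN_Q = "xz 5.6.1-1\n"
SAMPLE_LDD_ARCH = (
    "\tlinux-vdso.so.1 (0x0000000000000000)\n"
    "\tlibcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x0000000000000000)\n"
    "\tlibz.so.1 => /usr/lib/libz.so.1 (0x0000000000000000)\n"
    "\tlibc.so.6 => /usr/lib/libc.so.6 (0x0000000000000000)\n"
)
# Same binary but with a liblzma dependency, as a distro-patched sshd might show.
SAMPLE_LDD_WITH_LZMA = SAMPLE_LDD_ARCH + "\tliblzma.so.5 => /usr/lib/liblzma.so.5 (0x0000000000000000)\n"


def _run(cmd):
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    pac = _run(["pacman", "-Q", "xz"]) or SAMPLE_PACMAN_Q
    ldd = _run(["ldd", "/usr/bin/sshd"]) or SAMPLE_LDD_ARCH
    for key, val in assess(pac, ldd).items():
        print(f"{key}: {val}")
```

Run it as root or as a normal user on the Arch host in question; `needs_upgrade` mirrors the advisory's upgrade instruction, while `sshd_links_liblzma` confirms the linkage claim from the Impact section for the binary actually installed rather than assuming it.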

References

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://security.archlinux.org/CVE-2024-3094

OS         OS Version  Architecture  Package  Package Version  Filename
ArchLinux  any         any           xz       < 5.6.1-2        UNKNOWN
