Add 2024-03-30-xz-utils-CVE-2024-3094.md

_posts/2024-03-30-xz-utils-CVE-2024-3094.md

@@ -0,0 +1,41 @@
+---
+layout: post
+title: CVE-2024-3094
+synopsis: CVE-2024-3094 - OmniOS is not vulnerable
+---
+
+Yesterday we learned of a supply chain back door in the `xz-utils` software
+via an announcement at
+<https://www.openwall.com/lists/oss-security/2024/03/29/4>
+The vulnerability was distributed with versions 5.6.0 and 5.6.1 of `xz`.
+
+**OmniOS is NOT affected by CVE-2024-3094**
+
+The malicious code is only present in binary artefacts if the build system
+is Linux (and there are some additional constraints too) and if the system
+linker is GNU ld -- neither of which are true for our packages. The payload is
+also a Linux ELF binary which would not successfully link into code built for
+OmniOS.
+
+We have also only ever shipped xz-utils 5.6.x as part of the unstable bloody
+testing release, stable releases contain older versions:
+
+ - r151038 ships version 5.2.6
+ - r151046 ships version 5.4.2
+ - r151048 ships version 5.4.4
+ - bloody ships version 5.6.1
+
+Despite not being affected, we have now
+[switched builds of `xz` in bloody](https://github.com/omniosorg/omnios-build/pull/3525)
+to using the raw source archive, which does not contain the malicious injection
+code, and generating the autoconf files ourselves. We have not downgraded to
+an earlier version as it is not clear which earlier version can be considered
+completely safe given that the perpetrator has been responsible for maintaining
+and signing releases back to version 5.4.3.
+
+Once a cleaned 5.6.2 release is available, we will upgrade to that.
+
+---
+
+Any problems or questions, please [get in touch](/about/contact.html).
+