On Fri, Mar 29, 2024 at 03:01:34PM -0500, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 07:56:49 PM +00:00:00, Richard W.M. Jones
> <rjones(a)redhat.com> wrote:
> > secalert are already well aware and have approved the update. Kevin
> > Fenzi, myself and others were working on it late last night :-(
>
> Sorry, I linked to the wrong article. I meant to link to [1] which
> says that "At this time the Fedora Linux 40 builds have not been
> shown to be compromised. We believe the malicious code injection did
> not take effect in these builds." But this statement contradicts my
> findings above, and you just replied "yes" to those, implying that
> my understanding is correct. So I guess either this blog post is
> wrong and needs to be updated, or you're wrong about me being right.
> Er, correct? :)
>
> [1]
> https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhid...

These are the exact builds which were vulnerable. Note the tags are
all empty because Kevin untagged them last night, so you'll probably
need to cross-reference these with bodhi updates.
xz-5.6.0-1.fc41
https://koji.fedoraproject.org/koji/buildinfo?buildID=2411083
xz-5.6.0-1.fc40
https://koji.fedoraproject.org/koji/buildinfo?buildID=2411092
xz-5.6.0-2.fc41
https://koji.fedoraproject.org/koji/buildinfo?buildID=2412686
xz-5.6.0-2.fc40
https://koji.fedoraproject.org/koji/buildinfo?buildID=2412698
xz-5.6.0-2.eln136
https://koji.fedoraproject.org/koji/buildinfo?buildID=2412908
xz-5.6.1-1.fc41
https://koji.fedoraproject.org/koji/buildinfo?buildID=2417414
xz-5.6.1-1.eln136
https://koji.fedoraproject.org/koji/buildinfo?buildID=2417425
NOT known to be vulnerable:
* xz-5.6.0-3.fc41 (because --disable-ifunc)
* xz-5.6.0-3.fc40 (because --disable-ifunc)
* anything < 5.6.0
You can also use the detection script "detect.sh" written by Vegard
Nossum (https://www.openwall.com/lists/oss-security/2024/03/29/4).

Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages.
http://libguestfs.org
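
Added example, not part of the message above and not Fedora's or Vegard Nossum's code: a small POSIX sh script that classifies an xz build NVR against the two lists Rich gives (the seven builds listed as vulnerable, and the -3 builds plus anything < 5.6.0 listed as not known to be vulnerable), and optionally checks the installed xz-libs package on an rpm-based host. The NVR lists are copied from the message; the "unknown" bucket, the sample NVRs in the usage comment, and the use of `sort -V` (GNU coreutils) for the version comparison are my assumptions. The live check reads the source RPM name of xz-libs because the injected code lives in liblzma, which Fedora ships in xz-libs rather than the xz binary package.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post). Classify xz NVRs
# against the build list Rich Jones posted, and optionally the installed
# xz-libs package. Requires GNU sort (-V) for the version comparison.

# Builds listed in the message as vulnerable (copied verbatim from the post).
VULNERABLE_NVRS="xz-5.6.0-1.fc41 xz-5.6.0-1.fc40 xz-5.6.0-2.fc41 xz-5.6.0-2.fc40 \
xz-5.6.0-2.eln136 xz-5.6.1-1.fc41 xz-5.6.1-1.eln136"
# Builds listed as NOT known to be vulnerable (built with --disable-ifunc).
SAFE_NVRS="xz-5.6.0-3.fc41 xz-5.6.0-3.fc40"

# version_lt A B: succeeds when version A sorts strictly before version B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# classify_xz_nvr NAME-VERSION-RELEASE
# Prints exactly one of: vulnerable | not-known-vulnerable | unknown
# "unknown" (my own bucket) is a 5.6.x build on neither list, or a package
# that is not xz at all; cross-reference those with koji/bodhi by hand.
classify_xz_nvr() {
    _cand=$1
    case "$_cand" in
        xz-*) ;;
        *) echo unknown; return 0 ;;
    esac
    _vr=${_cand#xz-}        # VERSION-RELEASE
    _ver=${_vr%%-*}         # VERSION only
    for _v in $VULNERABLE_NVRS; do
        [ "$_cand" = "$_v" ] && { echo vulnerable; return 0; }
    done
    for _s in $SAFE_NVRS; do
        [ "$_cand" = "$_s" ] && { echo not-known-vulnerable; return 0; }
    done
    if version_lt "$_ver" 5.6.0; then
        echo not-known-vulnerable
    else
        echo unknown
    fi
    return 0
}

# check_installed_xz: on an rpm host, map the installed xz-libs back to its
# source build (xz-VERSION-RELEASE.src.rpm) and classify that NVR.
check_installed_xz() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping live check" >&2; return 0; }
    rpm -q xz-libs >/dev/null 2>&1 || { echo "xz-libs is not installed" >&2; return 0; }
    for _srpm in $(rpm -q --qf '%{SOURCERPM}\n' xz-libs 2>/dev/null || true); do
        _build=${_srpm%.src.rpm}
        printf '%s: %s\n' "$_build" "$(classify_xz_nvr "$_build")"
    done
}

# Usage: ./xz-nvr-check.sh xz-5.6.0-1.fc40 xz-5.4.6-1.fc40   (sample NVRs, constructed)
#        ./xz-nvr-check.sh                                  (check installed xz-libs)
if [ "$#" -gt 0 ]; then
    for _arg in "$@"; do
        printf '%s: %s\n' "$_arg" "$(classify_xz_nvr "$_arg")"
    done
else
    check_installed_xz
fi
```

The classification deliberately says "unknown" rather than "safe" for any 5.6.x build not on Rich's lists, since the message only vouches for the -3 rebuilds and for versions below 5.6.0; everything else should be cross-referenced against the koji build IDs and bodhi updates he points at.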