On Fri, Mar 29 2024 at 06:46:59 PM +00:00:00, Christopher Klooz py0xc3@posteo.net wrote:
Yes, F40 beta is affected, along with rawhide, but not F38/F39.
Unless I'm misunderstanding something, it looks xz-5.6.0-1.fc40 and 5.6.0-2.fc40 are backdoored, yes? Then rjones unknowingly broke the backdoor in two different ways in 5.6.0-3.fc40, (a) by adding the --disable-ifunc configure flag [1], and also (b) by running everything through autoreconf to regenerate the malicious autogoo files [2]. So F40 stable was never affected, but F40 updates-testing looks like it really was backdoored for about one week, between February 27 [3] and March 4 [4].
Hey Richard, if you agree with my quick assessment, then we should ask secalert@redhat.com to update the warning article [5]. (I also don't like the confusing references to "Fedora 41" in that article, since Fedora 41 does not yet exist as something separate from rawhide.)
[1] https://src.fedoraproject.org/rpms/xz/c/c837ae96c716c6d63da2b4a016e9034ade2a... [2] https://src.fedoraproject.org/rpms/xz/c/d2408dde878851ca6350297a738a72496a95... [3] https://bodhi.fedoraproject.org/updates/FEDORA-2024-a7fba89402 [4] https://bodhi.fedoraproject.org/updates/FEDORA-2024-f5033032b8 [5] https://access.redhat.com/security/cve/CVE-2024-3094