On Fri, Mar 29, 2024 at 02:40:48PM -0500, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 06:46:59 PM +00:00:00, Christopher Klooz py0xc3@posteo.net wrote:
> > Yes, F40 beta is affected, along with rawhide, but not F38/F39.
>
> Unless I'm misunderstanding something, it looks like xz-5.6.0-1.fc40 and 5.6.0-2.fc40 are backdoored, yes? Then rjones unknowingly broke the backdoor in two different ways in 5.6.0-3.fc40, (a) by adding the --disable-ifunc configure flag [1],

Yes.

> and also (b) by running everything through autoreconf to regenerate the malicious autogoo files [2].

Sadly this on its own was not sufficient. You also have to delete m4/build-to-host.m4 first. But (a) was sufficient to prevent the backdoor on its own.

> So F40 stable was never affected, but F40 updates-testing looks like it really was backdoored for about one week, between February 27 [3] and March 4 [4].
>
> Hey Richard, if you agree with my quick assessment, then we should ask secalert@redhat.com to update the warning article [5]. (I also don't like the confusing references to "Fedora 41" in that article, since Fedora 41 does not yet exist as something separate from rawhide.)

secalert are already well aware and have approved the update. Kevin Fenzi, myself and others were working on it late last night :-(

Rich.

[1] https://src.fedoraproject.org/rpms/xz/c/c837ae96c716c6d63da2b4a016e9034ade2a...
[2] https://src.fedoraproject.org/rpms/xz/c/d2408dde878851ca6350297a738a72496a95...
[3] https://bodhi.fedoraproject.org/updates/FEDORA-2024-a7fba89402
[4] https://bodhi.fedoraproject.org/updates/FEDORA-2024-f5033032b8
[5] https://access.redhat.com/security/cve/CVE-2024-3094
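
An added example, not part of the thread and not Fedora's packaging code: a shell check that reports whether a spec file carries the two build changes discussed above, namely the --disable-ifunc configure flag and an autoreconf run that is preceded by removal of m4/build-to-host.m4. The function name, output format and sample spec fragments are constructed for illustration.

```shell
#!/bin/sh
# audit_xz_spec (hypothetical helper): reads a spec from a file argument or
# stdin and prints one line describing the two changes named in the thread.
#   ifunc_disabled=yes|no       --disable-ifunc appears on a non-comment line
#   regenerated=no              autoreconf is never run
#   regenerated=stale-m4        autoreconf runs, m4/build-to-host.m4 not removed first
#   regenerated=clean           m4/build-to-host.m4 is removed before autoreconf
audit_xz_spec() {
    awk '
        /^[ \t]*#/ { next }                            # ignore spec comments
        /--disable-ifunc/ { ifunc = 1 }
        /rm .*m4\/build-to-host\.m4/ { removed = 1 }
        /autoreconf/ { if (!seen) { seen = 1; clean = removed } }  # order matters
        END {
            printf "ifunc_disabled=%s ", (ifunc ? "yes" : "no")
            printf "regenerated=%s\n", (!seen ? "no" : (clean ? "clean" : "stale-m4"))
        }
    ' "$@"
}

# Constructed spec fragments (not the real xz.spec from any Fedora build).
SPEC_UNMITIGATED='%build
%configure
%make_build'

SPEC_AUTORECONF_ONLY='%build
autoreconf -fi
%configure
%make_build'

SPEC_IFUNC='%build
# autoreconf was considered here
%configure --disable-ifunc
%make_build'

SPEC_BOTH='%prep
rm -f m4/build-to-host.m4
%build
autoreconf -fi
%configure --disable-ifunc
%make_build'

for s in "$SPEC_UNMITIGATED" "$SPEC_AUTORECONF_ONLY" "$SPEC_IFUNC" "$SPEC_BOTH"; do
    printf '%s\n' "$s" | audit_xz_spec
done
```

The output describes the spec text only; it says nothing about what is inside the source tarball the spec builds from.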