Impact of CVE-2024-3094? (xz/lzma backdoor) #10520
Comments
We don't depend on libxz, nor do we use it for building the releases. You may be affected indirectly if you built your own version using Homebrew, as it uses xz utils for building some of the dependencies. As of 2.7.7, we are not using Homebrew anymore and libxz is not among the build or runtime dependencies. Could you point me to the reports claiming KeePassXC may be affected?
So far I have seen this actually referring to a link between everything, not xz specifically, but the use of lzma, xz, and then keepassxc. https://news.ycombinator.com/item?id=39868804 Otherwise, it has just been discussions around Passkeys, and the like: https://news.ycombinator.com/item?id=39872418 Not trying to spread fear, more just wanting to check how/if anything is related in this case. Appreciate the comment re this.
We do indeed have liblzma as a dependency, but from my understanding, the backdoor was in libxz and tried to patch itself into liblzma from there. Correct me if I'm wrong.
No idea, that was the intended goal of this "bug", but I couldn't make this more of a discussion than a bug report in the issues section. :) I have only just been reading everything, so not too far into the weeds on how it encroaches just yet. But given the current ongoing process with the discovery of the CVE, I figured it was better suited in "issues" than in "discussions".
It seems that liblzma and libxz come from the same source package. However, the liblzma that was used for building 2.7.7 is still 5.4.4, which is supposedly unaffected.
I'll close this as completed for now. If new evidence comes up, we can reopen it. I'll pin it to the top, so people find this more easily.
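The question the thread keeps circling back to is whether a given KeePassXC binary actually loads liblzma at runtime and, if so, which liblzma version. The script below is an added example, not KeePassXC project code, that answers both for any ELF binary on a Linux host. It assumes ldd(1) and readlink -f are available and that the distribution installs liblzma under a versioned file name such as liblzma.so.5.4.4 (Debian, Fedora and Arch all do); a bundled copy inside an AppImage or Flatpak is not covered by this check. The affected set is the two xz-utils releases named in CVE-2024-3094, 5.6.0 and 5.6.1.

```shell
#!/bin/sh
# Added example (not KeePassXC project code): does a binary load liblzma,
# and is the loaded liblzma one of the xz-utils releases named in
# CVE-2024-3094 (5.6.0 and 5.6.1)?

# Exit 0 if the version string is an affected release, 1 otherwise.
lzma_version_affected() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Read ldd(1) output on stdin; print the resolved path of liblzma, if any.
# A transitive dependency (e.g. via libsystemd) shows up here just like a
# direct one, which is what matters: the backdoored object is mapped into
# every process that resolves it, whoever asked for it.
lzma_path_from_ldd() {
  awk '/liblzma\.so/ {
         for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit }
       }'
}

# Extract "5.4.4" from a fully resolved file name like
# /lib/x86_64-linux-gnu/liblzma.so.5.4.4 (assumption: distro packages
# install the real library under its full version, with .so.5 a symlink).
liblzma_version_from_soname() {
  basename "$1" | sed -n 's/^liblzma\.so\.\([0-9][0-9.]*\)$/\1/p'
}

# Full check on one binary. Prints a one-line verdict; returns 0 when the
# binary does not load an affected liblzma, 2 when it does.
check_binary() {
  bin="$1"
  path=$(ldd "$bin" 2>/dev/null | lzma_path_from_ldd)
  if [ -z "$path" ]; then
    echo "$bin: does not load liblzma"
    return 0
  fi
  real=$(readlink -f "$path")
  ver=$(liblzma_version_from_soname "$real")
  if lzma_version_affected "$ver"; then
    echo "$bin: loads $real, liblzma $ver is an affected release"
    return 2
  fi
  echo "$bin: loads $real, liblzma ${ver:-unknown} is not in the affected set"
  return 0
}

# Usage: sh check_lzma.sh /usr/bin/keepassxc
if [ $# -gt 0 ]; then
  check_binary "$1"
fi
```

A clean verdict here says only that the process image will not contain the backdoored object; it says nothing about a build machine that compressed release artefacts with a compromised xz, which is the Homebrew scenario raised above.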
From my deep dive into this yesterday I came away with the following:
Unless you run keepassxc from systemd, I am fairly confident we are isolated from this situation. I am watching and reading the news in case lzma or another dependency has a credible security concern.
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://news.ycombinator.com/item?id=39865810
There have been some reports of KeePassXC being affected. What are the impacts of the CVE against KeePassXC?