
Impact of CVE-2024-3094? (xz/lzma backdoor) #10520

Closed
delize opened this issue Mar 30, 2024 · 7 comments
Comments

@delize

delize commented Mar 30, 2024

https://nvd.nist.gov/vuln/detail/CVE-2024-3094
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://news.ycombinator.com/item?id=39865810

There have been some reports of KeepassXC being affected - what are the impacts of the CVE against KeepassXC?

@delize delize added the bug label Mar 30, 2024
@phoerious
Member

phoerious commented Mar 30, 2024

We don't depend on libxz, nor do we use it for building the releases. You may be affected indirectly if you built your own version using Homebrew, as it uses xz utils for building some of the dependencies. As of 2.7.7, we are not using Homebrew anymore and libxz is not among the build or runtime dependencies.

Could you point me to the reports claiming KeePassXC may be affected?

@delize
Author

delize commented Mar 30, 2024

So far I have seen this actually referring to a link between everything, not xz specifically, but the use of lzma, xz, and then keepassxc.

https://news.ycombinator.com/item?id=39868804

Otherwise, it has just been discussions around Passkeys, and the like:

https://news.ycombinator.com/item?id=39872418
https://news.ycombinator.com/item?id=39873343

Not trying to spread fear, more just wanting to check how/if anything is related in this case. Appreciate the comment re this.

@phoerious
Member

phoerious commented Mar 30, 2024

We do indeed have liblzma as a dependency, but from my understanding, the backdoor was in libxz and tried to patch itself into liblzma from there. Correct me if I'm wrong.

@delize
Author

delize commented Mar 30, 2024

> Correct me if I'm wrong.

No idea; that was the intended goal of this "bug", but I couldn't make this more of a discussion than a bug report in the issues section. :) I have only just been reading everything, so I'm not too far into the weeds on how it encroaches just yet.

But given the current ongoing process with the discovery of the CVE, figured it was better suited in "issues" than in "discussions".

@phoerious
Member

phoerious commented Mar 30, 2024

It seems that liblzma and libxz come from the same source package. However, the liblzma that was used for building 2.7.7 is still 5.4.4, which is supposedly unaffected.

@phoerious
Member

I'll close this as completed for now. If new evidence comes up, we can reopen it. I'll pin it to the top, so people find this more easily.

@phoerious phoerious pinned this issue Mar 30, 2024
@phoerious phoerious changed the title Impact of CVE-2024-3094? Impact of CVE-2024-3094? (xz/lzma backdoor) Mar 30, 2024
@droidmonkey
Member

From my deep dive into this yesterday I came away with the following:

  • There is only one known attack vector from xz as of this post
  • xz dev added build script and test data files that combined together to build the exploit payload
  • exploit payload was only built when deb or rpm packages were made (this may not be entirely true)
  • exploit worked roughly as xz -> lzma -> systemd -> sshd
  • There are two years of commits to comb through to know if other exploits were landed

Unless you run keepassxc from systemd, I am fairly confident we are isolated from this situation. I am watching and reading the news in case lzma or another dependency has a credible security concern.
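As an added example that is not part of this issue thread or of KeePassXC's own code: a POSIX shell check a defender can run locally to confirm what the two preceding comments describe, namely whether a binary (keepassxc here) dynamically links liblzma at all, and whether the installed liblzma is one of the two backdoored releases, 5.6.0 and 5.6.1, named in the NVD and openwall advisories linked at the top of the thread (the thread itself only names 5.4.4 as the unaffected version used to build 2.7.7). The ldd and xz --version samples below are constructed, not captured from a real system, and the ldd line format is assumed to be the glibc one.

```shell
#!/bin/sh
# Added example (not KeePassXC project code). Classifies a binary's exposure
# to the xz/liblzma backdoor: does it link liblzma, and is the installed
# liblzma one of the backdoored releases (5.6.0 / 5.6.1 per the advisory)?
# Assumption: `ldd` prints "libname.so => path (addr)" lines (glibc format)
# and `xz --version` prints a second line of the form "liblzma X.Y.Z".

# Returns 0 if the given ldd output lists liblzma, 1 otherwise.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Extracts the liblzma version string from `xz --version` output.
liblzma_version() {
    printf '%s\n' "$1" | awk '/^liblzma /{print $2; exit}'
}

# Returns 0 if the version is one of the two known backdoored releases.
lzma_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Combines both checks into one verdict for a binary.
# $1 = ldd output for the binary, $2 = xz --version output
assess_binary() {
    if ! links_liblzma "$1"; then
        echo "not-linked"
    elif lzma_version_affected "$(liblzma_version "$2")"; then
        echo "linked-affected"
    else
        echo "linked-unaffected"
    fi
}

# Constructed sample input (not captured from a real machine).
SAMPLE_LDD_KEEPASSXC='    linux-vdso.so.1 (0x00007ffd00000000)
    libQt5Core.so.5 => /usr/lib/libQt5Core.so.5 (0x00007f0000000000)
    liblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007f0100000000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f0200000000)'
SAMPLE_XZ_VERSION_OK='xz (XZ Utils) 5.4.4
liblzma 5.4.4'
SAMPLE_XZ_VERSION_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Runs the check on the constructed samples, then on the live system if
# ldd and xz are available (binary path may be given as the first argument).
main() {
    echo "sample, liblzma 5.4.4: $(assess_binary "$SAMPLE_LDD_KEEPASSXC" "$SAMPLE_XZ_VERSION_OK")"
    echo "sample, liblzma 5.6.1: $(assess_binary "$SAMPLE_LDD_KEEPASSXC" "$SAMPLE_XZ_VERSION_BAD")"
    if command -v ldd >/dev/null 2>&1 && command -v xz >/dev/null 2>&1; then
        bin="${1:-$(command -v keepassxc || true)}"
        if [ -n "$bin" ]; then
            echo "$bin: $(assess_binary "$(ldd "$bin" 2>/dev/null || true)" "$(xz --version 2>/dev/null || true)")"
        fi
    fi
}

main "$@"
```

The verdict is about library exposure, not about compromise of the application: per the advisory, the payload hooked into sshd via systemd, so a "linked-affected" result means the system's liblzma package needs replacing, not that the checked binary itself was modified. Reading the version from xz --version also assumes the binary and the xz tool share the system liblzma; a build that bundles its own copy (an AppImage, for instance) would need the bundled file inspected instead.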

@phoerious phoerious unpinned this issue May 6, 2024