[manjaro-security] [ASA-202403-1] xz: arbitrary code execution

Santiago Torres-Arias santiago at archlinux.org
Fri Mar 29 19:53:34 CET 2024

Arch Linux Security Advisory ASA-202403-1

Severity: Critical
Date    : 2024-03-29
CVE-ID  : CVE-2024-3094
Package : xz
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2851


The package xz before version 5.6.1-2 is vulnerable to arbitrary code


Upgrade to 5.6.1-2.

# pacman -Syu "xz>=5.6.1-2"

The problem has been fixed upstream in version 5.6.1.




Malicious code was discovered in the upstream tarballs of xz, starting
with version 5.6.0. The tarballs included extra .m4 files, which
contained instructions for building with automake that did not exist in
the repository. These instructions, through a series of complex
obfuscations, extract a prebuilt object file from one of the test
archives, which is then used to modify specific functions in the code
while building the liblzma package. This issue results in liblzma being
used by additional software, like sshd, to provide functionality that
will be interpreted by the modified functions.


The malicious code path does not exist in the arch version of sshd, as
it does not link to liblzma.

However, out of an abundance of caution, we advise users to avoid the
vulnerable code in their system as it is possible it could be triggered
from other, un-identified vectors.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20240329/78984302/attachment.sig>

More information about the manjaro-security mailing list