Subject: [ASA-202403-1] xz: arbitrary code execution

Arch Linux Security Advisory ASA-202403-1
=========================================

Severity: Critical
Date    : 2024-03-29
CVE-ID  : CVE-2024-3094
Package : xz
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2851

Summary
=======

The package xz before version 5.6.1-2 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 5.6.1-2.

# pacman -Syu "xz>=5.6.1-2"

The problem has been fixed upstream in version 5.6.1.

Workaround
==========

None.

Description
===========

Malicious code was discovered in the upstream tarballs of xz, starting with
version 5.6.0. The tarballs included extra .m4 files, which contained
instructions for building with automake that did not exist in the repository.
Through a series of complex obfuscations, these instructions extract a
prebuilt object file from one of the test archives, which is then used to
modify specific functions in the code while the liblzma package is being
built. Other software that links liblzma, such as sshd, consequently has the
affected functionality handled by the modified functions.

Impact
======

The malicious code path does not exist in the Arch version of sshd, as it does
not link to liblzma. However, out of an abundance of caution, we advise users
to remove the vulnerable code from their systems, as it is possible it could be
triggered from other, unidentified vectors.

References
==========

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://security.archlinux.org/CVE-2024-3094
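The Description above hinges on release tarballs carrying .m4 build instructions that were never committed to the repository. The following added example (not part of the advisory or of the xz project) shows the corresponding defender check: diff a release archive against the file list tracked at the matching tag, tolerate the autotools output a normal `make dist` adds, and flag anything else, .m4 macros in particular, since automake and configure execute them during the build. The archive contents and repository file list are constructed sample data, not the real xz 5.6.0 release.

```python
"""Report files present in a release tarball but absent from the repository tag."""
import io
import tarfile
from fnmatch import fnmatch

# Generated files a normal `make dist` legitimately adds; kept deliberately narrow
# so that anything outside this list must be explained by a human.
EXPECTED_GENERATED = ("configure", "aclocal.m4", "config.h.in", "*Makefile.in",
                      "build-aux/*", "INSTALL", "ABOUT-NLS", "po/*.pot")

def tarball_members(data: bytes) -> set[str]:
    """Return regular-file paths inside a .tar.gz, with the top-level directory stripped."""
    paths = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                paths.add(member.name.split("/", 1)[1])
    return paths

def audit(tar_paths: set[str], repo_paths: set[str]) -> dict:
    """Classify tarball-only files as expected build output or unexpected additions."""
    extra = sorted(tar_paths - repo_paths)
    expected = [p for p in extra if any(fnmatch(p, g) for g in EXPECTED_GENERATED)]
    unexpected = [p for p in extra if p not in expected]
    # .m4 macros are executed by autoreconf/configure, so they get their own bucket.
    suspicious = [p for p in unexpected if p.endswith(".m4")]
    return {"expected": expected, "unexpected": unexpected, "suspicious_m4": suspicious}

def build_sample_tarball() -> bytes:
    """Constructed sample release archive (empty files); NOT the real xz contents."""
    files = ["configure.ac", "Makefile.am", "configure", "Makefile.in",
             "m4/ax_pthread.m4", "m4/extra-build-rule.m4",
             "tests/files/good-1.xz", "tests/files/extra-sample.xz"]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in files:
            info = tarfile.TarInfo(name="xz-5.6.0/" + name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()

# Constructed stand-in for `git ls-files` at the release tag.
SAMPLE_REPO_FILES = {"configure.ac", "Makefile.am", "m4/ax_pthread.m4",
                     "tests/files/good-1.xz"}

if __name__ == "__main__":
    report = audit(tarball_members(build_sample_tarball()), SAMPLE_REPO_FILES)
    for bucket, paths in report.items():
        print(f"{bucket}: {paths}")
```

Against a real release, replace the sample inputs with the downloaded tarball bytes and the output of `git ls-files` at the corresponding tag.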