Arch Linux Security Advisory ASA-202403-1
=========================================

Severity: Critical
Date    : 2024-03-29
CVE-ID  : CVE-2024-3094
Package : xz
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2851

Summary
=======

The package xz before version 5.6.1-2 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 5.6.1-2.

# pacman -Syu "xz>=5.6.1-2"

The problem has been fixed upstream in version 5.6.1.

Workaround
==========

None.

Description
===========

Malicious code was discovered in the upstream tarballs of xz, starting
with version 5.6.0. The tarballs included extra .m4 files, which
contained instructions for building with automake that did not exist in
the repository. These instructions, through a series of complex
obfuscations, extract a prebuilt object file from one of the test
archives, which is then used to modify specific functions in the code
while building the liblzma package. This issue results in liblzma being
used by additional software, like sshd, to provide functionality that
will be interpreted by the modified functions.

Impact
======

The malicious code path does not exist in the arch version of sshd, as
it does not link to liblzma.

However, out of an abundance of caution, we advise users to avoid the
vulnerable code in their system as it is possible it could be triggered
from other, un-identified vectors.

References
==========

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://security.archlinux.org/CVE-2024-3094