Login
Log in using an SSO provider:
Fedora Account System
Red Hat Associate
Login using a Red Hat Bugzilla account
Forgot Password
Create an Account
Red Hat Bugzilla – Bug 2272210
Home
New
Search
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh94 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
[?]
This site requires JavaScript to be enabled to function correctly, please enable it.
Bug 2272210
(
CVE-2024-3094
) -
CVE-2024-3094
xz: malicious code in distributed source
Summary:
CVE-2024-3094 xz: malicious code in distributed source
Keywords
:
Security
Status
:
NEW
Alias:
CVE-2024-3094
Product:
Security Response
Classification:
Other
Component:
vulnerability
Sub Component:
---
Version:
unspecified
Hardware:
All
OS:
Linux
Priority:
urgent
Severity:
urgent
Target Milestone:
---
Assignee:
Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
2272206
TreeView+
depends on
/
blocked
Reported:
2024-03-29 15:56 UTC by
Zack Miele
Modified:
2024-04-17 06:56 UTC (
History
)
CC List:
51 users
(
show
)
adudiak
asoldano
bbaranow
bdettelb
bdm
bmaxwell
brian.stansberry
caswilli
cdewolf
chazlett
darran.lofthouse
dfreiber
dkreling
dosoudil
drow
fjansen
fjuma
gabravier
germano.massullo
hkataria
ivassile
iweiss
jburrell
jmitchel
jsherril
jtanner
kaycoth
klaas
kshier
lgao
luizcosta
luke
mosmerov
msochure
mstefank
msvehla
nwallace
nweather
oezr
piotr.zygielo
pjindal
pmackay
rstancel
security-response-team
sidakwo
smaestri
stcannon
thomas
tom.jenkinson
vkumar
yguenane
Fixed In Version:
Doc Type:
If docs needed, set a value
Doc Text:
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Clone Of:
Environment:
Last Closed:
Embargoed:
Attachments
(Terms of Use)
Description
Zack Miele
2024-03-29 15:56:47 UTC
Malicious code discovered in the tarballs distributed from upstream sources beginning in 5.6.0.
Note
You need to
log in
before you can comment on or make changes to this bug.