Portable-Network-Archive / liblzma-rs

Bindings to liblzma in Rust (xz streams in Rust)
Apache License 2.0

CVE-2024-3094 reported for upstream xz #96

Open ChanTsune opened 3 months ago

ChanTsune commented 3 months ago

Announcement

CVE-2024-3094 reported for upstream xz

https://nvd.nist.gov/vuln/detail/CVE-2024-3094
https://www.openwall.com/lists/oss-security/2024/03/29/4

This project has versions (liblzma-sys 0.3.0, 0.3.1) that depend on xz 5.6.0 and 5.6.1, but we have confirmed that they do not use a tarball with the backdoor and are not directly affected.

However, if xz 5.6.0 or 5.6.1 is already installed on the system, the crate may be linked against that system xz. In this case, you can avoid using the system xz and build from sources that do not contain the malicious code by enabling the `static` feature of liblzma-sys (this build process does not use the upstream build scripts; it uses this project's own secure build method).

```toml
liblzma-sys = { version = "0.3.1", features = ["static"] }
# If you use liblzma
liblzma = { version = "0.3.0", features = ["static"] }
```

If you are concerned, avoid the versions (0.3.x, 0.3.1) that depend on xz 5.6.0 and 5.6.1 and use liblzma-sys 0.2.x instead. liblzma-sys 0.2.x depends on xz 5.4.x, which predates the affected releases.

Even in 0.2.x, if xz is installed on the system, it may be used, so the `static` feature also needs to be enabled in 0.2.x to avoid using the system's xz.

Related issue

#95 - thank you for the report @amousset

eduardosm commented 3 months ago

Will liblzma-sys 0.2.x reject the system's liblzma from xz 5.6.0?

According to the build script, it checks that the version is 5.4.4 or greater.

https://github.com/Portable-Network-Archive/liblzma-rs/blob/0f73c144bb49febeea8faa68ac38780e766f7988/liblzma-sys/build.rs#L6

https://github.com/Portable-Network-Archive/liblzma-rs/blob/0f73c144bb49febeea8faa68ac38780e766f7988/liblzma-sys/build.rs#L22-L24

ChanTsune commented 3 months ago

Thanks for your question, @eduardosm.

As you say, even in 0.2.x, if xz is installed on the system, it may be used. Even in 0.2.x, the `static` feature needs to be enabled to avoid using the system's xz. I will correct this to avoid any misunderstanding.
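The thread establishes that the 0.2.x build script only gates the system liblzma on `>= 5.4.4`, so a system xz 5.6.0 or 5.6.1 would still be linked. The following is an added example (not liblzma-sys's own build.rs) of a version gate a build script could apply to the version string pkg-config reports: it keeps the existing minimum but refuses the two backdoored upstream releases and falls back to building the bundled source. The `XzVersion`, `decide` and `Decision` names are assumptions for this example; a version string is only a coarse signal, so the `static` feature remains the robust choice.

```rust
// Added example, not the project's build script. Decides whether a build
// may link the system liblzma or must compile the bundled source instead.

#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone, Copy)]
pub struct XzVersion(u32, u32, u32);

/// Parse "5.6.1" (tolerating a suffix such as "5.4.4alpha") into a triple.
pub fn parse_version(s: &str) -> Option<XzVersion> {
    let mut parts = s.trim().splitn(3, '.');
    let major = parts.next()?.parse().ok()?;
    let minor = parts.next()?.parse().ok()?;
    // Keep only the leading digits of the patch component.
    let patch_str: String = parts.next()?.chars().take_while(|c| c.is_ascii_digit()).collect();
    let patch = patch_str.parse().ok()?;
    Some(XzVersion(major, minor, patch))
}

/// Minimum version the build script accepts (as discussed in the thread).
pub const MIN_VERSION: XzVersion = XzVersion(5, 4, 4);

/// Upstream releases whose tarballs carried the CVE-2024-3094 backdoor.
pub const BACKDOORED: [XzVersion; 2] = [XzVersion(5, 6, 0), XzVersion(5, 6, 1)];

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    LinkSystem,
    BuildBundled(&'static str),
}

/// `system_version` is what pkg-config reported, or None if no system
/// liblzma was found. Any rejection falls back to the bundled source.
pub fn decide(system_version: Option<&str>) -> Decision {
    match system_version.and_then(parse_version) {
        None => Decision::BuildBundled("no usable system liblzma"),
        Some(v) if BACKDOORED.contains(&v) => {
            Decision::BuildBundled("system liblzma is a CVE-2024-3094 release")
        }
        Some(v) if v < MIN_VERSION => Decision::BuildBundled("system liblzma older than 5.4.4"),
        Some(_) => Decision::LinkSystem,
    }
}

fn main() {
    // Constructed sample version strings, as pkg-config might report them.
    for v in ["5.4.6", "5.6.0", "5.6.1", "5.2.5", "garbage"] {
        println!("{v:>8} -> {:?}", decide(Some(v)));
    }
}
```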