keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Impact of CVE-2024-3094? (xz/lzma backdoor) #10520

Closed delize closed 3 months ago

delize commented 3 months ago

https://nvd.nist.gov/vuln/detail/CVE-2024-3094 https://www.openwall.com/lists/oss-security/2024/03/29/4 https://news.ycombinator.com/item?id=39865810

There have been some reports of KeePassXC being affected - what are the impacts of the CVE against KeePassXC?

phoerious commented 3 months ago

We don't depend on libxz, nor do we use it for building the releases. You may be affected indirectly if you built your own version using Homebrew, as it uses xz utils for building some of the dependencies. As of 2.7.7, we are not using Homebrew anymore and libxz is not among the build or runtime dependencies.

Could you point me to the reports claiming KeePassXC may be affected?

delize commented 3 months ago

So far I have seen this actually referring to a link between everything, not xz specifically, but the use of lzma, xz, and then keepassxc.

https://news.ycombinator.com/item?id=39868804

Otherwise, it has just been discussions around Passkeys, and the like:

https://news.ycombinator.com/item?id=39872418 https://news.ycombinator.com/item?id=39873343

Not trying to spread fear, more just wanting to check how/if anything is related in this case. Appreciate the comment re this.

phoerious commented 3 months ago

We do indeed have liblzma as a dependency, but from my understanding, the backdoor was in libxz and tried to patch itself into liblzma from there. Correct me if I'm wrong.

delize commented 3 months ago

Correct me if I'm wrong.

No idea, that was the intended goal of this "bug", but I couldn't make this more of a discussion than a bug report in the issues section. :) I have only just been reading everything - so not too far into the weeds on how it encroaches just yet.

But given the current ongoing process with the discovery of the CVE, figured it was better suited in "issues" than in "discussions".

phoerious commented 3 months ago

It seems that liblzma and libxz come from the same source package. However, the liblzma that was used for building 2.7.7 is still 5.4.4, which is supposedly unaffected.

phoerious commented 3 months ago

I'll close this as completed for now. If new evidence comes up, we can reopen it. I'll pin it to the top, so people find this more easily.

droidmonkey commented 3 months ago

From my deep dive into this yesterday I came away with the following:

Unless you run keepassxc from systemd, I am fairly confident we are isolated from this situation. I am watching and reading the news in case lzma or another dependency has a credible security concern.
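As an added example (not code from this thread or from the KeePassXC project), the check a maintainer would run after a discussion like this: parse an `ldd` listing of a binary, report whether it links liblzma, whether that liblzma is one of the backdoored xz-utils releases, and whether libsystemd is also loaded, since the last comment singles out systemd as the exposure path. The `ldd` output is a constructed sample with library paths already resolved (as `readlink -f` would show them); the function and dict key names are this example's own.

```python
"""Defensive dependency check for CVE-2024-3094 exposure from an `ldd` listing."""
import re
from typing import Dict, Optional, Tuple

# xz-utils releases that shipped the backdoored liblzma (CVE-2024-3094).
AFFECTED_LZMA_VERSIONS = {(5, 6, 0), (5, 6, 1)}

# Constructed sample `ldd` output with paths resolved to the real file names;
# made-up data for this example, not output from a real KeePassXC build.
SAMPLE_LDD = """\
    linux-vdso.so.1 (0x00007ffd4b3f1000)
    liblzma.so.5 => /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.4 (0x00007f0a1bfc0000)
    libsystemd.so.0 => /usr/lib/x86_64-linux-gnu/libsystemd.so.0.35.0 (0x00007f0a1bf00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1bd00000)
"""

LDD_LINE = re.compile(r"^\s*(?P<soname>\S+)\s*=>\s*(?P<path>\S+)")
SO_VERSION = re.compile(r"\.so\.(\d+(?:\.\d+)*)$")


def parse_ldd(text: str) -> Dict[str, str]:
    """Map each soname to its resolved path; 'not found' entries map to ''."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            path = m.group("path")
            deps[m.group("soname")] = "" if path == "not" else path
    return deps


def so_version(path: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric version suffix of a shared object path, if any."""
    m = SO_VERSION.search(path)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def assess(ldd_text: str) -> dict:
    """Report liblzma linkage/version and whether libsystemd is also loaded."""
    deps = parse_ldd(ldd_text)
    lzma_path = next((p for s, p in deps.items() if s.startswith("liblzma.so")), None)
    version = so_version(lzma_path) if lzma_path else None
    # Only a full x.y.z suffix lets us decide; a bare major version is inconclusive (None).
    affected = version in AFFECTED_LZMA_VERSIONS if version and len(version) >= 3 else None
    return {
        "links_liblzma": lzma_path is not None,
        "lzma_version": version,
        "lzma_affected": affected,
        "links_libsystemd": any(s.startswith("libsystemd.so") for s in deps),
    }
```

On a real system, feed it `ldd "$(command -v keepassxc)"` with the paths passed through `readlink -f`, since plain `ldd` usually prints only the symlink name and the result would then be inconclusive rather than a clean bill.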