Closed: delize closed this issue 3 months ago
We don't depend on libxz, nor do we use it for building the releases. You may be affected indirectly if you built your own version using Homebrew, as it uses xz utils for building some of the dependencies. As of 2.7.7, we are not using Homebrew anymore and libxz is not among the build or runtime dependencies.
Could you point me to the reports claiming KeePassXC may be affected?
So far I have seen this actually referring to a link between everything, not xz specifically, but the use of lzma, xz, and then keepassxc.
https://news.ycombinator.com/item?id=39868804
Otherwise, it has just been discussions around Passkeys, and the like:
https://news.ycombinator.com/item?id=39872418
https://news.ycombinator.com/item?id=39873343
Not trying to spread fear, more just wanting to check how/if anything is related in this case. Appreciate the comment re this.
We do indeed have liblzma as a dependency, but from my understanding, the backdoor was in libxz and tried to patch itself into liblzma from there. Correct me if I'm wrong.
No idea, that was the intended goal of this "bug", but, couldn't make this more of a discussion than a bug report in the issues section. :) I have only just been reading everything - so not too far into the weeds on how it encroaches just yet.
But given the current ongoing process with the discovery of the CVE, figured it was better suited in "issues" than in "discussions".
It seems that liblzma and libxz come from the same source package. However, the liblzma that was used for building 2.7.7 is still 5.4.4, which is supposedly unaffected.
I'll close this as completed for now. If new evidence comes up, we can reopen it. I'll pin it to the top, so people find this more easily.
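One way to check the liblzma point above on a Linux build, as an added example that is not KeePassXC project code: it parses `ldd` output for the liblzma object the binary links, follows the symlink to the versioned file (liblzma.so.5 -> liblzma.so.5.4.4), and flags the two xz releases that shipped the CVE-2024-3094 backdoor (5.6.0 and 5.6.1, a fact not stated in this thread). A statically linked liblzma, as in the 2.7.7 release bundle, will not appear in `ldd` at all, so the "not-linked" verdict only means no dynamic dependency.

```python
import os
import re
import shutil
import subprocess

# xz/liblzma releases that carried the CVE-2024-3094 backdoor (widely published, not from this thread).
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

# Matches "liblzma.so.5 => /path/liblzma.so.5 (0x...)"; "=> not found" lines do not match.
_LDD_LINE = re.compile(r"liblzma\.so\S*\s*=>\s*(/\S+)")


def parse_version(text):
    """Extract (major, minor, patch) from a filename such as liblzma.so.5.4.4, else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def liblzma_paths_from_ldd(ldd_output):
    """Return every liblzma shared object path listed in `ldd` output."""
    return [m.group(1) for line in ldd_output.splitlines() if (m := _LDD_LINE.search(line))]


def classify(version):
    if version is None:
        return "unknown"  # symlink did not resolve to a fully versioned filename
    return "affected" if version in AFFECTED_VERSIONS else "not-affected"


def assess(ldd_output, resolve=os.path.realpath):
    """Map each linked liblzma to its real path, version and verdict.
    `resolve` follows symlinks; a fake resolver can be injected for offline tests."""
    results = {}
    for path in liblzma_paths_from_ldd(ldd_output):
        real = resolve(path)
        ver = parse_version(os.path.basename(real))
        results[path] = {"realpath": real, "version": ver, "verdict": classify(ver)}
    if not results:
        results["(none)"] = {"realpath": None, "version": None, "verdict": "not-linked"}
    return results


if __name__ == "__main__":
    binary = shutil.which("keepassxc")
    if binary is None:
        raise SystemExit("keepassxc not found on PATH")
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    for path, info in assess(out).items():
        print(path, info["realpath"], info["version"], info["verdict"])
```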
From my deep dive into this yesterday I came away with the following:
Unless you run keepassxc from systemd, I am fairly confident we are isolated from this situation. I am watching and reading the news in case lzma or another dependency has a credible security concern.
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://news.ycombinator.com/item?id=39865810
There have been some reports of KeePassXC being affected - what are the impacts of the CVE against KeePassXC?