From ca6dbcc1099714386da3614d38c8b001ff532fca Mon Sep 17 00:00:00 2001 From: Alexander von Gluck IV Date: Sat, 30 Mar 2024 13:41:25 -0500 Subject: [PATCH] security: Improve our posture to announce critical CVEs * I think we should only commit to critical severity disclosures given the size of our team. --- content/about/security.md | 4 ++++ content/community/ml/_index.html | 9 +++++++++ content/security/_index.md | 14 ++++++++++++++ content/security/cve-2024-3094.md | 28 ++++++++++++++++++++++++++++ 4 files changed, 55 insertions(+) create mode 100644 content/security/_index.md create mode 100644 content/security/cve-2024-3094.md diff --git a/content/about/security.md b/content/about/security.md index b6fbb5b70..f088d2254 100644 --- a/content/about/security.md +++ b/content/about/security.md @@ -23,3 +23,7 @@ While Haiku is under heavy development, we still desire to create a secure opera ## Haikuports (ported software) Any serious vulnerabilities should be reported to the [Haikuports issue tracker](https://github.com/haikuports/haikuports/issues) + +## Disclosure + +Any critical vulnerabilities with a CVE attached impacting Haiku will be disclosed on our [website](/security), and via our [haiku-security mailing list](/community/ml). diff --git a/content/community/ml/_index.html b/content/community/ml/_index.html index 4a2363941..2a6f3280c 100644 --- a/content/community/ml/_index.html +++ b/content/community/ml/_index.html @@ -37,6 +37,15 @@

Main Development List

RSS feed

+ +

Security Mailing List

+

A low traffic mailing list for Haiku, Inc. to announce critical security vulnerabilities in Haiku.

+

+Subscribe | +Message archive | +RSS feed +

+

Third Party Development List

Development of third party applications that run on Haiku are discussed in this list. (e.g. new native software to run on Haiku).

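Review bot: the list blurb `A low traffic mailing list for Haiku, Inc. to announce critical security vulnerabilities in Haiku.` should read `A low-traffic mailing list ...` (compound modifier), and its scope should match the wording added to content/about/security.md in this same patch, which promises disclosure only for critical vulnerabilities *with a CVE attached*; say the same here so the two descriptions of what the list announces do not drift apart.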
diff --git a/content/security/_index.md b/content/security/_index.md new file mode 100644 index 000000000..3f88c16af --- /dev/null +++ b/content/security/_index.md @@ -0,0 +1,14 @@ ++++ +type = "article" +title = "Security Disclosure" +date = "2024-03-30T00:00:00.000Z" +tags = ["security", "CVE", "Exploit"] ++++ + +Here, Haiku documents critical security vulnerabilities which may impact users + +# Critical Vulnerabilities + +Package | CVE +---------|-------------------- +Xz | [CVE-2024-3094](/security/CVE-2024-3094) diff --git a/content/security/cve-2024-3094.md b/content/security/cve-2024-3094.md new file mode 100644 index 000000000..383e40531 --- /dev/null +++ b/content/security/cve-2024-3094.md 
@@ -0,0 +1,28 @@ ++++ +type = "article" +title = "CVE-2024-3094" +date = "2024-03-30T00:00:00.000Z" +tags = ["security", "CVE", "Exploit"] ++++ + +# Xz: malicious code in distributed source + +* Date: 2024-03-30 +* Severity: Critical +* Type: Authentication bypass / Remote code execution +* Source: [CVE](https://www.cve.org/CVERecord?id=CVE-2024-3094) +* Communication: Mailing Lists - haiku,haiku-developers,[haiku-security](https://freelists.org/post/haiku-security/NOTICE-Major-CVE-backdoor-in-xz-utils5611,1) + +## Description + +Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. + +## Impacts + +While Haiku users may not be directly impacted given the Linux target for this backdoor, it's recommended to upgrade to a unaffected version as soon as possible. Haiku will closely monitor updates from the Xz team and take recommended actions. + +## HaikuPorts + +Package | Affected | Fixed | Fix +------------|---------------------|-------------------------|------------------------------ +xz_utils | xz_utils-5.6.1-1 | xz_utils-5.6.1-2 | [Update SOURCE_URI](https://github.com/haikuports/haikuports/commit/3644a3db2a0ad46971aa433c105e2cce9d141b46)
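Review bot: in content/security/_index.md the table links to `/security/CVE-2024-3094` while the new page is `content/security/cve-2024-3094.md`; if the site is built with Hugo (the `type`/`title`/`date`/`tags` front matter suggests it), generated paths are lowercased by default, so the uppercase link only resolves on a case-insensitive host or with `disablePathToLower` set. Use `/security/cve-2024-3094` to match the filename. Also, the intro line `Here, Haiku documents critical security vulnerabilities which may impact users` is missing its full stop, and the `"Exploit"` tag is a poor fit for an index of advisories rather than exploits.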
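Review bot: the HaikuPorts table in content/security/cve-2024-3094.md lists only `xz_utils-5.6.1-1` as affected, but the Description says the malicious code is present `starting with version 5.6.0`; state explicitly whether a 5.6.0 package was ever published in HaikuPorts, otherwise a user on an older 5.6.x build cannot tell from this page whether they are covered. The Fix column (`Update SOURCE_URI`) should say what the recipe now fetches instead of the tainted release tarball, and the page should tell users how to confirm they have `xz_utils-5.6.1-2` installed (e.g. via pkgman). Minor: `a unaffected version` should be `an unaffected version`, and the project is written `xz` lowercase elsewhere on the page, so `# Xz:` and the index entry `Xz` should match.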