CVE-2024-3094 xz/liblzma supply chain vulnerability

TL;DR: OpenWrt does not seem to be affected, but it's still a good read about a supply chain attack.

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

https://www.openwall.com/lists/oss-security/2024/03/29/4

The affected binary xz and attached library liblzma are only used as tools for cross-compiling and were reverted already.

4 Likes

See here. Summary is that the trojan checked to see if the xz binary was being built from an RPM- or deb-based system before injecting the malicious code. I do not believe OpenWrt's build system is in scope. Please correct me if I am mistaken.

1 Like

For the record, as far as I can see 23.05.3 was still on 5.4.6, so it is not affected?

1 Like

Thank you for bringing this to the community's attention. We have also issued an official statement on the matter.

FYI, packages have been built with xz version 5.6.1 since 2024-03-20T23:00:00Z, as the xz package version was upgraded earlier. We have inspected those packages and found no evidence of CVE-2024-3094. However, we cannot dismiss the possibility of other undiscovered vulnerabilities. Therefore, we have adopted a rigorous 'better safe than sorry' approach.

4 Likes
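The posts above settle the question by xz version (5.4.6 unaffected, 5.6.1 in the affected range). As an added example that is not part of any post in this thread or of the OpenWrt project, a small POSIX shell helper that parses `xz --version` output and classifies the version against the two backdoored releases (5.6.0 and 5.6.1, per the linked advisory); the function names are my own:

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt: classify an xz version
# string against the releases that shipped the CVE-2024-3094 backdoor.

# Extract the version number from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1" (the version is the last field).
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Return 0 (true) when the version is one of the two backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print a one-word verdict: "affected", "unaffected" (a well-formed version
# outside the backdoored pair) or "unknown" (could not parse a version).
xz_version_status() {
    if xz_version_affected "$1"; then
        echo affected
        return
    fi
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*) echo unaffected ;;
        *)                    echo unknown ;;
    esac
}

# Stand-alone use: report on the xz found on this host, if any.
if command -v xz >/dev/null 2>&1; then
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    echo "installed xz ${ver:-?}: $(xz_version_status "$ver")"
fi
```

Run it on a build host or inside an SDK/toolchain directory with that directory's `xz` first in `PATH` to check the binary actually used for cross-compiling.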