I have been looking at the xz builds for Fedora to see whether my test containers are affected by CVE-2024-3094. It looks like annocheck from the static analysis checker has detected the attack, e.g. build xz-5.6.0-2.fc40 has failed tests:
Command: annocheck --ignore-unknown --verbose --profile=rawhide /usr/lib64/liblzma.so.5.6.0
Exit Code: 1
...
Hardened: /usr/lib64/liblzma.so.5.6.0: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags
Hardened: /usr/lib64/liblzma.so.5.6.0: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: dynamic-tags test because AArch64 specific
Hardened: /usr/lib64/liblzma.so.5.6.0: PASS: fast test
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: fortify test because sources compiled as if they were assembler are not checked by this test
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: If real assembler source code is used it may need updating to support the tested feature
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: and it definitely needs updating to add notes about its security protections.
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: For more details see https://sourceware.org/annobin/annobin.html/Absence-of-compiled-code.html
...
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: warnings test because sources compiled as if they were assembler are not checked by this test
Hardened: /usr/lib64/liblzma.so.5.6.0: Overall: FAIL.
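As an added example (not code from the Bodhi page, annobin, or the xz project), the script below reproduces the core of the cf-protection check that failed above: it walks the ELF64 section headers to locate .note.gnu.property and reports whether the GNU_PROPERTY_X86_FEATURE_1_AND property carries the IBT and SHSTK bits that gcc -fcf-protection records. The function names find_section, parse_gnu_property_note, cf_protection and sample_note are chosen here; sample_note builds constructed test data rather than reading any real liblzma build.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5                  # note type carrying program properties
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
X86_FEATURE_1_IBT, X86_FEATURE_1_SHSTK = 0x1, 0x2   # CET bits set by gcc -fcf-protection

def find_section(elf: bytes, wanted: bytes):
    """Raw bytes of section `wanted` in an ELF64 LE image (no readelf needed), or None."""
    shoff, = struct.unpack_from("<Q", elf, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    def shdr(i):                            # -> (sh_name, sh_offset, sh_size)
        base = shoff + i * shentsize
        return (struct.unpack_from("<I", elf, base)[0],
                *struct.unpack_from("<QQ", elf, base + 24))
    strtab = shdr(shstrndx)[1]              # .shstrtab holds the section names
    for i in range(shnum):
        name, off, size = shdr(i)
        if elf[strtab + name:elf.index(b"\0", strtab + name)] == wanted:
            return elf[off:off + size]

def parse_gnu_property_note(note: bytes) -> dict:
    """Parse .note.gnu.property contents into {pr_type: pr_data} (ELF64 layout)."""
    props, off = {}, 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        name = note[off + 12:off + 12 + namesz]
        off += 12 + ((namesz + 3) & ~3)     # name is padded to 4 bytes
        desc = note[off:off + descsz]
        off += (descsz + 3) & ~3            # descriptor is padded to 4 bytes
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue                        # some other note; skip it
        d = 0
        while d + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, d)
            props[pr_type] = desc[d + 8:d + 8 + pr_datasz]
            d += 8 + ((pr_datasz + 7) & ~7) # ELF64: each property padded to 8
    return props

def cf_protection(note: bytes) -> tuple:
    """(ibt, shstk); (False, False) when the property is absent, i.e. what annocheck reports as FAIL."""
    data = parse_gnu_property_note(note).get(GNU_PROPERTY_X86_FEATURE_1_AND, b"")
    feat = struct.unpack_from("<I", data)[0] if len(data) >= 4 else 0
    return bool(feat & X86_FEATURE_1_IBT), bool(feat & X86_FEATURE_1_SHSTK)

def sample_note(features=None) -> bytes:
    """Constructed test data (not from any real binary); x86 feature property only if `features` given."""
    desc = b"" if features is None else struct.pack(
        "<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, features) + b"\0" * 4
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc
```

On a real x86-64 shared object, call `cf_protection(find_section(open(path, "rb").read(), b".note.gnu.property") or b"")`. A missing or flag-less property only tells you the object contains code that was not built with the expected hardening flags (as annocheck's own WARN lines note, hand-written assembler produces the same result), so treat it as a hardening gap that warrants a closer look, not as a backdoor signature on its own.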
This update has been submitted for testing by rjones.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'failed'.
adamwill edited this update.
New build(s):
Karma has been reset.
This update has obsoleted perl-Compress-Raw-Lzma-2.209-3.fc40, and has inherited its bugs and notes.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'passed'.
This update has been pushed to testing.
This update's test gating status has been changed to 'failed'.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'failed'.
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
This update has been unpushed.
If you are looking for more information, please check out Richard W.M. Jones' emails on the Fedora devel list: "xz backdoor", "xz backdoor".