Backdoored liblzma (CVSS 10.0) might be present in qubes-template-archlinux 4.2.0-202403061411 #9067

@no-usernames-left

Hello,

liblzma has been backdoored upstream (CVE-2024-3094, CVSS 10.0):
https://www.openwall.com/lists/oss-security/2024/03/29/4

It would appear as though this has affected users of Qubes OS:
https://forum.qubes-os.org/t/qubes-users-kernel-paman-8748-segfault-at-58326dd13cf4-ip-00005837ecf00a71-sp-00007fff91f540b0-error-4-in-paman-5837ecefd000-1b000-likely-on-cpu-1-core-0-socket-0/25029

I am on mobile right now and cannot develop this issue further, but I wanted to make some noise about it to get people's attention.

    Labels

    C: Arch Linux (This issue pertains to Arch Linux templates or standalones.)
    P: default (Priority: default. Default priority for new issues, to be replaced given sufficient information.)
    affects-4.2 (This issue affects Qubes OS 4.2.)
    community template (This issue pertains to a community-maintained template.)
    diagnosed (Technical diagnosis of this issue has been performed.)
    security (This issue pertains to the security of Qubes OS.)
