
CVE-2024-3094 reported for upstream xz #96

@ChanTsune

Description

Announcement

CVE-2024-3094 reported for upstream xz

https://nvd.nist.gov/vuln/detail/CVE-2024-3094
https://www.openwall.com/lists/oss-security/2024/03/29/4

This project has versions (liblzma-sys 0.3.0 and 0.3.1) that depend on xz 5.6.0 and 5.6.1, but we have confirmed that they do not use the tarball with the backdoor and are not directly affected.

However, if xz 5.6.0 or 5.6.1 is already installed on the system, the crate may link against that system xz.
In this case, you can avoid the system xz and build from sources that do not contain the malicious code by enabling the static feature of liblzma-sys (this build process does not use the upstream build scripts; it is this project's own method of building securely).

liblzma-sys = { version = "0.3.1", features = ["static"] }
# If you use liblzma
liblzma = { version = "0.3.0", features = ["static"] }

If you are concerned, avoid the versions (0.3.x, 0.3.1) that depend on xz 5.6.0 and 5.6.1 and use liblzma-sys 0.2.x instead.
liblzma-sys 0.2.x depends on xz 5.4.x, which predates the affected versions.

Even in 0.2.x, if xz is installed on the system it may be used, so you still need to enable the static feature to avoid using the system's xz.
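As an added check (not part of this issue or the liblzma-sys project), the script below answers the two questions the advice above raises after a build: is the system xz one of the versions named in CVE-2024-3094, and does the resulting binary still dynamically link the system liblzma, meaning the static feature did not take effect. It assumes a Linux host with `ldd` and the standard `xz --version` banner format.

```shell
#!/bin/sh
# Added example (not from the liblzma-sys project). Two checks for a binary
# built against liblzma-sys / liblzma:
#   1. Is the system xz 5.6.0 or 5.6.1 (the versions named in CVE-2024-3094)?
#   2. Does the built binary dynamically link liblzma.so, i.e. was the
#      "static" feature NOT in effect?

# xz_version_affected "<first line of xz --version>"
# exits 0 when the reported version is 5.6.0 or 5.6.1, 1 otherwise
xz_version_affected() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p')
  case "$ver" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# binary_links_liblzma "<ldd output>"
# exits 0 when a liblzma shared object appears in the dynamic dependencies
binary_links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# check_build <path-to-binary>
# Runs both checks against the live system and the given binary.
# Prints each finding; exits 0 only when nothing was flagged.
check_build() {
  bin="$1"; rc=0
  if command -v xz >/dev/null 2>&1; then
    line=$(xz --version 2>/dev/null | head -n 1)
    if xz_version_affected "$line"; then
      echo "system xz is an affected version: $line"; rc=1
    fi
  fi
  if command -v ldd >/dev/null 2>&1 && [ -f "$bin" ]; then
    if binary_links_liblzma "$(ldd "$bin" 2>/dev/null)"; then
      echo "$bin dynamically links liblzma (static feature not in effect)"; rc=1
    fi
  fi
  return $rc
}

# Usage: check_build target/release/myapp
```

A binary built with the static feature should show no liblzma.so line in `ldd` output, so `check_build` only reports the system xz version, if that is affected.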

Related issue

#95 thank you for report @amousset
