OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: brueggemann on April 28, 2025, 03:58:31 PM

Title: xz / liblzma version
Post by: brueggemann on April 28, 2025, 03:58:31 PM
Hi, while checking whether vulnerable versions of xz are installed on our systems, I discovered that xz 5.4.5 / liblzma 5.4.5 is installed on our OPNsense systems. Surprisingly, there seems to be no package related to /usr/bin/xz, so I'm wondering where it comes from:

$ xz --version
xz (XZ Utils) 5.4.5
liblzma 5.4.5

$ which xz
/usr/bin/xz

$ pkg which /usr/bin/xz
/usr/bin/xz was not found in the database

Version of OpnSense is: 25.1.5_5-amd64

xz 5.4.5 was released on Nov 1, 2023. So it is pretty old and IMHO should be upgraded.

We did a vulnerability check because of CVE-2025-31115 (https://tukaani.org/xz/threaded-decoder-early-free.html). Upstream released 5.8.1 to fix this issue.

So my questions are:
- Where does /usr/bin/xz come from?
- Would it be possible to roll out a current version of xz?

Regards,
Jan-Marten Brüggemann
Title: Re: xz / liblzma version
Post by: Patrick M. Hausen on April 28, 2025, 04:39:28 PM
Quote from: brueggemann on April 28, 2025, 03:58:31 PM
- Where does /usr/bin/xz come from?

It's part of the FreeBSD base system.

Quote from: brueggemann on April 28, 2025, 03:58:31 PM
- Would it be possible to roll out a current version of xz?

Only with a FreeBSD update. So far there has been no security advisory by the FreeBSD project. Work on importing the latest version is under way:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286252

HTH,
Patrick
Title: Re: xz / liblzma version
Post by: brueggemann on April 28, 2025, 04:54:37 PM
OK, Thank you. Then I will wait for FreeBSD updating xz and after that for OPNsense to upgrade its FreeBSD base.
Title: Re: xz / liblzma version
Post by: meyergru on April 28, 2025, 05:52:59 PM
Patrick, are you sure that is going to happen anytime soon?

The cited bug tracker entry is for FreeBSD 15.0 only. That in turn is neither the base for 25.1.x nor will it be for any upcoming version of OPNsense, AFAIK. Usually, a FreeBSD upgrade is done either with security fixes for the current version (14.2) (which is not in scope, because bug 286252 does not seem CVE-related), or with the next FreeBSD X.1 release, never an X.0 one.

So, for the latter to occur, there would have to be a FreeBSD 15.1 release before the next OPNsense upgrade would use it.
Title: Re: xz / liblzma version
Post by: Patrick M. Hausen on April 28, 2025, 06:05:14 PM
Fixes always go to HEAD first, then if the security team deems it necessary are backported (MFC - "merge from current") to the supported release branches.

I doubt in a firewall appliance context anyone will be able to feed untrusted data to liblzma.
Title: Re: xz / liblzma version
Post by: meyergru on April 28, 2025, 06:13:03 PM
I am not at all concerned about that vulnerability, either, just wanted to limit expectations on timelines... ;-)
Title: Re: xz / liblzma version
Post by: franco on April 28, 2025, 11:06:26 PM
If anything security-advisory-related pops up in FreeBSD 14.2 we will have it rather quickly too. But it's a short week in this part of the world at the moment, so realistically a kernel update (with 25.1.6 attached) will not happen before next week either way.

Cheers,
Franco
Title: Re: xz / liblzma version
Post by: adk20 on April 30, 2025, 09:18:32 PM
Quote from: Patrick M. Hausen on April 28, 2025, 06:05:14 PM
I doubt in a firewall appliance context anyone will be able to feed untrusted data to liblzma.

I am also not overly concerned about this bug. However, just out of curiosity, what are the file types of e.g. the Suricata rule updates or DNS block lists that OPNsense downloads regularly? I'd assume they are provided as .gz rather than .xz.
Title: Re: xz / liblzma version
Post by: adk20 on May 09, 2025, 11:11:40 PM
I updated to 25.1.6 and checked the xz version. It's still 5.4.5.

Do we have any ETA for the roll-out of a fixed version?
Title: Re: xz / liblzma version
Post by: Patrick M. Hausen on May 10, 2025, 12:02:49 AM
Quote from: adk20 on May 09, 2025, 11:11:40 PM
I updated to 25.1.6 and checked the xz version. It's still 5.4.5.

Do we have any ETA for the roll-out of a fixed version?

What exactly is the security relevant problem with any current version of OPNsense?
Title: Re: xz / liblzma version
Post by: brueggemann on May 12, 2025, 09:45:17 AM
Quote from: Patrick M. Hausen on May 10, 2025, 12:02:49 AM
What exactly is the security relevant problem with any current version of OPNsense?

Probably nothing: it only affects services that are linked to liblzma and use the lzma_stream_decoder_mt function. After some quick and not representative research (searching for lzma_stream_decoder_mt and comparing the hit count to lzma_stream_decoder on GitHub), the multithreaded variant is hardly used.
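A small triage script that applies the reasoning in this last post, added here as an example and not part of the thread, of OPNsense or of FreeBSD: it compares the liblzma version reported by xz --version against 5.8.1 and lists executables that import lzma_stream_decoder_mt, so a box can be judged by whether anything on it actually uses the threaded decoder. The script name xzcheck.sh, the FIXED_VERSION constant, the default scan directory and the reliance on nm -D are assumptions; the sample xz --version output is the one quoted at the top of the thread.

```sh
# Added triage helper, not from the thread: flag a liblzma older than 5.8.1
# (the fix release for CVE-2025-31115) and list executables that import
# lzma_stream_decoder_mt, the threaded decoder the advisory is about.

FIXED_VERSION=5.8.1

# version_lt A B: succeed (exit 0) if dotted version A is older than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# liblzma_version TEXT: print the liblzma version found in "xz --version" output.
liblzma_version() {
    printf '%s\n' "$1" | awk '/^liblzma/ { print $2; exit }'
}

# xz_needs_update TEXT: succeed if the liblzma in TEXT is older than FIXED_VERSION.
xz_needs_update() {
    v=$(liblzma_version "$1")
    [ -n "$v" ] && version_lt "$v" "$FIXED_VERSION"
}

# list_mt_decoder_users DIR: print executables under DIR whose dynamic symbol
# table imports lzma_stream_decoder_mt. Needs nm (binutils or FreeBSD's
# elftoolchain); non-ELF and statically linked files are skipped silently.
list_mt_decoder_users() {
    find "$1" -type f -perm -100 2>/dev/null | while read -r f; do
        if nm -D "$f" 2>/dev/null | grep -q ' U lzma_stream_decoder_mt'; then
            printf '%s\n' "$f"
        fi
    done
}
# Constructed sample: the "xz --version" output quoted at the top of the thread.
SAMPLE_OUTPUT='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
# Stand-alone use: sh xzcheck.sh --live [DIR] checks the running system.
if [ "${1:-}" = "--live" ]; then
    live=$(xz --version 2>/dev/null || true)
    xz_needs_update "$live" && echo "liblzma $(liblzma_version "$live") predates $FIXED_VERSION"
    list_mt_decoder_users "${2:-/usr/local/bin}"
fi
```

On the 25.1.x system from the thread the version check fires for 5.4.5; whether that matters is then decided by whether the symbol scan returns any binaries at all.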