xz / liblzma version

Started by brueggemann, April 28, 2025, 03:58:31 PM

Hi, while checking whether vulnerable versions of xz are installed on our systems, I discovered that xz 5.4.5 / liblzma 5.4.5 is installed on our OPNsense systems. Surprisingly, there seems to be no package related to /usr/bin/xz, so I'm wondering where it comes from:

$ xz --version
xz (XZ Utils) 5.4.5
liblzma 5.4.5

$ which xz
/usr/bin/xz

$ pkg which /usr/bin/xz
/usr/bin/xz was not found in the database

Version of OpnSense is: 25.1.5_5-amd64

xz 5.4.5 was released on Nov 1, 2023. So it is pretty old and IMHO should be upgraded.

We did a vulnerability check because of CVE-2025-31115 (https://tukaani.org/xz/threaded-decoder-early-free.html). Upstream released 5.8.1 to fix this issue.

So my questions are:
- Where does /usr/bin/xz come from?
- Would it be possible to roll out a current version of xz?

Regards,
Jan-Marten Brüggemann
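For anyone running the same check across several hosts, here is an added shell example (not from this thread or the OPNsense project) that parses the `xz --version` banner and compares the liblzma version against a minimum fixed version, defaulting to the 5.8.1 release cited above. The sample banner is constructed, and the chosen minimum is an assumption you can override with the second argument.

```shell
#!/bin/sh
# Added example, not from the forum thread or OPNsense: decide whether an
# installed xz/liblzma is at or above a minimum version by parsing the
# text that "xz --version" prints. The default minimum (5.8.1) is an
# assumption taken from the upstream fix release mentioned in the thread.

# Compare two dotted version strings numerically. Returns 0 when $1 >= $2,
# 1 otherwise. Missing components are treated as 0 (so 5.8 == 5.8.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, ".")
        nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Extract the liblzma version from a banner like:
#   xz (XZ Utils) 5.4.5
#   liblzma 5.4.5
# Prints the version, or nothing if the banner has no liblzma line.
liblzma_version_from_banner() {
    printf '%s\n' "$1" | awk '/^liblzma[[:space:]]/ { print $2; exit }'
}

# Check a banner against a minimum version.
# Returns 0 if liblzma >= minimum, 1 if it is older, 2 if the banner
# could not be parsed (treat 2 as "needs manual inspection").
check_xz_banner() {
    banner=$1
    minimum=${2:-5.8.1}
    ver=$(liblzma_version_from_banner "$banner")
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$minimum"
}

# Constructed sample banner matching what the original post shows.
SAMPLE_BANNER='xz (XZ Utils) 5.4.5
liblzma 5.4.5'

# Report on the local xz, if one is installed; always returns 0 so the
# script can be sourced or run as part of a larger inventory job.
main() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found in PATH"
        return 0
    fi
    banner=$(xz --version 2>/dev/null)
    check_xz_banner "$banner" "${1:-5.8.1}"
    case $? in
        0) echo "OK: liblzma $(liblzma_version_from_banner "$banner") >= ${1:-5.8.1}" ;;
        1) echo "OLD: liblzma $(liblzma_version_from_banner "$banner") < ${1:-5.8.1}" ;;
        *) echo "UNKNOWN: could not parse xz --version output" ;;
    esac
    return 0
}

main "$@"
```

Run it as `sh check_xz.sh` (or `sh check_xz.sh 5.6.2` to test against a different minimum). A return code of 1 from `check_xz_banner` only says the version is older than the threshold; whether that matters on a given host still depends on what actually links liblzma and whether it decodes untrusted input, which is the question the rest of this thread goes on to discuss.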

Quote from: brueggemann on April 28, 2025, 03:58:31 PM
- Where does /usr/bin/xz come from?

It's part of the FreeBSD base system.

Quote from: brueggemann on April 28, 2025, 03:58:31 PM
- Would it be possible to roll out a current version of xz?

Only with a FreeBSD update. So far there has been no security advisory by the FreeBSD project. Work on importing the latest version is under way:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286252

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

OK, Thank you. Then I will wait for FreeBSD updating xz and after that for OPNsense to upgrade its FreeBSD base.

Patrick, are you sure that is going to happen anytime soon?

The cited bug tracker is for FreeBSD 15.0 only. That in turn is neither the base for 25.1.x nor will it be for any upcoming version of OPNsense, AFAIK. Usually, a FreeBSD upgrade is done with either security fixes for the current version (14.2) (which is not in scope, because bug 286252 does not seem CVE-related), or with the next FreeBSD X.1 release, never an X.0 one.

So, for the latter to occur, there would have to be a FreeBSD 15.1 release before the next OPNsense upgrade would use it.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

April 28, 2025, 06:05:14 PM #4 Last Edit: April 30, 2025, 09:27:42 PM by Patrick M. Hausen
Fixes always go to HEAD first, then if the security team deems it necessary are backported (MFC - "merge from current") to the supported release branches.

I doubt in a firewall appliance context anyone will be able to feed untrusted data to liblzma.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I am not at all concerned about that vulnerability, either, just wanted to limit expectations on timelines... ;-)
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

If anything security advisory related pops up in FreeBSD 14.2 we will have it rather quickly too. But it's a short week in this part of the world at the moment so realistically a kernel update (with 25.1.6 attached) will not happen before next week either way.


Cheers,
Franco

Quote from: Patrick M. Hausen on April 28, 2025, 06:05:14 PM
I doubt in a firewall appliance context anyone will be able to feed untrusted data to liblzma.

I am also not overly concerned about this bug. However, just out of curiosity, what are the file types of e.g. Suricata rule updates or DNS block lists that OPNsense downloads regularly? I'd assume they are provided as .gz rather than .xz.

I updated to 25.1.6 and checked the xz version. It's still 5.4.5.

Do we have any ETA for the roll-out of a fixed version?

Quote from: adk20 on May 09, 2025, 11:11:40 PM
I updated to 25.1.6 and checked the xz version. It's still 5.4.5.

Do we have any ETA for the roll-out of a fixed version?

What exactly is the security relevant problem with any current version of OPNsense?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on May 10, 2025, 12:02:49 AM
What exactly is the security relevant problem with any current version of OPNsense?

Probably nothing; it only affects services that are linked to liblzma and use the lzma_stream_decoder_mt function. After quick, non-representative research (searching for lzma_stream_decoder_mt and comparing the hit count to lzma_stream_decoder on GitHub), the multithreaded variant is hardly used.