Any relation between tukaani.xz.jar and the recent xz-utils CVE? #45
Closed
Bananeweizen started this conversation in General
Replies: 1 comment 1 reply
JGit uses org.tukaani:xz:1.9 which is the latest release of xz-java.
CVE-2024-3094 has been reported for releases 5.6.0 and 5.6.1 of the C implementation of xz. I checked the history of xz-java source code for commits from Jia Tan and found the following 4 commits:
The only commit containing non-trivial code changes is 8e46fdf and looks ok. JGit does not use any of the classes in this commit. Hence I conclude that JGit is not affected by CVE-2024-3094.
There is currently a CVE about a backdoor in xz-utils being discussed all over the net:
https://tukaani.org/xz-backdoor/
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b
The jgit project uses a Java library tukaani.xz in version 1.9: https://github.com/eclipse-jgit/jgit/blob/master/org.eclipse.jgit.packaging/org.eclipse.jgit.target/maven/dependencies.tpd#L264 (committers will probably also be able to point to the bazel dependency for this).
Can someone please explain whether there is any relation between the Java library and the above mentioned CVE relevant libraries? From previous experience with log4shell I know that companies often fail to clearly separate between affected and not affected components by just scanning for anything that matches a keyword like "tukaani AND xz", so it might be good to clearly tell the world in advance that this project is not(?) affected.
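An added example, not code from this thread or from the JGit project, of the distinction the question is asking about: a dependency-triage check that decides CVE-2024-3094 exposure by ecosystem and version (the C xz-utils/liblzma at 5.6.0 or 5.6.1, as stated in the reply above) instead of by a keyword match on "tukaani AND xz", shown beside the naive keyword scan so the false positive on org.tukaani:xz is visible. The inventory entries are constructed for illustration, the set of C package names is an assumption, and the package-URL parsing is a minimal one written for this example.

```python
import re
from dataclasses import dataclass

# Affected range as stated in the thread: xz-utils (the C implementation) releases 5.6.0 and 5.6.1.
AFFECTED_C_XZ_VERSIONS = {"5.6.0", "5.6.1"}
# Package names under which the C implementation ships in distros (assumed set for this example).
C_XZ_NAMES = {"xz", "xz-utils", "liblzma", "liblzma5", "xz-libs"}


@dataclass(frozen=True)
class Component:
    ecosystem: str   # purl type: "maven", "deb", "rpm", "generic", ...
    namespace: str   # e.g. "org.tukaani" for Maven, distro name for deb/rpm, "" if absent
    name: str
    version: str


def parse_purl(purl: str) -> Component:
    """Parse a minimal package URL of the form pkg:type/[namespace/]name@version[?...]."""
    m = re.fullmatch(r"pkg:([a-z]+)/(?:([^/@]+)/)?([^/@]+)@([^?#]+).*", purl)
    if not m:
        raise ValueError(f"not a package URL: {purl}")
    ecosystem, namespace, name, version = m.groups()
    return Component(ecosystem, namespace or "", name, version)


def keyword_scan(purl: str) -> bool:
    """The naive check the question warns about: flags anything mentioning tukaani or xz."""
    low = purl.lower()
    return "tukaani" in low or "xz" in low


def affected_by_cve_2024_3094(c: Component) -> bool:
    """Precise check: only the C xz-utils/liblzma at 5.6.0 or 5.6.1 is in scope.

    org.tukaani:xz on Maven is the separate Java port (xz-java); the thread's
    conclusion is that it is not affected, so Maven coordinates are never flagged.
    """
    if c.ecosystem == "maven":
        return False
    if c.name.lower() not in C_XZ_NAMES:
        return False
    # Distro versions carry packaging suffixes such as "5.6.1-1" or "5.6.0-1.fc40";
    # compare only the upstream part.
    upstream = re.split(r"[-+~]", c.version, maxsplit=1)[0]
    return upstream in AFFECTED_C_XZ_VERSIONS


def triage(purls):
    """Return {purl: (keyword_hit, actually_affected)} for each inventory entry."""
    return {p: (keyword_scan(p), affected_by_cve_2024_3094(parse_purl(p))) for p in purls}


# Constructed inventory for illustration (not taken from any real SBOM).
SAMPLE_INVENTORY = [
    "pkg:maven/org.tukaani/xz@1.9",              # JGit's dependency: Java port, keyword hit only
    "pkg:deb/debian/xz-utils@5.6.1-1",           # C implementation, backdoored release
    "pkg:rpm/fedora/xz-libs@5.6.0-1.fc40",       # C implementation, backdoored release
    "pkg:deb/debian/xz-utils@5.4.6-1",           # C implementation, earlier release
    "pkg:maven/org.apache.commons/commons-compress@1.26.0",  # unrelated, no keyword hit
]

if __name__ == "__main__":
    for purl, (hit, affected) in triage(SAMPLE_INVENTORY).items():
        print(f"{purl:55} keyword_hit={hit!s:5} affected={affected}")
```

Run on the constructed inventory, only the two C packages at 5.6.x come back as affected; org.tukaani:xz@1.9 is a keyword hit but not affected, which is exactly the separation the question asks the project to state up front.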