security: Improve our posture to announce critical CVEs

* I think we should only commit to critical severity disclosures given the size of our team.
haiku · Mar 30, 2024 · d86c00f · d86c00f
1 parent 8715863
commit d86c00f
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 0 deletions.
diff --git a/content/about/security.md b/content/about/security.md
@@ -23,3 +23,7 @@ While Haiku is under heavy development, we still desire to create a secure opera
 ## Haikuports (ported software)
 
 Any serious vulnerabilities should be reported to the [Haikuports issue tracker](https://github.com/haikuports/haikuports/issues)
+
+## Disclosure
+
+Any critical vulnerabilities with a CVE attached impacting Haiku will be disclosed on our [website](/security), and via our [haiku-security mailing list](/community/ml).
diff --git a/content/community/ml/_index.html b/content/community/ml/_index.html
@@ -37,6 +37,15 @@ <h4>Main Development List</h4>
 <a href="https://www.freelists.org/feed/haiku-development">RSS feed</a>
 </p>
 
+<a name="security"></a>
+<h4>Security Mailing List</h4>
+<p>A low traffic mailing list for Haiku, Inc. to announce critical security vulnerabilities in Haiku.</p>
+<p>
+<a href="https://www.freelists.org/list/haiku-security">Subscribe</a> |
+<a href="https://www.freelists.org/archive/haiku-security">Message archive</a> |
+<a href="https://www.freelists.org/feed/haiku-security">RSS feed</a>
+</p>
+
 <a name="3rdparty-dev"></a>
 <h4>Third Party Development List</h4>
 <p>Development of third party applications that run on Haiku are discussed in this list. (e.g. new native software to run on Haiku).</p>

diff --git a/content/security/_index.md b/content/security/_index.md
@@ -0,0 +1,14 @@
++++
+type = "article"
+title = "Security Disclosure"
+date = "2024-03-30T00:00:00.000Z"
+tags = ["security", "CVE", "Exploit"]
++++
+
+Here, Haiku documents critical security vulnerabilities which may impact users
+
+# Critical Vulnerabilities
+
+Package  | CVE
+---------|--------------------
+Xz       | [CVE-2024-3094](/security/CVE-2024-3094)
diff --git a/content/security/cve-2024-3094.md b/content/security/cve-2024-3094.md
@@ -0,0 +1,28 @@
++++
+type = "article"
+title = "CVE-2024-3094"
+date = "2024-03-30T00:00:00.000Z"
+tags = ["security", "CVE", "Exploit"]
++++
+
+# Xz: malicious code in distributed source
+
+* Date: 2024-03-30
+* Severity: Critical
+* Type: Authentication bypass / Remote code execution
+* Source: [CVE](https://www.cve.org/CVERecord?id=CVE-2024-3094)
+* Communication: Mailing Lists - haiku,haiku-developers,[haiku-security](https://freelists.org/post/haiku-security/NOTICE-Major-CVE-backdoor-in-xz-utils5611,1)
+
+## Description
+
+Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
+
+## Impacts
+
+While Haiku users may not be directly impacted given the Linux target for this backdoor, it's recommended to upgrade to a unaffected version as soon as possible.  Haiku will closely monitor updates from the Xz team and take recommended actions.
+
+## HaikuPorts
+
+Package     | Affected            | Fixed                   | Fix
+------------|---------------------|-------------------------|------------------------------
+xz_utils    | xz_utils-5.6.1-1    | xz_utils-5.6.1-2        | [Update SOURCE_URI](https://github.com/haikuports/haikuports/commit/3644a3db2a0ad46971aa433c105e2cce9d141b46)