OpenWrt and CVE-2024-3094 (xz backdoor)

CVE-2024-3094 — the xz 5.6.x backdoor — does not appear to affect OpenWrt builds.

OpenWrt sources xz from GitHub release tarballs, which contained only a dormant fragment of the malicious code. The component that activates the backdoor during the build (the autoconf macros and the test-data triggers shipped in the upstream xz-utils source release on tukaani.org) was not present in the tarballs we examined. Without that activation path, the dormant fragment is inert.

We are continuing to monitor the situation. The relevant discussion is on openwrt-adm and on the forum thread linked from the original mailing-list post.