Bedrock Linux
Bedrock Linux is a meta Linux distribution which allows users to mix-and-match components from other, typically incompatible distributions. Bedrock integrates these components into one largely cohesive system.
For example, one could have:
All at the same time and working together mostly as though they were packaged for the same distribution.
2024-04-22
2024-03-29
A common compression project, xz, appears to have recent releases 5.6.0 and 5.6.1 compromised, tracked as CVE-2024-3094. No stable Bedrock Linux release uses such a new xz build, and we are confident stable channel users remain unaffected.
0.7.30beta1 did build against xz 5.6.1. However:
The exploit build code is only included in the xz source tarball releases.[0] Bedrock Linux builds xz from git. We checked for and were unable to find any code path which builds/includes the exploit. We do not believe the exploit was ever built or included in 0.7.30beta1 despite the xz version.
The exploit appears to depend on glibc's ifunc functionality.[0] Bedrock Linux builds against musl-libc, which does not offer this functionality, and thus the exploit, were it included, is unlikely to work.
The exploit appears to explicitly check for known argv[0] such as /usr/sbin/sshd.[0] While not impossible, it has yet to be reported to check for the only Bedrock Linux component which is built against xz, kmod.
[0] https://www.openwall.com/lists/oss-security/2024/03/29/4
While we do not believe 0.7.30beta1 users are vulnerable, as a precaution we have pulled the release and pushed 0.7.30beta2, built against the older xz 5.4.6, and encourage beta channel users to update to it immediately.
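The factors listed in this entry (release version, liblzma linkage, glibc versus musl) can be checked per binary. The following shell script is an added example, not Bedrock Linux's own tooling; the function names, verdict labels and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Bedrock Linux code): per-binary triage for CVE-2024-3094
# from the factors in the advisory above. Inputs are passed as text so the
# logic runs offline; labels and samples below are constructed.

# Print the first x.y.z version string found in `xz --version` output.
xz_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeed only for the two releases the advisory names as compromised.
is_compromised_release() {
    case "$(xz_version "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = `xz --version` text, $2 = `ldd <binary>` text. Prints one verdict.
triage() {
    is_compromised_release "$1" || { echo "release-not-listed"; return 0; }
    case "$2" in
        # Static binaries hide liblzma from ldd; review how xz was built
        # (release tarball vs git), which cannot be read off the binary.
        *"not a dynamic executable"*|*"statically linked"*)
            echo "static-check-build"; return 0 ;;
    esac
    case "$2" in
        *liblzma*) ;;
        *) echo "liblzma-not-linked"; return 0 ;;
    esac
    case "$2" in
        # musl has no ifunc support, which the exploit appears to depend on.
        *ld-musl*|*libc.musl*) echo "musl-no-ifunc" ;;
        *) echo "investigate" ;;
    esac
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_VER='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_GLIBC='	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'
SAMPLE_LDD_MUSL='	liblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007f0000000000)
	libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x00007f0000200000)'

echo "glibc sample: $(triage "$SAMPLE_VER" "$SAMPLE_LDD_GLIBC")"
echo "musl sample:  $(triage "$SAMPLE_VER" "$SAMPLE_LDD_MUSL")"
# Live use on a trusted system binary:
#   triage "$(xz --version)" "$(ldd /usr/sbin/sshd)"
```

A verdict of musl-no-ifunc or static-check-build narrows the risk but does not clear the binary; updating to a build against an older xz remains the fix.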
2023-08-06