
Is xz-utils/lzmadec version 5.6.1.0 not vulnerable? I.e. is Git for Windows v2.45.0 insecure? #4937

Closed
1 task done
mnowrot opened this issue May 3, 2024 · 1 comment

Comments

mnowrot commented May 3, 2024

  • I was not able to find an open or closed issue matching what I'm seeing

Setup

  • Which version of Git for Windows are you using? Is it 32-bit or 64-bit?
git version 2.45.0.windows.1
cpu: x86_64
built from commit:
sizeof-long: 4
sizeof-size_t: 8
shell-path: /bin/sh
feature: fsmonitor--daemon
  • Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?
Microsoft Windows [Version 10.0.22631.3527]
  • What options did you set as part of the installation? Or did you choose the defaults?
Editor Option: Notepad++
Custom Editor Path:
Default Branch Option:
Path Option: Cmd
SSH Option: OpenSSH
Tortoise Option: false
CURL Option: OpenSSL
CRLF Option: LFOnly
Bash Terminal Option: MinTTY
Git Pull Behavior Option: Merge
Use Credential Manager: Enabled
Performance Tweaks FSCache: Enabled
Enable Symlinks: Disabled
Enable Pseudo Console Support: Disabled
Enable FSMonitor: Disabled

Details

The following has been detected by MS Defender after upgrading to 2.45

Attention required: vulnerabilities in Tukaani Xz Utils
Remediation required

C:\Program Files\Git\mingw64\bin\lzmadec.exe
@mnowrot mnowrot changed the title Git 2.45.0 triggers a MS Defender xz-utils vulnerability alert in C:\Program Files\Git\mingw64\bin\lzmadec.exe Version: 5.6.1.0 Git 2.45.0 triggers an MS Defender xz-utils vulnerability alert in C:\Program Files\Git\mingw64\bin\lzmadec.exe Version: 5.6.1.0 May 3, 2024
@dscho dscho pinned this issue May 3, 2024

dscho commented May 3, 2024

tl;dr No, Git for Windows v2.45.0 does not contain a critical vulnerability.

And to be utterly precise, CVE-2024-3094 does not describe a vulnerability, it is much worse: It is a backdoor. Even so, Git for Windows v2.45.0 does not contain said backdoor.

Unfortunately, Defender as well as the information provided in https://nvd.nist.gov/vuln/detail/CVE-2024-3094 is quite terse, too terse if you ask me: It does not talk about SSH, systemd, let alone about the affected Operating Systems (Windows is not one of them).

I became aware of the report of an xz backdoor on March 30th, 2024, and analyzed the impact on Git for Windows immediately. I came to the conclusion that the backdoor does not affect it in the slightest.

Already the first findings made it quite clear that the backdoor is compiled in only when building Debian or RedHat packages. Neither Cygwin nor Git for Windows does that, not even for development.

And then there is another compile-time check that completely excludes the backdoor on non-Linux machines.

And then the backdoor uses a little-known glibc functionality called ifunc. As far as I understand, glibc would not even work on Windows. In any case, neither Git for Windows nor Cygwin uses glibc. Without ifunc, the backdoor cannot intercept anything.

And then there is a runtime check that activates the backdoor only if the current process is called /usr/sbin/sshd. Since this is missing the .exe suffix, it would not trigger in Cygwin. And due to the way the executable name is determined, it would not even work in Git for Windows.

And then there is the fact that Git for Windows does not run sshd. It is included and users might start it, but you'd have to be very advanced to even know about it and how to start it. I highly doubt that anyone except me ever did that, and I stopped that practice years ago.

So... All-clear, Git for Windows v2.45.0 is distinctly not affected by CVE-2024-3094.
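
As an added example (not code from this issue, from Git for Windows or from xz-utils), the following Python script reads the FileVersion string out of a PE binary's version resource, which is what Defender reported as 5.6.1.0 for lzmadec.exe, and tells you whether that is one of the xz releases covered by CVE-2024-3094. The sample byte blob is constructed, and the affected-version set comes from the public advisory rather than from this thread.

```python
"""Read FileVersion/ProductVersion from a PE binary's VS_VERSIONINFO resource
and flag the xz releases named in CVE-2024-3094 (public advisory data)."""
import re, struct, sys
from pathlib import Path

AFFECTED_XZ = {(5, 6, 0), (5, 6, 1)}  # tainted xz releases; not taken from this thread

def _utf16(s: str) -> bytes:
    return s.encode("utf-16-le")

def read_version_strings(blob: bytes) -> dict:
    """Scan for String entries (WORD wLength, wValueLength, wType; WCHAR szKey;
    padding to a 32-bit boundary; WCHAR Value) by locating the UTF-16 key."""
    found = {}
    for key in ("FileVersion", "ProductVersion"):
        needle = _utf16(key) + b"\x00\x00"
        pos = blob.find(needle)
        if pos < 0:
            continue
        # The key sits 6 bytes into the entry; Value is 4-byte aligned to the entry.
        i = pos + len(needle) + (-(len(needle) + 6)) % 4
        units = []
        while i + 1 < len(blob) and blob[i:i + 2] != b"\x00\x00":
            units.append(blob[i:i + 2])
            i += 2
        found[key] = b"".join(units).decode("utf-16-le", errors="replace")
    return found

def parse_version(text: str):
    """'5.6.1.0' or '5.6.1' -> (5, 6, 1); None when no dotted version is present."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def assess(blob: bytes) -> dict:
    """A hit means the file was built from a tainted release; whether the backdoor
    is live depends on the build and platform conditions listed in the comment."""
    raw = read_version_strings(blob)
    text = raw.get("FileVersion") or raw.get("ProductVersion") or ""
    ver = parse_version(text)
    return {"version": text, "affected_release": ver in AFFECTED_XZ if ver else False}

def build_version_entry(key: str, value: str) -> bytes:
    """Constructed sample: one VS_VERSIONINFO String entry, not a real PE file."""
    k, v = _utf16(key) + b"\x00\x00", _utf16(value) + b"\x00\x00"
    body = k + b"\x00" * ((-(len(k) + 6)) % 4) + v
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body

# Constructed stand-in for lzmadec.exe: a stub header plus one FileVersion entry.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + build_version_entry("FileVersion", "5.6.1.0")

if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    print(assess(data))  # SAMPLE -> {'version': '5.6.1.0', 'affected_release': True}
```

Pointing it at `C:\Program Files\Git\mingw64\bin\lzmadec.exe` reproduces the version Defender reported; a match only confirms the bundled release, not that the activation conditions described above are met.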

@dscho dscho closed this as not planned May 3, 2024
@dscho dscho changed the title Git 2.45.0 triggers an MS Defender xz-utils vulnerability alert in C:\Program Files\Git\mingw64\bin\lzmadec.exe Version: 5.6.1.0 Is xz-utils/lzmadec version 5.6.1.0 not vulnerable? I.e. is Git for Windows v2.45.0 insecure? May 3, 2024