Results 1 to 7 of 7

Thread: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

  1. #1
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    There are whispers in UF about this as well, but for Arch and Arch/Based
    07:26:58 - System update ────────────────────────────────────────────────── ──
    2024-03-29 The xz package has been backdoored
    TL;DR: Upgrade your systems and container images now!

    As many of you may have already read (one), the upstream release tarballs for xz in version 5.6.0 and
    5.6.1 contain malicious code which adds a backdoor.

    This vulnerability is tracked in the Arch Linux security tracker (two).

    The xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1) contain this backdoor.

    The following release artifacts contain the compromised xz:


    installation medium 2024.03.01
    virtual machine images 20240301.218094 and 20240315.221711
    container images created between and including 2024-02-24 and 2024-03-28

    The affected release artifacts have been removed from our mirrors.

    We strongly advise against using affected release artifacts and instead downloading what is currently
    available as latest version!

    Upgrading the system
    It is strongly advised to do a full system upgrade right away if your system currently has xz version
    5.6.0-1 or 5.6.1-1 installed:

    pacman -Syu

    Upgrading container images
    To figure out if you are using an affected container image, use either

    podman image history archlinux/archlinux

    or

    docker image history archlinux/archlinux

    depending on whether you use podman or docker.

    Any Arch Linux container image older than 2024-03-29 and younger than 2024-02-24 is affected.

    Run either

    podman image pull archlinux/archlinux

    or

    docker image pull archlinux/archlinux

    to upgrade affected container images to the most recent version.

    Afterwards make sure to rebuild any container images based on the affected versions and also inspect any
    running containers!

    Regarding sshd authentication bypass/code execution
    From the upstream report (one):


    openssh does not directly use liblzma. However debian and several other
    distributions patch openssh to support systemd notification, and libsystemd
    does depend on lzma.


    Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can
    confirm this by issuing the following command:

    ldd "$(command -v sshd)"

    However, out of an abundance of caution, we advise users to remove the malicious code from their system by
    upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could
    exist.

    [sudo] password for me:
    Good Time to update and upgrade right about now.
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  2. #2
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    But the malicious code was found in xz-utils source 5.6.1, right? That is what I see.

    Ubuntu Noble is not on that source. They are still on 5.4.5.

    Debian SID is though. Maybe I should file a bug at Launchpad on xz-utils just to prevent them from upgrading to that source... making them aware of the vulnerability... But since that package is not on that source yet, I think it will be closed (immediately) as being "invalid".

    "Concurrent coexistence of Windows, Linux and UNIX..." || Ubuntu user # 33563, Linux user # 533637
    Sticky: Graphics Resolution | UbuntuForums 'system-info' Script | Posting Guidelines | Code Tags

  3. #3
    Join Date
    Jun 2016
    Beans
    2,864
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    Thanks 1fallen for posting this.

    Unfortunately my Arch Linux server VM picked up the compromised xz 5.6.0 during a big migration. Although this is a local testing server only accessible by the VM host (Xubuntu 22.04, known not to be affected), and in my understanding the known sshd backdoor does not activate on Arch Linux, I am still going to restore from an earlier backup, just to be safe.

    My latest pre-migration backup is from early February, with xz 5.4.6-1. Could restore from that, but it seems some are questioning all xz versions above 5.2.5, and I don't have the expertise to sort out what to make of that as an end-user. I actually do have backup of this VM going as far back as it was with xz version 5.2.5-3, but it would be difficult to reconstruct what was done in the years since then and redo it all.

    Is it safe to use an Arch Linux server that got xz updates up to 5.4.6-1?
    If so, is it safe to leave xz 5.4.6-1 on that system (as opposed to trying to downgrade xz to 5.2.5)?
    Xubuntu 22.04, ArchLinux ♦ System76 hardware, virt-manager/KVM, VirtualBox
    If your questions are resolved to your satisfaction, please use Thread Tools > "Mark this thread as solved..."

  4. #4
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    Quote Originally Posted by halogen2 View Post

    Is it safe to use an Arch Linux server that got xz updates up to 5.4.6-1?
    If so, is it safe to leave xz 5.4.6-1 on that system (as opposed to trying to downgrade xz to 5.2.5)?
    I'm certainly not a credible know all on the subject at hand but I feel safe enough.
    Code:
    pgrep -f 'sshd.*listener' | sudo xargs lsof -p | grep -F lzma.so
    [sudo] password for me: 
    xargs: lsof: No such file or directory
    Code:
    ldd --version && xz --version
    ldd (GNU libc) 2.39
    Copyright (C) 2024 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    Written by Roland McGrath and Ulrich Drepper.
    xz (XZ Utils) 5.6.1
    liblzma 5.6.1
    Arch just dose it differently, but again the smoke has not settled just yet, maybe more to come.

    If you search or look in the General support forum here in UF you find some interesting reads. https://ubuntuforums.org/showthread....9#post14184319

    I've spent many hours just for my own semi peace of mind running security audits and nothing jumps out for this particular malware.
    But again that dose not mean it's not there, myself I feel secure enough.

    EDIT: More info:
    Arch Linux

    “The following release artifacts contain the compromised xz:

    installation medium 2024.03.01
    virtual machine images 20240301.218094 and 20240315.221711
    container images created between and including 2024-02-24 and 2024-03-28

    The affected release artifacts have been removed from our mirrors. We strongly advise against using affected release artifacts and instead downloading what is currently available as latest version! It is strongly advised to do a full system upgrade right away if your system currently has xz version 5.6.0-1 or 5.6.1-1 installed.”
    Source: https://linuxiac.com/the-upstream-xz...en-backdoored/
    Code:
    Name            : xz
    Version         : 5.6.1-3
    Last edited by 1fallen; April 3rd, 2024 at 12:10 AM. Reason: add more info to keep updated.
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  5. #5
    Join Date
    Jun 2016
    Beans
    2,864
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    Quote Originally Posted by 1fallen View Post
    Nice find, thank you 1fallen Their summarizing various distros' responses was helpful and led to an answer: Following from there, the distros that resolved this by reverting to an older xz version seem to have almost all chosen 5.4.6. So should be safe to use that version
    Xubuntu 22.04, ArchLinux ♦ System76 hardware, virt-manager/KVM, VirtualBox
    If your questions are resolved to your satisfaction, please use Thread Tools > "Mark this thread as solved..."

  6. #6
    Join Date
    Jul 2010
    Location
    ozarks, Arkansas, USA
    Beans
    14,219
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    Meanwhile - in ubuntu:
    Xz/liblzma security update (post #2)
    https://discourse.ubuntu.com/t/xz-li...e-post-2/43801

    If ya ain't been developing/proposing ya safe
    THE current(cy) in Documentation:
    https://help.ubuntu.com/community/PopularPages

    Happy ubuntu'n !

  7. #7
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    Quote Originally Posted by Bashing-om View Post
    Meanwhile - in ubuntu:
    Xz/liblzma security update (post #2)
    https://discourse.ubuntu.com/t/xz-li...e-post-2/43801

    If ya ain't been developing/proposing ya safe
    Yep I was in that fold....silly me. Like anyone knew this would happen. LOL
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •