XZ with backdoor? 30 March 2024, 06:23:02 Hi,is this version: system/xz 5.6.1-1 -> 5.6.1-2 the one with the backdoor ?https://lwn.net/ml/oss-security/[email protected]/https://blog.holz.nu/2024/03/29/0.html
Re: XZ with backdoor? Reply #1 – 30 March 2024, 09:23:41 In the other thread on this issue I see thisQuoteWhen using xz version 5.6.0-1 or 5.6.1-1, upgrading is recommended.and detection is mentioned with Code: [Select]ldd $(command -v sshd) | grep liblzma empty results is good. 1 Likes
Re: XZ with backdoor? Reply #2 – 30 March 2024, 12:48:06 Hi,Thank you.I downgraded XZ ( https://archive.artixlinux.org/packages/x/xz/xz-5.4.6-1-x86_64.pkg.tar.zst )and listet it as non-update-able.
Re: XZ with backdoor? Reply #3 – 30 March 2024, 13:39:19 Hi,the person who inserted the backdoor into xz was 2 years contributing to xz before he included the backdoor.The only way to prevent/make it really hard to do it again is to make a list of Linux core programs and libraries from what is really running in the 10 most popular Linux use cases.And check and test every update of this core programs and libraries.IBM and Google would have the resources to trace 250+ Linux core programs and libraries. 1 Likes
Re: XZ with backdoor? Reply #4 – 01 April 2024, 12:35:11 I found this page interesting to read... 1 Likes
Re: XZ with backdoor? Reply #5 – 01 April 2024, 12:53:30 True thing in that page is that xz is kind of redundant, there is a promising lzma based one which is much better called lrzip, and also the native 7-zip binary that is for some reason still not packaged, not sure of it's license compared to p7zip.And even without lzma i can see bzip2 being modified for equivalent compression but much better reliability.Zstd is just for decompression speed imo.
Re: XZ with backdoor? Reply #6 – 02 April 2024, 06:53:15 If we don't get a reply from the Dev's I'd recommend downgrading and blocking the upgrade until we get confirmation.
Re: XZ with backdoor? Reply #7 – 04 April 2024, 18:20:11 Quote from: https://artixlinux.org/ TL;DR: Upgrade your systems NOW!Following the related OpenWall post:The upstream tarballs of xz 5.6.0 and 5.6.1 contain a backdoor which uses liblzma as a means to compromise SSH servers.Preliminary analysis from the aforementioned post shows that the backdoor is designed to exploit openssh when linked against libsystemd (which depends on lzma) to compromise the SSH services. Artix and Arch don't link openssh to liblzma and thus this attack vector is not possible.Based on the same analysis, the execution of openssh under systemd is a prerequisite for the backdoor to activate and given the additional distance of Artix to systemd (aren't we glad?), the exploit shouldn't affect any running Artix system.However, it is strongly advised that all Artix users and administrators out there immediately upgrade their systems and container images (or at least xz to version 5.6.1-2) and restart openssh. Versions of xz up to and including 5.4.1-1 are not affected.
Re: XZ with backdoor? Reply #8 – 05 April 2024, 10:12:42 Upgrade the package. The latest version of package is not affected by said vulnerability. 1 Likes
Topic: XZ with backdoor? (Read 864 times)
previous topic - next topic
Topic: XZ with backdoor? (Read 864 times)
previous topic - next topic