Skip to main content
Topic solved
This topic has been marked as solved and requires no further attention.
Topic: xz/liblzma is compromised upstream (backdoor) (Read 2462 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

xz/liblzma is compromised upstream (backdoor)

Subject: https://openwall.com/lists/oss-security/2024/03/29/4

I guess it has something to do with sshd linking, though I'm not sure (not an expert). Today xz got updated and now I'm concerned a bit.

Any thoughts, guys?

Re: xz/liblzma is compromised upstream (backdoor)

Reply #1
shouldn't be an issue, as sshd is not linked against lzma

When using xz version 5.6.0-1 or 5.6.1-1, upgrading is recommended.

artist
Linux is simple; use Artix, or Submit Your System To Evil Malicious D(a)emons

Re: xz/liblzma is compromised upstream (backdoor)

Reply #2
That does sound worrying, if malevolent code has been inserted into the upstream package, from that link the affected versions are 5.6.0 and 5.6.1, the update today is just a minor version from 5.6.1-1 to 5.6.1-2 so unless it has been modified to fix this it is also suspect.
You can get the last known good version from here:
https://archive.artixlinux.org/packages/x/xz/
xz-5.4.6-1-x86_64.pkg.tar.zst                      26-Jan-2024 21:02    613K
and install it with:
Code: [Select]
# pacman -U xz-5.4.6-1-x86_64.pkg.tar.zst
then add the line:
IgnorePkg = xz
to /etc/pacman.conf to stop it being upgraded for now.
That's what I've done anyway until further instructions appear! Can't be too careful with live malware exploits - thanks for the warning!  :D
(From the description the code is obfuscated and the reporter was unsure exactly what it did so it might affect other aspects besides ssh operations.)

Re: xz/liblzma is compromised upstream (backdoor)

Reply #3
https://news.ycombinator.com/item?id=39865810
Quote
He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.

Do we need to change SSH keys?

Quote
If you really want to be sure you can run the `env sshd -h` test in the original email
compare the time taken by time env -i LANG=C /usr/sbin/sshd -h and time env -i LANG=C TERM=foo /usr/sbin/sshd -h. If the first one consistently takes longer than the second one (500ms for the original author, 100ms for me on an affected system), then your sshd is affected

Re: xz/liblzma is compromised upstream (backdoor)

Reply #4
From what I can tell, the backdoor is injected into the distributed tarballs but not the repo itself. Arch recently started pulling from the repos instead of downloading the tarball: https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad

Artix too on system-gremlins: https://gitea.artixlinux.org/packages/xz/commit/7cde4de09a6f768d3ee58c5bdf02581af2f06ef8

I would suggest people install the latest system-gremlins/xz, as this doesn't yet seem to have rolled out to system.

Also, if the packagers are reading this, I suggest switching to #commit= instead of #tag= as tags can be changed

Re: xz/liblzma is compromised upstream (backdoor)

Reply #5
Bit ironic that the last commit , by the xz dev who it's being reported was the one who got their account compromised (assuming that's what has happened), had the message "Docs: Simplify SECURITY.md."

Edit:
The whole thing smells a bit off.
The backdoor may have only been injected into the tarballs but there's supposedly 'artifacts', as this Ars article calls them, in the main repo which run the backdoor.
Tests: Add a few test files.

How do you not notice commits made in your name to master ?

Re: xz/liblzma is compromised upstream (backdoor)

Reply #6
on arch linux: https://archlinux.org/news/the-xz-package-has-been-backdoored/

in artix, sshd is indeed not linked against lzma, so no problem :)

you can check it with the following command:
Code: [Select]
ldd $(command -v sshd) | grep liblzma
if the check above returns empty then you're good.
 

Re: xz/liblzma is compromised upstream (backdoor)

Reply #7
When using xz version 5.6.0-1 or 5.6.1-1, upgrading is recommended.

artist
Linux is simple; use Artix, or Submit Your System To Evil Malicious D(a)emons

Re: xz/liblzma is compromised upstream (backdoor)

Reply #8
Quote from: Artist – on
When using xz version 5.6.0-1 or 5.6.1-1, upgrading is recommended.

artist
I've decided I don't trust xz at all atm, since JiaT75's first commit. (Jan 7 2023)
So I've downgraded xz to 5.4.0-1 (Build Date : Thu 15 Dec 2022)

Is this paranioa ?
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
I've no clue ? But sounds dodgy.

I'll wait for the dust to settle....

Edit: And github have just suspended the xz repo

Re: xz/liblzma is compromised upstream (backdoor)

Reply #9
It's not paranoia, I also don't believe that existing fixed package has 100% safe code, because that Jia Tan plant was smuggling all kind of nasty shit to several projects, not just to xz/liblzma.

https://github.com/libarchive/libarchive/pull/1609
https://github.com/google/oss-fuzz/pull/10667/

We have to wait for more of this story to unfold.

Quote from: Dju – on
you can check it with the following command:
Code: [Select]
ldd $(command -v sshd) | grep liblzma
if the check above returns empty then you're good.

Also, keep in mind that running ldd is unsafe in some instances.
https://jmmv.dev/2023/07/ldd-untrusted-binaries.html


EDIT: Unrelated, but seems like I can't access archive.artixlinux.org without VPN? What's going on?

Re: xz/liblzma is compromised upstream (backdoor)

Reply #12
Quote from: Shoun2137 – on
EDIT: Unrelated, but seems like I can't access archive.artixlinux.org without VPN? What's going on?

Ha... that's what I was talking about, but was sent to the website hosting ppl first and no one took the responsibility here, with someone even stating that the war in Ukraine was the answer... Have a read here: https://forum.artixlinux.org/index.php/topic,6252.30.html

Gitea migrated to another provider and now it works. Archive only via VPN.