Text only | Text with Images

Artix Linux Forum

Artix Linux => Applications & Software => Topic started by: Andy on 30 March 2024, 06:23:02

Title: XZ with backdoor?
Post by: Andy on 30 March 2024, 06:23:02
Hi,
is this version: system/xz                 5.6.1-1  -> 5.6.1-2   the one with the backdoor ?
https://lwn.net/ml/oss-security/[email protected]/
https://blog.holz.nu/2024/03/29/0.html

Title: Re: XZ with backdoor?
Post by: replabrobin on 30 March 2024, 09:23:41
In the other thread on this issue (https://forum.artixlinux.org/index.php/topic,6643.0) I see this

Quote
When using xz version 5.6.0-1 or 5.6.1-1, upgrading is recommended.

and detection is mentioned with
Code: [Select]
ldd $(command -v sshd) | grep liblzma
empty results is good.
Title: Re: XZ with backdoor?
Post by: Andy on 30 March 2024, 12:48:06
Hi,

Thank you.
I downgraded XZ ( https://archive.artixlinux.org/packages/x/xz/xz-5.4.6-1-x86_64.pkg.tar.zst )
and listet it as non-update-able.
Title: Re: XZ with backdoor?
Post by: Andy on 30 March 2024, 13:39:19
Hi,
the person who inserted the backdoor into xz was 2 years contributing to xz before he included the backdoor.
The only way to prevent/make it really hard to do it again is to make a list of Linux core programs and libraries from what is really running in the 10 most popular Linux use cases.
And check and test every update of this core programs and libraries.
IBM and Google would have the resources to trace 250+ Linux core programs and libraries.
Title: Re: XZ with backdoor?
Post by: cr6 on 01 April 2024, 12:35:11
I found this page (https://www.nongnu.org/lzip/xz_inadequate.html) interesting to read...  :(
Title: Re: XZ with backdoor?
Post by: Hitman on 01 April 2024, 12:53:30
True thing in that page is that xz is kind of redundant, there is a promising lzma based one which is much better called lrzip, and also the native 7-zip binary that is for some reason still not packaged, not sure of it's license compared to p7zip.
And even without lzma i can see bzip2 being modified for equivalent compression but much better reliability.
Zstd is just for decompression speed imo.
Title: Re: XZ with backdoor?
Post by: psy0nic on 02 April 2024, 06:53:15
If we don't get a reply from the Dev's I'd recommend downgrading and blocking the upgrade until we get confirmation.
Title: Re: XZ with backdoor?
Post by: l3u on 04 April 2024, 18:20:11
Quote from: https://artixlinux.org/
TL;DR: Upgrade your systems NOW!

Following the related OpenWall post:
The upstream tarballs of xz 5.6.0 and 5.6.1 contain a backdoor which uses liblzma as a means to compromise SSH servers.

Preliminary analysis from the aforementioned post shows that the backdoor is designed to exploit openssh when linked against libsystemd (which depends on lzma) to compromise the SSH services. Artix and Arch don't link openssh to liblzma and thus this attack vector is not possible.

Based on the same analysis, the execution of openssh under systemd is a prerequisite for the backdoor to activate and given the additional distance of Artix to systemd (aren't we glad?), the exploit shouldn't affect any running Artix system.

However, it is strongly advised that all Artix users and administrators out there immediately upgrade their systems and container images (or at least xz to version 5.6.1-2) and restart openssh. Versions of xz up to and including 5.4.1-1 are not affected.
Title: Re: XZ with backdoor?
Post by: LemonPie on 05 April 2024, 10:12:42
Upgrade the package. The latest version of package is not affected by said vulnerability.
Text only | Text with Images