Topic: XZ with backdoor? (Read 878 times)

Re: XZ with backdoor?

Reply #1
In the other thread on this issue I see this

Quote
When using xz version 5.6.0-1 or 5.6.1-1, upgrading is recommended.

and detection is mentioned with
Code:
ldd $(command -v sshd) | grep liblzma
Empty results are good.


Re: XZ with backdoor?

Reply #3
Hi,
The person who inserted the backdoor into xz had been contributing to xz for 2 years before he included the backdoor.
The only way to prevent this, or to make it really hard to do again, is to make a list of Linux core programs and libraries from what is really running in the 10 most popular Linux use cases,
and then check and test every update of these core programs and libraries.
IBM and Google would have the resources to trace 250+ Linux core programs and libraries.

Re: XZ with backdoor?

Reply #4
I found this page interesting to read...  :(

Re: XZ with backdoor?

Reply #5
The true thing in that page is that xz is kind of redundant; there is a promising lzma-based one which is much better called lrzip, and also the native 7-zip binary that is for some reason still not packaged, not sure of its license compared to p7zip.
And even without lzma I can see bzip2 being modified for equivalent compression but much better reliability.
Zstd is just for decompression speed imo.

Re: XZ with backdoor?

Reply #6
If we don't get a reply from the devs, I'd recommend downgrading and blocking the upgrade until we get confirmation.
OS: Artix x86_64
Host: Predator PH517-61 V1.07
CPU: AMD Ryzen 7 2700 (16) @ 3.2GHz [112.4°F]
GPU: AMD ATI Radeon RX Vega 56/64
Memory: 1129MiB / 64390MiB

Re: XZ with backdoor?

Reply #7
TL;DR: Upgrade your systems NOW!

Following the related OpenWall post:
The upstream tarballs of xz 5.6.0 and 5.6.1 contain a backdoor which uses liblzma as a means to compromise SSH servers.

Preliminary analysis from the aforementioned post shows that the backdoor is designed to exploit openssh when linked against libsystemd (which depends on lzma) to compromise the SSH services. Artix and Arch don't link openssh to liblzma and thus this attack vector is not possible.

Based on the same analysis, the execution of openssh under systemd is a prerequisite for the backdoor to activate and given the additional distance of Artix to systemd (aren't we glad?), the exploit shouldn't affect any running Artix system.

However, it is strongly advised that all Artix users and administrators out there immediately upgrade their systems and container images (or at least xz to version 5.6.1-2) and restart openssh. Versions of xz up to and including 5.4.1-1 are not affected.
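The two indicators this thread discusses (the package version from the quoted advisory and the ldd check from Reply #1) combined into one script. This is an added example, not the thread's or the Artix project's code; the version boundaries are the ones stated above (upstream 5.6.0 and 5.6.1 backdoored, 5.6.1-2 the fixed Artix package) and the ldd sample is constructed.

```shell
# Added example, not the thread's or the Artix project's code: a check for the two
# indicators discussed above. Version boundaries are the thread's (upstream 5.6.0
# and 5.6.1 backdoored, 5.6.1-2 the fixed Artix package); sample data is constructed.

# Return 0 when a pacman version string such as "5.6.1-1" is a backdoored upstream
# release without the distribution fix. A bare upstream version counts as pkgrel 0.
xz_version_affected() {
    case "$1" in *-*) pkgrel=${1##*-} ;; *) pkgrel=0 ;; esac
    case "${1%%-*}" in
        5.6.0) return 0 ;;                          # every 5.6.0 build
        5.6.1) [ "$pkgrel" -lt 2 ] && return 0 ;;   # fixed in 5.6.1-2
    esac
    return 1                                        # 5.4.1-1 and older, 5.6.1-2+
}

# Return 0 when an ldd listing (passed as one string) names liblzma, whether sshd
# links it directly or pulls it in through libsystemd: the check from Reply #1.
ldd_shows_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed ldd output for an sshd that loads libsystemd and, through it, liblzma.
SAMPLE_LDD_LINKED='libsystemd.so.0 => /usr/lib/libsystemd.so.0
liblzma.so.5 => /usr/lib/liblzma.so.5
libc.so.6 => /usr/lib/libc.so.6'
# Inspect the running host: one line per indicator, exit status 1 if either fires.
# Hosts without pacman or sshd simply skip the corresponding check.
check_host() {
    status=0
    if command -v pacman >/dev/null 2>&1; then
        ver=$(pacman -Q xz 2>/dev/null | awk '{print $2}')
        if [ -n "$ver" ] && xz_version_affected "$ver"; then
            echo "xz $ver: affected, upgrade to 5.6.1-2 or later"; status=1
        else
            echo "xz ${ver:-not installed}: outside the affected range"
        fi
    fi
    if command -v sshd >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
        if ldd_shows_liblzma "$(ldd "$(command -v sshd)" 2>/dev/null)"; then
            echo "sshd loads liblzma: restart sshd after upgrading"; status=1
        else
            echo "sshd does not load liblzma"
        fi
    fi
    return $status
}

# Run the host check when executed directly; sourcing the file only defines the functions.
[ "${BASH_SOURCE:-$0}" = "$0" ] && check_host
```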

Re: XZ with backdoor?

Reply #8
Upgrade the package. The latest version of the package is not affected by said vulnerability.