There's been an urgent security bulletin sent out in a few places today in the Linux sphere relating to the XZ tools and the liblzma library, as certain versions have been compromised.
From the OpenWall security list:
After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:
The upstream xz repository and the xz tarballs have been backdoored.
At first I thought this was a compromise of Debian's package, but it turns out to be upstream.
From what they say, the issue is present in versions 5.6.0 and 5.6.1 of the libraries.
This has led to Red Hat putting up an urgent blog post on the matter, noting that Fedora Linux 40 is so far okay, but that you should "immediately stop usage of any Fedora Rawhide instances", as Rawhide had received the compromised update and will be reverted to an older version.
For those not clear on what it is, as Red Hat noted: "xz is a general purpose data compression format present in nearly every Linux distribution, both community projects and commercial product distributions. Essentially, it helps compress (and then decompress) large file formats into smaller, more manageable sizes for sharing via file transfers".
Red Hat also noted the "malicious build interferes with authentication in sshd via systemd" and so "Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely".
Debian also has a security advisory up on it noting that "no Debian stable versions are known to be affected" but the compromised packages were part of "Debian testing, unstable and experimental distributions" which they have reverted as well.
On the Ubuntu side they have a Discourse forum post noting the affected package was removed from "Ubuntu 24.04 LTS (Noble Numbat) proposed builds" and they're continuing to investigate.
It has been assigned CVE-2024-3094 and is rated as a critical issue.
So you'll want to ensure any XZ packages are not at version 5.6.0 or 5.6.1, and check the news directly from your chosen distribution for updates on it.
Update 02/04/24: the Binarly Research Team announced a new free tool to scan an ELF binary for XZ backdoor detection.
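As an added example (not from the article, the advisories, or any distribution's tooling), here is a small POSIX shell script that carries out the version check the article recommends: it parses the output of xz --version, flags the two releases named in CVE-2024-3094, and reports whether the local sshd binary resolves liblzma at load time at all, since the Red Hat note says the interference with sshd authentication happens via systemd. The sshd path and the two-line layout of xz --version output are assumptions; your distribution's own advisory remains the authority on which package builds are affected.

```shell
#!/bin/sh
# Added example: checks a host for the xz/liblzma versions named in CVE-2024-3094.
# Not from the article or any distribution; the sshd path below is an assumption.

# The two releases the advisories name as backdoored.
BAD_XZ_VERSIONS="5.6.0 5.6.1"

# xz_version_is_bad VERSION
# Returns 0 when VERSION is one of the known-bad releases, 1 otherwise.
xz_version_is_bad() {
    for bad in $BAD_XZ_VERSIONS; do
        [ "$1" = "$bad" ] && return 0
    done
    return 1
}

# parse_liblzma_version "OUTPUT"
# Assumed layout: `xz --version` prints "xz (XZ Utils) X.Y.Z" then "liblzma X.Y.Z".
# The library line is the one that matters, since sshd loads the library, not the tool.
parse_liblzma_version() {
    printf '%s\n' "$1" | awk '$1 == "liblzma" { print $2; exit }'
}

# check_xz_output "OUTPUT"
# Prints a verdict; returns 0 = not a known-bad version, 1 = known-bad, 2 = undetermined.
check_xz_output() {
    ver=$(parse_liblzma_version "$1")
    if [ -z "$ver" ]; then
        echo "could not determine the liblzma version"
        return 2
    fi
    if xz_version_is_bad "$ver"; then
        echo "liblzma $ver is a release named in CVE-2024-3094; update or downgrade via your distribution"
        return 1
    fi
    echo "liblzma $ver is not one of the releases named in CVE-2024-3094"
    return 0
}

# sshd_links_liblzma [PATH]
# Returns 0 if the sshd binary resolves liblzma at load time (directly or through
# a dependency such as libsystemd), 1 if it does not, 2 if the check could not be run.
sshd_links_liblzma() {
    sshd_path=${1:-$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)}
    [ -x "$sshd_path" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Live run against the local host; pieces that cannot run are reported, not failed.
if command -v xz >/dev/null 2>&1; then
    check_xz_output "$(xz --version 2>/dev/null)"
else
    echo "xz is not installed on this host"
fi
case $(sshd_links_liblzma; echo $?) in
    0) echo "sshd links liblzma, so the version reported above applies to remote logins" ;;
    1) echo "sshd does not link liblzma" ;;
    *) echo "could not inspect sshd (binary or ldd not found)" ;;
esac
```

The version check alone is the minimum; the ldd step tells you whether the liblzma on the box is even in sshd's load path, which is what decides whether the remote-login risk described above applies to that host.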
Quoting: Bumadar
Amazing how a thread about a backdoor in xz ended up in posts about Windows 95, the law and killing people.
This kind of underlines the limitations of Linear Conversation Threads like this one.
I think nested is better, but I find the whole upvote/downvote system a little nauseating and limited -- nested with reactionary emojis in place of voting like Misskey or something would be my dream go-to.
That way it would be possible to filter threads by light hearted "Funny Votes", "Technical Votes", etc... and have robust discussions while filtering out unwanted content.
It would be sick if private groups could have emojis exclusive to that group -- so Linuxers could have a penguin that we put on posts when we like that content, that would be sick.
Quoting: ElectricPrism
This kind of underlines the limitations of Linear Conversation Threads like this one.
I think nested is better, but I find the whole upvote/downvote system a little nauseating and limited
I kind of enjoy the meandering and sometimes surprising conversations these traditional forum threads lead to. Off topic is the best topic.
Quoting: ElectricPrism
It would be sick if private groups could have emojis exclusive to that group -- so Linuxers could have a penguin that we put on posts when we like that content, that would be sick.
I'm not sure I like the idea of "private groups", as that implies there are all kinds of negative social mechanisms at play. We're a small enough community without that sort of silliness. And almost everyone participating in conversations on this site is a "Linuxer" anyway.
Last edited by tuubi on 2 April 2024 at 5:47 am UTC
Quoting: F.Ultra
Quoting: nenoro
Well back to Gzip or use ZSTD when I compile the kernel then.
Does this mean every package ending with tar.xz has risks?
No, the infection happens when xz itself is installed, not when you open xz files. So the danger is the presence of the compromised version of libxz on your system in combination with the usage of ssh.
Oh okay, well I don't use ssh anymore; it used to be easy before. Now there are too many command lines to enter before I can finally log in.
Quoting: nenoro
Quoting: F.Ultra
Quoting: nenoro
Well back to Gzip or use ZSTD when I compile the kernel then.
Does this mean every package ending with tar.xz has risks?
No, the infection happens when xz itself is installed, not when you open xz files. So the danger is the presence of the compromised version of libxz on your system in combination with the usage of ssh.
Oh okay, well I don't use ssh anymore; it used to be easy before. Now there are too many command lines to enter before I can finally log in.
What do you mean? SSH works the same as ever, and logging in takes a single command. Unless your setup adds extra hurdles I suppose.
Quoting: nenoro
Quoting: F.Ultra
Quoting: nenoro
Well back to Gzip or use ZSTD when I compile the kernel then.
Does this mean every package ending with tar.xz has risks?
No, the infection happens when xz itself is installed, not when you open xz files. So the danger is the presence of the compromised version of libxz on your system in combination with the usage of ssh.
Oh okay, well I don't use ssh anymore; it used to be easy before. Now there are too many command lines to enter before I can finally log in.
Also, it has to be sshd, aka the malicious libxz infects the OpenSSH server, not the client.