We do often include affiliate links to earn us some pennies. See more here.

There's been an urgent security bulletin sent out in a few places today in the Linux sphere that relates to the XZ tools and libraries with liblzma, as certain version have been compromised.

From the OpenWall security list:

After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of debian's package, but it turns out to be upstream.

From what they say the issue is present in version 5.6.0 and 5.6.1 of the libraries.

This has led to Red Hat putting up an urgent blog post on the matter, noting that so far Fedora Linux 40 is okay but you should "immediately stop usage of any Fedora Rawhide instances" as they were updated but they're going to be reverting to an older version.

For those not clear on what it is, as Red Hat noted: "xz is a general purpose data compression format present in nearly every Linux distribution, both community projects and commercial product distributions. Essentially, it helps compress (and then decompress) large file formats into smaller, more manageable sizes for sharing via file transfers".

Red Hat also noted the "malicious build interferes with authentication in sshd via systemd" and so "Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely".

Debian also has a security advisory up on it noting that "no Debian stable versions are known to be affected" but the compromised packages were part of "Debian testing, unstable and experimental distributions" which they have reverted as well.

On the Ubuntu side they have a Discourse forum post noting the affected package was removed from "Ubuntu 24.04 LTS (Noble Numbat) proposed builds" and they're continuing to investigate.

It has been assigned as CVE-2024-3094 noting it is a critical issue.

So you'll want to ensure any XZ packages are not at version 5.6.0 or 5.6.1, and check the news directly from your chosen distribution for updates on it.


Update 02/04/24: the Binarly Research Team announced a new free tool to scan an ELF binary for XZ backdoor detection.

Article taken from GamingOnLinux.com.
Tags: Security, Misc
24 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
See more from me
59 comments
Page: «3/3
  Go to:

Quoting: sudoerAlso, how many "home" users use a ssh server...
A lot of people do, it's a great way to backup or transfer files.
Quoting: Purple Library Guy
Quoting: PublicNuisanceAs soon as you make a law you have to be willing to have have people killed to enforce it. If you aren't then you can't have the law.
You're an American, aren't you? Just a wild guess.

Canadian.



Quoting: benstor214
Quoting: Purple Library Guy
Quoting: PublicNuisanceAs soon as you make a law you have to be willing to have have people killed to enforce it. If you aren't then you can't have the law.
You're an American, aren't you? Just a wild guess.
Last week, I stationed my car at a parking spot without paying for a parking ticket. I was therefore shot by a cop five minutes later.
Advisory: Pay for your parking tickets!

Let's apply some logic. You get caught not paying your ticket. They ask you to but you refuse. They call the police. The police tell you to but you refuse. The police issue you a ticket or straight out arrest you and you refuse to comply. They go to take you by force and you resist. They end up killing you in the struggle.

You think that is bogus because you yourself follow the law and comply with law enforcement but not everybody does. When they don't that leads to violence and can end in death. As soon as you have any law at all you involve law enforcement and you have to be willing to accept that some people have the potential to die in the law being enforced. This goes for any law no matter how big or small. It doesn't mean we can't have laws but it does require to have adult conversations and accept that some people are not going to act rationally or peacefully.
Quoting: PublicNuisanceLet's apply some logic. You get caught not paying your ticket. They ask you to but you refuse. They call the police. The police tell you to but you refuse. The police issue you a ticket or straight out arrest you and you refuse to comply. They go to take you by force and you resist. They end up killing you in the struggle.

You think that is bogus because you yourself follow the law and comply with law enforcement but not everybody does.
Not everyone complies with law enforcement, but people not complying with law enforcement really rarely results in anyone dying, especially when it comes to white collar offences, and especially especially civil ones. Even criminal ones--how often have the cops ever killed anyone over embezzlement? Most laws don't result in stereotypical interactions with cops in your car or whatever. And of course, in nearly all developed countries other than the US and to a much lesser extent Canada, the police don't kill people.

But sure, if all the worst possible chances add together, a death could result. So you're saying that if something goes fantastically wrong, any given law could kill someone, therefore you have to never pass a law unless you're willing to imagine it carries the death penalty. No, that's silly. Sure, it's possible, but all kinds of actions could result in death. Saying "As soon as you make a law you have to be willing to have have people killed to enforce it" is roughly equivalent to saying "As soon as you upload a 3d printer design you have to be willing to have people killed to manufacture the plastic it uses." After all, there are factory fatalities, not to mention people working in chemical plants that make the plastics have higher cancer rates. If people start using that design, the additional manufactured plastic could cause death, which by your logic means you have to assume it's going to.
Quoting: Purple Library Guy
Quoting: PublicNuisanceLet's apply some logic. You get caught not paying your ticket. They ask you to but you refuse. They call the police. The police tell you to but you refuse. The police issue you a ticket or straight out arrest you and you refuse to comply. They go to take you by force and you resist. They end up killing you in the struggle.

You think that is bogus because you yourself follow the law and comply with law enforcement but not everybody does.
Not everyone complies with law enforcement, but people not complying with law enforcement really rarely results in anyone dying, especially when it comes to white collar offences, and especially especially civil ones. Even criminal ones--how often have the cops ever killed anyone over embezzlement? Most laws don't result in stereotypical interactions with cops in your car or whatever. And of course, in nearly all developed countries other than the US and to a much lesser extent Canada, the police don't kill people.

But sure, if all the worst possible chances add together, a death could result. So you're saying that if something goes fantastically wrong, any given law could kill someone, therefore you have to never pass a law unless you're willing to imagine it carries the death penalty. No, that's silly. Sure, it's possible, but all kinds of actions could result in death. Saying "As soon as you make a law you have to be willing to have have people killed to enforce it" is roughly equivalent to saying "As soon as you upload a 3d printer design you have to be willing to have people killed to manufacture the plastic it uses." After all, there are factory fatalities, not to mention people working in chemical plants that make the plastics have higher cancer rates. If people start using that design, the additional manufactured plastic could cause death, which by your logic means you have to assume it's going to.

The 3D printer argument isn't really the same thing. I'm talking about having government introducing a law that will bring people into contact with law enforcement. What is more likely to bring you into contact with law enforcement: making a law that people will be expected to abide by or uploading a document that they are not ? The easy way to avoid this line of thought is to not have the knee jerk reaction of making more laws and trying to force your views down other people's throats. We need less laws not more, especially when it concerns soemthing as trivial as whether people use FOSS software or not. Let's not forget it is that which prompted this debate, someone trying to control what software other people use. The hilarity of that is that many if not all people on this site use hardware that is not FOSS and play closed source games with it. If you try to allow the government to control what software you use don't be surprised one day when they use that precedent to try to force you to use Windows. But go ahead and proceed to try to lock people up for using Github or something else like it.
sudoer Mar 31
Quoting: dpanterI don't want to argue about off topic issues in article comments but what the heck have you been smoking and where can I get some? Come on dude. Nobody here likes M$ or Windoze but let's stick with facts.

Maybe you should put down the controller for a moment instead lol. What exactly isn't a fact, that MS-DOS was not single-user, that it wasn't single-tasking or that it wasn't network-aware? Also, it wasn't me using Windows 95 as an invalid argument.
F.Ultra Mar 31
View PC info
  • Supporter
Quoting: nenoroWell back to Gzip or use ZSTD when i compile the kernel then

Does this mean every package ending with tar.xz have risks ?

No, the infection happens when xz itself in installed, not when you open xz files. So the danger is the presence of the compromised version of libxz on your system in combination with the usage of ssh.
benstor214 Mar 31
View PC info
  • Supporter
Quoting: PublicNuisanceLet's apply some logic. You get caught not paying your ticket. They ask you to but you refuse. They call the police. The police tell you to but you refuse. The police issue you a ticket or straight out arrest you and you refuse to comply. They go to take you by force and you resist. They end up killing you in the struggle.
Dude, they will let me go. After some time, I will receive a letter. And after some more time a judge will simply order my employer to send a part of my salary to pay for the initial ticket plus fees. If I’m self-employed, some official will confiscate part of my belongings until the debt is paid in full.
Because we live in a civilization and not in the wild, wild west shouting ‘Yeehah!’ while emptying our mags…


Last edited by benstor214 on 31 March 2024 at 12:49 pm UTC
ShabbyX Mar 31
Quoting: PublicNuisanceLet's apply some logic. You get caught not paying your ticket. They ask you to but you refuse. They call the police. The police tell you to but you refuse. The police issue you a ticket or straight out arrest you and you refuse to comply. They go to take you by force and you resist. They end up killing you in the struggle.

The flaw in this logic is that, the reason this person gets killed in the struggle is not that they didn't follow whatever law started this. The reason is that they attacked another human being and the other acted in self defense. The scenario is changed, and the matter of the original law is no longer relevant.

You can go to supermarket، <some conflict happens like you bump carts>, threaten people with a gun and get taken out by the police.

You can walk on the street، <some conflict happens like you step on someone's toes>, threaten people with a gun and get taken out by the police.

You can chew gum، <some conflict happens like someone says you're chewing too loudly>, threaten people with a gun and get taken out by the police.

We don't consider that we must be able to have people die to have supermarkets, walks outside, or chewing gum. That's also why we don't consider that when making (most) laws.

To your original point, I don't think anyone is arguing with you that the choice of software shouldn't be enforced. There was one comment, yes, but we generally all believe in that choice.
Hamish Mar 31
Quoting: sudoerAlso, it wasn't me using Windows 95 as an invalid argument.
No, your argument was that home users do not and will never need SSH, something which is clearly unsupportable.

The only alternative for my home network would have to be SAMBA I guess, which brings us right back to Network Neighborhood.
Quoting: PublicNuisance
Quoting: Purple Library Guy
Quoting: PublicNuisanceLet's apply some logic. You get caught not paying your ticket. They ask you to but you refuse. They call the police. The police tell you to but you refuse. The police issue you a ticket or straight out arrest you and you refuse to comply. They go to take you by force and you resist. They end up killing you in the struggle.

You think that is bogus because you yourself follow the law and comply with law enforcement but not everybody does.
Not everyone complies with law enforcement, but people not complying with law enforcement really rarely results in anyone dying, especially when it comes to white collar offences, and especially especially civil ones. Even criminal ones--how often have the cops ever killed anyone over embezzlement? Most laws don't result in stereotypical interactions with cops in your car or whatever. And of course, in nearly all developed countries other than the US and to a much lesser extent Canada, the police don't kill people.

But sure, if all the worst possible chances add together, a death could result. So you're saying that if something goes fantastically wrong, any given law could kill someone, therefore you have to never pass a law unless you're willing to imagine it carries the death penalty. No, that's silly. Sure, it's possible, but all kinds of actions could result in death. Saying "As soon as you make a law you have to be willing to have have people killed to enforce it" is roughly equivalent to saying "As soon as you upload a 3d printer design you have to be willing to have people killed to manufacture the plastic it uses." After all, there are factory fatalities, not to mention people working in chemical plants that make the plastics have higher cancer rates. If people start using that design, the additional manufactured plastic could cause death, which by your logic means you have to assume it's going to.

The 3D printer argument isn't really the same thing. I'm talking about having government introducing a law that will bring people into contact with law enforcement. What is more likely to bring you into contact with law enforcement: making a law that people will be expected to abide by or uploading a document that they are not ? The easy way to avoid this line of thought is to not have the knee jerk reaction of making more laws and trying to force your views down other people's throats. We need less laws not more, especially when it concerns soemthing as trivial as whether people use FOSS software or not. Let's not forget it is that which prompted this debate, someone trying to control what software other people use. The hilarity of that is that many if not all people on this site use hardware that is not FOSS and play closed source games with it. If you try to allow the government to control what software you use don't be surprised one day when they use that precedent to try to force you to use Windows. But go ahead and proceed to try to lock people up for using Github or something else like it.
Your entire logic there is a shifted goalpost. You're saying the law proposed is a bad one; I daresay you're right. Really, law is a complicated matter and most laws people propose off the top of their heads, even if the general thrust is OK, would probably be bad. A law for all software to be open source, for instance, would not work well unless you'd changed a bunch of other stuff about our legal and economic regime too (something I think is well worth doing, but that's a whole other very elaborate conversation).

That's an entirely different thing from saying you have to be willing to kill people for a law before you pass it, which is not the case. It's one of those dramatic statements that sounds profound until you actually stop and think about it. Some municipalities in my area are passing laws that new buildings shall not have connection to natural gas--they'll have to use electric heat pumps for heating, electric stoves and so on. The local gas company is very upset, and very willing to spend masses of money on PR, bribes and so on to try to stop it from happening. Nobody is going to die over this.
Bumadar Apr 1
Amazing how a thread about a backdoor in xz ended up posts about windows 95, the law and killing people.

Ooh and enjoy April 1st
Quoting: BumadarAmazing how a thread about a backdoor in xz ended up posts about windows 95, the law and killing people.

This kind of underlines the point the limitations of Linear Conversation Threads like this one.

I think nested is better, but I find the whole upvote/downvote system a little nauseating and limited -- nested with reactionary emojis in place of voting like Misskey or something would be my dream go-to.

That way it would be possible to filter threads by light hearted "Funny Votes", "Technical Votes", etc... and have robust discussions while filtering out unwanted content.

It would be sick if private groups could have emojis exclusive to that group -- so Linuxers could have a penguin that we put on posts when we like that content, that would be sick.
tuubi Apr 2
View PC info
  • Supporter Plus
Quoting: ElectricPrismThis kind of underlines the point the limitations of Linear Conversation Threads like this one.

I think nested is better, but I find the whole upvote/downvote system a little nauseating and limited

I kind of enjoy the meandering and sometimes surprising conversations these traditional forum threads lead to. Off topic is the best topic.


Quoting: ElectricPrismIt would be sick if private groups could have emojis exclusive to that group -- so Linuxers could have a penguin that we put on posts when we like that content, that would be sick.

I'm not sure I like the idea of "private groups", as that implies there are all kinds of negative social mechanisms at play. We're a small enough community without that sort of silliness. And almost everyone participating in conversations on this site is a "Linuxer" anyway.


Last edited by tuubi on 2 April 2024 at 5:47 am UTC
a0kami Apr 2
the comment section... it never gets old
Liam Dawe Apr 2
Added a link to a free scanner tool to the article.
View PC info
  • Supporter
I don’t understand how to use this tool.
nenoro Apr 7
Quoting: F.Ultra
Quoting: nenoroWell back to Gzip or use ZSTD when i compile the kernel then

Does this mean every package ending with tar.xz have risks ?

No, the infection happens when xz itself in installed, not when you open xz files. So the danger is the presence of the compromised version of libxz on your system in combination with the usage of ssh.

oh okay, well i don't use ssh anymore it used to be easy before. Now too many command line to enter before i can finally log in
tuubi Apr 7
View PC info
  • Supporter Plus
Quoting: nenoro
Quoting: F.Ultra
Quoting: nenoroWell back to Gzip or use ZSTD when i compile the kernel then

Does this mean every package ending with tar.xz have risks ?

No, the infection happens when xz itself in installed, not when you open xz files. So the danger is the presence of the compromised version of libxz on your system in combination with the usage of ssh.

oh okay, well i don't use ssh anymore it used to be easy before. Now too many command line to enter before i can finally log in

What do you mean? SSH works the same as ever, and logging in takes a single command. Unless your setup adds extra hurdles I suppose.
F.Ultra Apr 7
View PC info
  • Supporter
Quoting: nenoro
Quoting: F.Ultra
Quoting: nenoroWell back to Gzip or use ZSTD when i compile the kernel then

Does this mean every package ending with tar.xz have risks ?

No, the infection happens when xz itself in installed, not when you open xz files. So the danger is the presence of the compromised version of libxz on your system in combination with the usage of ssh.

oh okay, well i don't use ssh anymore it used to be easy before. Now too many command line to enter before i can finally log in

also it has to be sshd, aka the malicious libxz infects the OpenSSH server, not the client.
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Login / Register