Xz/liblzma 10/10 CVE scored

abloss · March 30, 2024, 1:46am

There is a 10/10 CVE scored backdoor vulnerability in the xz-utils package, affecting versions 5.6.0+. This is still a developing situation, and further reversions may be necessary as the extent of commits by the offending individual are being reviewed still. Other vulnerabilities may be discovered along the way in other packages.

Libranext 4.0 alpha 3.2 and earlier: unaffected by this backdoor, according to current information (they’re shipped with 5.4.4 if fully updated).

Libranext 4.0 alpha 4: is affected and I’m working on addressing this. If you have access to an alpha 4 chroot image, please discontinue use immediately and wait for further information.

Debian stable systems: Unaffected, according to current information

For more information:

https://www.cve.org/CVERecord?id=CVE-2024-3094

https://www.openwall.com/lists/oss-security/2024/03/29/4

abloss · March 31, 2024, 2:52am

An update on the situation, as it pertains to Libranext:

Libranext 4.0 alpha4 uses the backdoored version of xz in it’s temporary toolchain used to cross-compile from scratch. Having seen newer information, including extracted strings from the backdoor, it seems that the backdoor shouldn’t have been activated on a Libranext system as alpha4 does not have dpkg or rpm, and currently doesn’t have SSH built yet. However, I’m not sure if it being built in the tempchain on the alpha3.2 host could trigger the backdoor, as alpha3.2 has ssh present (and running), as well as dpkg, and both are theoretically present during the tempchain build as we’re not in the cross-compiled environment at that point in the build. To be safe, I’m going to nuke the current alpha4 image I’ve been working off of and rebuild.

That being said, there is discussion about how far back prior to the backdoor’d release that we’d have to go to escape commits known to be done by the malicious actor. Any commits by them are undergoing scrutiny across multiple open-source packages, which brings me to the next point: libarchive. alpha4 uses libarchive’s bsdtar by default, instead of GNU tar. libarchive is currently reverting/rewriting patches submitted by Jia Tan (the presumed bad actor). The release of libarchive used in alpha4 is likely impacted.

In short:

Need to figure out how far back we have to go in xz releases to get to a likely safe version, and then backport security fixes that we know will be needed if we go back as far as some are suggesting
Need to pick up the new libarchive commits to remove potential flaws
Unfortunately, need to completely rebuild alpha4 because the tempchain also includes a potentially backdoored xz, that may have been triggered by the host system

Mostly for my reference, but also valuable information:

github.com/libarchive/libarchive

re-review commits

opened 05:43PM - 30 Mar 24 UTC

emaste

In light of the xz backdoor (https://www.cve.org/CVERecord?id=CVE-2024-3094) it …seems prudent to (at least) review again commits by the same author. I believe these are the associated commits: - [ ] 0f744f4e13721edf202f55bee73c73b267418d34 (#1589) - [x] fc4aa72c9bda58931a03ece04841ef4064be8a45 (#1591) - [x] d9acf3977948dbb3bf27b0f70b0ac476fc7ca448 (#1589) - [ ] 54d2b66049cd25d60f84047c454b920702918cae (#1593) - [ ] de366679572305bfa6c470c74af46c63f437192e (#1598) - [ ] 3ae7fb0ebdba8bcc3f36ca62b13526edc347f2d4 (#1598) - [ ] dd98b0ba6ac7fdd9b961f51a0f74bd15d4d97669 (#1598) - [ ] 379769d04ea4abbb9cce50a16a4f2eec407170e3 (#1598) - [ ] 1cfb5eaa5378878c132646b8654643ea7d05d0f0 (#1598) - [ ] eecf295089c344a5003980acfc9330ca4240a2cb (#1598) - [ ] 02cfa8ae67fa60e6d0415b75babf64864f0d8e72 (#1598) - [ ] fe81fefafec9ea22085f6a70f43054672cd272f9 (#1598) - [x] 3fec581c98ced21cdaaec681af0a35c9b2ddbd97 (#1591) - [ ] 0eee3c685bc66cda436f2c3b68f03b7ae34d6cb1 (#1606) - [x] f27c173d17dc807733b3a4f8c11207c3f04ff34f (#1609)

gist.github.com

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

xz-backdoor.md

# FAQ on the xz-utils backdoor

## Background

On March 29th, 2024, a backdoor was discovered in
[xz-utils](https://xz.tukaani.org/xz-utils/), a suite of software that
gives developers lossless compression. This package is commonly used
for compressing release tarballs, software packages, kernel images,
and initramfs images. It is very widely distributed, statistically
your average Linux or macOS system will have it installed for

This file has been truncated. show original

https://bugs.gentoo.org/928134

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024