We do often include affiliate links to earn us some pennies. See more here.

XZ tools and libraries compromised with a critical issue

By - | Views: 65,277

There's been an urgent security bulletin sent out in a few places today in the Linux sphere that relates to the XZ tools and libraries with liblzma, as certain version have been compromised.

From the OpenWall security list:

After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of debian's package, but it turns out to be upstream.

From what they say the issue is present in version 5.6.0 and 5.6.1 of the libraries.

This has led to Red Hat putting up an urgent blog post on the matter, noting that so far Fedora Linux 40 is okay but you should "immediately stop usage of any Fedora Rawhide instances" as they were updated but they're going to be reverting to an older version.

For those not clear on what it is, as Red Hat noted: "xz is a general purpose data compression format present in nearly every Linux distribution, both community projects and commercial product distributions. Essentially, it helps compress (and then decompress) large file formats into smaller, more manageable sizes for sharing via file transfers".

Red Hat also noted the "malicious build interferes with authentication in sshd via systemd" and so "Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely".

Debian also has a security advisory up on it noting that "no Debian stable versions are known to be affected" but the compromised packages were part of "Debian testing, unstable and experimental distributions" which they have reverted as well.

On the Ubuntu side they have a Discourse forum post noting the affected package was removed from "Ubuntu 24.04 LTS (Noble Numbat) proposed builds" and they're continuing to investigate.

It has been assigned as CVE-2024-3094 noting it is a critical issue.

So you'll want to ensure any XZ packages are not at version 5.6.0 or 5.6.1, and check the news directly from your chosen distribution for updates on it.


Update 02/04/24: the Binarly Research Team announced a new free tool to scan an ELF binary for XZ backdoor detection.

Article taken from GamingOnLinux.com.
Tags: Security, Misc
24 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
See more from me
59 comments
Page: 1/6»
  Go to:

serebit Mar 29
QuoteSo you'll want to ensure any XZ packages are not at version 5.6.0 or 5.6.1, and check the news directly from your chosen distribution for updates on it.

We're going to be putting out a news bulletin for this, but as an addendum, Arch Linux has addressed this vulnerability with xz package version 5.6.1-2. 5.6.0-1 and 5.6.1-1 are both vulnerable.
Szkodnix Mar 29
As I checked, openSUSE Tumbleweed already released an update which downgrades the package for now.

We're safe for now
williamjcm Mar 29
QuoteSo you'll want to ensure any XZ packages are not at version 5.6.0 or 5.6.1, and check the news directly from your chosen distribution for updates on it.

Arch has repackaged 5.6.1, using a repo clone instead of the compromised tarballs: https://security.archlinux.org/ASA-202403-1
https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad
pb Mar 29
Thanks, updated xz and lib32-xz to 5.6.1-2
mattaraxia Mar 29
I conveniently, just this morning, decided to hit the button and upgrade my main PC to Fedora 40's beta. It seems I got in late enough that I got 5.4.6-1 initially and then 5.4.6.-3 on upgrade, completely bypassing the "probably OK" builds that were up there.

This is a good reminder of how often, boring old versions of software are pretty nice things.
dibz Mar 29
Might be fighting words for some, but this makes me glad I'm a bit old hat and generally not a fan of rolling distributions, which is who this mainly applies to. This attack entered the effected package only a couple months ago for pete's sake.
Quoting: SzkodnixAs I checked, openSUSE Tumbleweed already released an update which downgrades the package for now.

We're safe for now

Can confirm (Aeon) it's quite a funny version number they've chosen so zypper wouldn't mistakenly update to the latest version though

Information for package xz:
---------------------------
Repository     : repo-oss
Name           : xz
Version        : 5.6.1.revertto5.4-3.1
Arch           : x86_64
Vendor         : openSUSE
sudoer Mar 29
Quoting: dibzMight be fighting words for some, but this makes me glad I'm a bit old hat and generally not a fan of rolling distributions, which is who this mainly applies to. This attack entered the effected package only a couple months ago for pete's sake.

One month ago and according to https://security.archlinux.org/ASA-202403-1

QuoteThe malicious code path does not exist in the arch version of sshd, as it does not link to liblzma.[...]

But you 've got a point nonetheless.


Last edited by sudoer on 30 March 2024 at 12:08 am UTC
Samsai Mar 29
I guess a potential new practice ought to be checking the hash of the tag pull against that of the release tarball to see if those release tarballs contain anything not part of the source repository. Or just building off of tags in the first place, so at least any hostile code needs to be in the source repository and thus publicly visible.
Manjaro just pushed out an update.
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Login / Register


Or login with...
Sign in with Steam Sign in with Google
Social logins require cookies to stay logged in.