
XZ tools and libraries compromised with a critical issue

By - | Views: 63,750

There's been an urgent security bulletin sent out in a few places today in the Linux sphere relating to the XZ tools and libraries, including liblzma, as certain versions have been compromised.

From the OpenWall security list:

After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of Debian's package, but it turns out to be upstream.

From what they say, the issue is present in versions 5.6.0 and 5.6.1 of the libraries.

This has led to Red Hat putting up an urgent blog post on the matter, noting that so far Fedora Linux 40 is okay but you should "immediately stop usage of any Fedora Rawhide instances" as they were updated but they're going to be reverting to an older version.

For those not clear on what it is, as Red Hat noted: "xz is a general purpose data compression format present in nearly every Linux distribution, both community projects and commercial product distributions. Essentially, it helps compress (and then decompress) large file formats into smaller, more manageable sizes for sharing via file transfers".

Red Hat also noted the "malicious build interferes with authentication in sshd via systemd" and so "Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely".

Debian also has a security advisory up on it noting that "no Debian stable versions are known to be affected" but the compromised packages were part of "Debian testing, unstable and experimental distributions" which they have reverted as well.

On the Ubuntu side they have a Discourse forum post noting the affected package was removed from "Ubuntu 24.04 LTS (Noble Numbat) proposed builds" and they're continuing to investigate.

It has been assigned CVE-2024-3094 and is rated as a critical issue.

So you'll want to ensure any XZ packages are not at version 5.6.0 or 5.6.1, and check the news directly from your chosen distribution for updates on it.
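A quick host check for the advice above, added here as an example (it is not the article's or any distribution's own tool, and the function names are my own): it reads the liblzma version from `xz --version`, flags the two releases named in the advisory, and reports whether sshd pulls in liblzma, which on distributions that patch sshd for systemd notification happens through libsystemd.

```shell
#!/bin/sh
# Added example: report whether this host carries the liblzma versions named
# in CVE-2024-3094 (5.6.0, 5.6.1) and whether sshd links liblzma at all.
# Function names and output wording are assumptions, not any project's API.

# Return 0 when VERSION is one of the two compromised releases, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read `xz --version` output from stdin and print the liblzma version, e.g.
#   xz (XZ Utils) 5.4.5
#   liblzma 5.4.5
# prints "5.4.5". Reading stdin lets the function run on constructed output.
liblzma_version_from_output() {
    awk '$1 == "liblzma" { print $2; exit }'
}

# Read `ldd sshd` output from stdin; return 0 if liblzma appears among the
# dependencies (directly or transitively via libsystemd), 1 otherwise.
sshd_links_liblzma() {
    grep -q 'liblzma'
}

# Run both checks on the current host and print a verdict for each.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz --version 2>/dev/null | liblzma_version_from_output)
        if xz_version_affected "$ver"; then
            echo "liblzma $ver: one of the CVE-2024-3094 releases, revert it"
        else
            echo "liblzma ${ver:-unknown}: not 5.6.0 or 5.6.1"
        fi
    else
        echo "xz not found in PATH"
    fi
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | sshd_links_liblzma; then
        echo "sshd loads liblzma (via libsystemd): exposed if liblzma is affected"
    else
        echo "sshd does not load liblzma, or sshd is not installed"
    fi
    return 0
}

check_host
```

A clean version string only says the two known-bad releases are absent; distributions that reverted to an older build may still show the older version, so follow your distribution's own notices as the article advises.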


Update 02/04/24: the Binarly Research Team announced a new free tool to scan an ELF binary for XZ backdoor detection.

Article taken from GamingOnLinux.com.
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
59 comments
Bumadar Apr 1
Amazing how a thread about a backdoor in xz ended up posts about windows 95, the law and killing people.

Ooh and enjoy April 1st
Quoting: Bumadar: Amazing how a thread about a backdoor in xz ended up posts about windows 95, the law and killing people.

This kind of underlines the point about the limitations of Linear Conversation Threads like this one.

I think nested is better, but I find the whole upvote/downvote system a little nauseating and limited -- nested with reactionary emojis in place of voting like Misskey or something would be my dream go-to.

That way it would be possible to filter threads by light hearted "Funny Votes", "Technical Votes", etc... and have robust discussions while filtering out unwanted content.

It would be sick if private groups could have emojis exclusive to that group -- so Linuxers could have a penguin that we put on posts when we like that content, that would be sick.
tuubi Apr 2
Quoting: ElectricPrism: This kind of underlines the point about the limitations of Linear Conversation Threads like this one.

I think nested is better, but I find the whole upvote/downvote system a little nauseating and limited

I kind of enjoy the meandering and sometimes surprising conversations these traditional forum threads lead to. Off topic is the best topic.


Quoting: ElectricPrism: It would be sick if private groups could have emojis exclusive to that group -- so Linuxers could have a penguin that we put on posts when we like that content, that would be sick.

I'm not sure I like the idea of "private groups", as that implies there are all kinds of negative social mechanisms at play. We're a small enough community without that sort of silliness. And almost everyone participating in conversations on this site is a "Linuxer" anyway.


Last edited by tuubi on 2 April 2024 at 5:47 am UTC
a0kami Apr 2
the comment section... it never gets old
Liam Dawe Apr 2
Added a link to a free scanner tool to the article.
I don’t understand how to use this tool.
nenoro Apr 7
Quoting: F.Ultra
Quoting: nenoro: Well back to Gzip or use ZSTD when I compile the kernel then

Does this mean every package ending with tar.xz has risks?

No, the infection happens when xz itself is installed, not when you open xz files. So the danger is the presence of the compromised version of libxz on your system in combination with the usage of ssh.

Oh okay, well I don't use ssh anymore; it used to be easy before. Now there are too many command lines to enter before I can finally log in.
tuubi Apr 7
Quoting: nenoro
Quoting: F.Ultra
Quoting: nenoro: Well back to Gzip or use ZSTD when I compile the kernel then

Does this mean every package ending with tar.xz has risks?

No, the infection happens when xz itself is installed, not when you open xz files. So the danger is the presence of the compromised version of libxz on your system in combination with the usage of ssh.

Oh okay, well I don't use ssh anymore; it used to be easy before. Now there are too many command lines to enter before I can finally log in.

What do you mean? SSH works the same as ever, and logging in takes a single command. Unless your setup adds extra hurdles I suppose.
F.Ultra Apr 7
Quoting: nenoro
Quoting: F.Ultra
Quoting: nenoro: Well back to Gzip or use ZSTD when I compile the kernel then

Does this mean every package ending with tar.xz has risks?

No, the infection happens when xz itself is installed, not when you open xz files. So the danger is the presence of the compromised version of libxz on your system in combination with the usage of ssh.

Oh okay, well I don't use ssh anymore; it used to be easy before. Now there are too many command lines to enter before I can finally log in.

also it has to be sshd, aka the malicious libxz infects the OpenSSH server, not the client.