XZ tools and libraries compromised with a critical issue

There’s been an urgent security bulletin sent out in a few places today in the Linux sphere that relates to the XZ tools and libraries with liblzma, as certain version have been compromised.

From the OpenWall security list:

After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of debian’s package, but it turns out to be upstream.

From what they say the issue is present in version 5.6.0 and 5.6.1 of the libraries.

This has led to Red Hat putting up an urgent blog post on the matter, noting that so far Fedora Linux 40 is okay but you should “immediately stop usage of any Fedora Rawhide instances” as they were updated but they’re going to be reverting to an older version.

For those not clear on what it is, as Red Hat noted: “xz is a general purpose data compression format present in nearly every Linux distribution, both community projects and commercial product distributions. Essentially, it helps compress (and then decompress) large file formats into smaller, more manageable sizes for sharing via file transfers”.

Red Hat also noted the “malicious build interferes with authentication in sshd via systemd” and so “Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely”.

Debian also has a security advisory up on it noting that “no Debian stable versions are known to be affected” but the compromised packages were part of “Debian testing, unstable and experimental distributions” which they have reverted as well.

It has been assigned as CVE-2024-3094 noting it is a critical issue.

So you’ll want to ensure any XZ packages are not at version 5.6.0 or 5.6.1, and check the news directly from your chosen distribution for updates on it.

Article taken from GamingOnLinux.com.