xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
h***@tuta.io
2024-03-30 01:15:53 UTC
Hi everyone,

I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4

It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.

I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.

The Github repository has currently been locked out.

Hoping that someone more aware of what's going on can offer more insight.

Thanks!

-Henrich


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Tomoaki AOKI
2024-03-30 01:22:05 UTC
On Sat, 30 Mar 2024 02:15:53 +0100 (CET)
Post by h***@tuta.io
Hi everyone,
I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4
It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.
I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.
The Github repository has currently been locked out.
Hoping that someone more aware of what's going on can offer more insight.
Thanks!
-Henrich
At least base is not affected. See [1] and [2].

[1]
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

[2]
https://forums.freebsd.org/threads/backdoor-in-upstream-xz-liblzma-leading-to-ssh-server-compromise.92922/
--
Tomoaki AOKI <***@dec.sakura.ne.jp>


h***@tuta.io
2024-03-30 01:46:53 UTC
Good to know, thank you!

I do think in this case it may be worth going to an older version because the maintainer was actively malicious. Even if *this* vulnerability looks safe. Just feels like playing with fire at the moment.

Also, it sounds like libarchive had a suspicious commit by the author as well.

Good synopsis:
https://boehs.org/node/everything-i-know-about-the-xz-backdoor

I should probably join freebsd-security while I'm at it...

-Henrich
Post by Tomoaki AOKI
On Sat, 30 Mar 2024 02:15:53 +0100 (CET)
Post by h***@tuta.io
Hi everyone,
I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4
It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.
I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.
The Github repository has currently been locked out.
Hoping that someone more aware of what's going on can offer more insight.
Thanks!
-Henrich
At least base is not affected. See [1] and [2].
[1]
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
[2]
https://forums.freebsd.org/threads/backdoor-in-upstream-xz-liblzma-leading-to-ssh-server-compromise.92922/
--
Jonathan Vasquez
2024-03-30 21:53:48 UTC
Post by h***@tuta.io
Hi everyone,
I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4
It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.
I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.
The Github repository has currently been locked out.
Hoping that someone more aware of what's going on can offer more insight.
Thanks!
-Henrich
Dag-Erling Smørgrav
2024-04-01 11:04:27 UTC
4. FreeBSD is - to my knowledge - not susceptible to this attack because our sshd
is not linked to the compromised library at all.
That's not sufficient. The attack payload is a binary blob and has not
been fully analyzed; it could have other effects which haven't yet been
discovered. However, FreeBSD is not vulnerable because the version of
xz included in FreeBSD includes neither the attack payload nor the
trojaned build script which injects the payload into the library.
5. Even if you installed a supposedly compromised xz from ports, there are probably
no ill consequences.
We don't have an xz or liblzma port.

DES
--
Dag-Erling Smørgrav - ***@FreeBSD.org


Eli Devejian
2024-03-31 00:28:41 UTC
This is my understanding too: this vulnerability only affects versions of
openssh compiled against compromised versions of xz with extra support for
systemd integration, so FreeBSD is unaffected. Also, this only affects
release tarballs, with malicious binary blobs. Like Arch Linux, as long as
we pull from the repo and compile in-house this should mitigate other
vulnerabilities possibly created by this rogue maintainer. I have not seen
any evidence that more action than this is needed.

Cheers,
-Eli
Hi all,
https://www.openwall.com/lists/oss-security/2024/03/29/4
Post by h***@tuta.io
It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is
or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion,
earlier versions may also be suspect given that this may have been a
deliberate backdoor from a maintainer.
Post by h***@tuta.io
I propose that we go back to a "known safe" version. It would probably
be unwise to push 14.1 as-is, as well.
Post by h***@tuta.io
[...]
1. The point of this backdoor is - to my knowledge - to get a rogue
login via SSH.
2. The mechanism relies on the compromised liblzma being linked with
sshd.
3. Which is the case for some Linux distributions because they pull
in some extra functions for better systemd integration which then
pulls in liblzma as a dependency.
4. FreeBSD is - to my knowledge - not susceptible to this attack
because our sshd is not linked to the compromised library at all.
5. Even if you installed a supposedly compromised xz from ports,
there are probably no ill consequences.
Kind regards,
Patrick
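The two facts the thread turns on (which xz release a host carries, and whether its sshd links liblzma at all, points 2 to 4 above) can be checked per host; this is an added example, not code from anyone in the thread. It assumes sshd lives at /usr/sbin/sshd (override with SSHD_PATH) and that xz and ldd are on the PATH; the version and link-map parsing is kept in separate functions so it can be exercised on captured output.

```shell
#!/bin/sh
# Added example: checks the preconditions discussed in the thread.
# Assumed paths/tools: /usr/sbin/sshd (or $SSHD_PATH), xz, ldd.

# Returns 0 if the given xz version string is one of the two releases
# named in the thread as backdoored (5.6.0 and 5.6.1).
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the version number from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if unparsable.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 if the given ldd-style link map mentions liblzma, i.e. the
# sshd-links-liblzma precondition (point 2 in the thread) holds.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Live check on this host; each step is skipped if its tool is missing.
check_host() {
    SSHD_PATH="${SSHD_PATH:-/usr/sbin/sshd}"
    if command -v xz >/dev/null 2>&1; then
        v=$(parse_xz_version "$(xz --version 2>/dev/null | head -n 1)")
        if xz_version_affected "$v"; then
            echo "xz $v is one of the backdoored releases (5.6.0/5.6.1)"
        else
            echo "xz version ${v:-unknown} is not 5.6.0/5.6.1"
        fi
    fi
    if command -v ldd >/dev/null 2>&1 && [ -x "$SSHD_PATH" ]; then
        if links_liblzma "$(ldd "$SSHD_PATH" 2>/dev/null)"; then
            echo "$SSHD_PATH links liblzma: the sshd precondition holds"
        else
            echo "$SSHD_PATH does not link liblzma"
        fi
    fi
}

check_host
```

As DES points out above, a clean result is only a precondition check, since the payload itself has not been fully analyzed.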