Author Topic: Security Alert: Potential SSH Backdoor Via Liblzma  (Read 794 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Security Alert: Potential SSH Backdoor Via Liblzma
« on: March 30, 2024, 01:37:49 PM »
Are we affected too ?

https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

What is xz?

xz is a general purpose data compression format present in nearly every Linux distribution, both community projects and commercial product distributions. Essentially, it helps compress (and then decompress) large file formats into smaller, more manageable sizes for sharing via file transfers.

In breaking news that dropped just after our weekly security column went live, a backdoor has been discovered in the xz package,
that could potentially compromise SSH logins on Linux systems. The most detailed analysis so far seems to be by [Andres Freund] on the oss-security list.

The xz release tarballs from 5.6.0 in late February and 5.6.1 on March 9th both contain malicious code. A pair of compressed files in the repository contain the majority of the malicious patch, disguised as test files. In practice, this means that looking at the repository doesn’t reveal anything amiss, but downloading the release tarballs gives you the compromised code.

This was discovered because SSH logins on a Debian sid were taking longer, with more CPU cycles than expected. And interestingly, Valgrind was throwing unexpected errors when running on the liblzma library. That last bit was first discovered on February 24th, immediately after the 5.6.0 release. The xz-utils package failed its tests on Gentoo builds.

Offline
*****
Re: Security Alert: Potential SSH Backdoor Via Liblzma
« Reply #1 on: March 30, 2024, 09:59:07 PM »
I read about that:
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
No, the only EL distro affected was an unstable Fedora 40, far upstream and beta to our EL8 server OSes.

Offline
*****
There have been other threads on this subject.

I know with AlmaLinux 8.x this SSH security problem has been fixed awhile ago.