Are we affected too ?
https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-usersWhat is xz?
xz is a general purpose data compression format present in nearly every Linux distribution, both community projects and commercial product distributions. Essentially, it helps compress (and then decompress) large file formats into smaller, more manageable sizes for sharing via file transfers.
In breaking news that dropped just after our weekly security column went live, a backdoor has been discovered in the xz package,
that could potentially compromise SSH logins on Linux systems. The most detailed analysis so far seems to be by [Andres Freund] on the oss-security list.
The xz release tarballs from 5.6.0 in late February and 5.6.1 on March 9th both contain malicious code. A pair of compressed files in the repository contain the majority of the malicious patch, disguised as test files. In practice, this means that looking at the repository doesn’t reveal anything amiss, but downloading the release tarballs gives you the compromised code.
This was discovered because SSH logins on a Debian sid were taking longer, with more CPU cycles than expected. And interestingly, Valgrind was throwing unexpected errors when running on the liblzma library. That last bit was first discovered on February 24th, immediately after the 5.6.0 release. The xz-utils package failed its tests on Gentoo builds.
Topic: Security Alert: Potential SSH Backdoor Via Liblzma (Read 394 times)
