Gentoo Forums
backdoor in app-arch/xz-utils
wildhorse (Apprentice)
Joined: 16 Mar 2006
Posts: 150
Location: Estados Unidos De América

Posted: Sat Mar 30, 2024 12:59 pm    Post subject: backdoor in app-arch/xz-utils

A backdoor has been found in app-arch/xz-utils. It was introduced with version 5.6.0. Records indicate that a co-maintainer of the project (upstream) who goes by the name "Jia Tan" introduced the malicious code. There is a slim chance that somebody took over the account of Jia Tan.

Gentoo provides an ebuild file for version 5.6.1. That file has already been masked by Sam James (thanks).
https://bugs.gentoo.org/928134

The backdoor only works on systems with:
  • a processor of the amd64 architecture (AMD, Intel),
  • systemd,
  • sshd running and exposed to the Internet, and
  • a patch from a Linux distribution to couple systemd with sshd.


I am not sure if Gentoo provides the patch.

If all these conditions are fulfilled on one of your systems or you are unsure, then scream :P and downgrade xz-utils to version 5.4.2, verify that all files of newer versions have been removed, and restart systemd and sshd (or reboot your system).

Code:
emerge --sync && emerge -1tv =app-arch/xz-utils-5.4.2 && ls -l /usr/lib64/liblzma.so.5.{4.[3-9]*,[56].*}


A lot of packages do depend on app-arch/xz-utils. Some caution is indicated.

Andres Freund performed an analysis of the backdoor and its injection.
https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de/

Based on that analysis, a simple patch will remove the backdoor from xz-utils 5.6.1:
Code:
--- xz-utils-5.6.1.ebuild       2024-03-24 12:40:49.000000000 +0000
+++ xz-utils-5.6.1-r1.ebuild    2024-03-30 10:03:42.000000000 +0000
@@ -53,6 +53,18 @@
        BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
 fi
 
+src_unpack() {
+       default
+
+       #remove backdoor
+       rm -fv "${S}/m4/build-to-host.m4" || die
+       if [ -e "${S}/tests/files/good-large_compressed.lzma" ] || [ -e "${S}/tests/files/bad-3-corrupt_lzma2.xz" ]; then
+               rm -v "${S}/tests/files/good-large_compressed.lzma" || die
+               rm -v "${S}/tests/files/bad-3-corrupt_lzma2.xz" || die
+               einfo 'Backdoor removed. ;-)'
+       fi
+}
+
 src_prepare() {
        default
 
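Review bot: the guard on the tests/files block is `[ -e A ] || [ -e B ]`, but both files are then removed with `rm -v ... || die`, so if only one of the two exists the second `rm` fails and the build dies; use `rm -fv` on each, or test and remove each file separately. Also, the hunk deletes `m4/build-to-host.m4` from the unpacked sources but shows nothing regenerating the build system: `src_prepare()` still just calls `default`, and a release tarball ships a pre-generated `configure`, so without an `eautoreconf` step the shipped `configure` is used unchanged and the m4 removal alone does not affect what is actually run.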
And you may also need to change SRC_URI.

I provide this patch only for those folks with strong nerves and an interest in all the fine work that went into the current version of xz-utils.

Whether people will trust xz in the future or not is another story. Personally, I trust neither Apple, Google nor Microsoft for that matter.

In the meantime, GitHub disabled the repository of xz-utils on their servers. The xz project itself maintains its own replica of the GitHub repository. The logs may be helpful to those interested in a detailed analysis.
https://tukaani.org/

I have noticed problems with altered contents and checksums of archives (such as tarballs) on GitHub and other repositories like SourceForge in the past. Jonathan Corbet wrote an article about this issue at GitHub a year ago.
https://lwn.net/Articles/921787/

Occasionally Gentoo Portage files are being modified and released again without an increment of the files' release number.
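As an added example (my own helper script, not from the post above or from Gentoo), the conditions and the post-downgrade check described in this post as shell functions: detect the two known backdoored release versions from `xz --version` output, check `ldd` output for sshd pulling in liblzma, and list 5.6-series liblzma files left on disk after the downgrade. Function names, the sample `ldd` lines and the `--check` option are my own.

```shell
#!/bin/sh
# Added example, not from the forum post: checks for the conditions listed
# above. Function names and sample inputs are my own constructions.

# Returns 0 if the version string is one of the two known backdoored releases.
xz_version_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `xz --version` output on stdin and prints the version (e.g. "5.6.1").
xz_version_from_output() {
    sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Reads `ldd /usr/sbin/sshd` output on stdin; prints the liblzma path and
# returns 0 if sshd (typically via libsystemd) pulls in liblzma, else 1.
sshd_links_liblzma() {
    awk '$1 ~ /^liblzma\.so/ { print $3; found = 1 } END { exit !found }'
}

# After downgrading, lists liblzma files of the 5.6 series left under $1
# (default /usr/lib64). Returns 1 if anything is left, 0 if clean.
leftover_liblzma() {
    dir="${1:-/usr/lib64}"
    left=0
    for f in "$dir"/liblzma.so.5.6.*; do
        [ -e "$f" ] || continue
        echo "leftover: $f"
        left=1
    done
    return "$left"
}

# Stand-alone run against the live system: ./xzcheck.sh --check
if [ "${1:-}" = "--check" ]; then
    v=$(xz --version 2>/dev/null | xz_version_from_output)
    xz_version_backdoored "$v" && echo "xz $v is a backdoored release"
    ldd /usr/sbin/sshd 2>/dev/null | sshd_links_liblzma >/dev/null \
        && echo "sshd links liblzma"
    leftover_liblzma /usr/lib64
fi
```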
eeckwrk99 (Apprentice)
Joined: 14 Mar 2021
Posts: 225
Location: Gentoo forums

Posted: Sat Mar 30, 2024 2:10 pm    Post subject:

Already discussed here: The xz package has been backdoored