Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well
- Reply: Eli Devejian : "Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well"
- Reply: Dag-Erling_Smørgrav : "Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well"
- In reply to: Jonathan Vasquez : "Re: xz 5.6.0/5.6.1 backdoored, possibly in src/contrib as well"
Date: Sat, 30 Mar 2024 22:31:00 UTC
Hi all,

On Fri, Mar 29, 2024 at 21:15, <henrichhartzer@tuta.io> wrote:
>
> I recently read through this: https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> It sounds like xz 5.6.0 and 5.6.1 are backdoored. Not sure if FreeBSD is or not, but it looks like 14-stable and main have xz 5.6.0. In my opinion, earlier versions may also be suspect given that this may have been a deliberate backdoor from a maintainer.
>
> I propose that we go back to a "known safe" version. It would probably be unwise to push 14.1 as-is, as well.
>
> [...]

1. The point of this backdoor is - to my knowledge - to get a rogue login via SSH.
2. The mechanism relies on the compromised liblzma being linked with sshd.
3. Which is the case for some Linux distributions, because they pull in some extra functions for better systemd integration, which then pulls in liblzma as a dependency.
4. FreeBSD is - to my knowledge - not susceptible to this attack because our sshd is not linked to the compromised library at all.
5. Even if you installed a supposedly compromised xz from ports, there are probably no ill consequences.

Kind regards,
Patrick
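The two conditions Patrick lists (sshd linked against liblzma, and xz being 5.6.0 or 5.6.1) can both be checked on a host. The script below is an added example written for this archive page, not code from Patrick's mail or from the FreeBSD or xz projects. It assumes `ldd` and `grep` are available; the sshd path defaults to the first `sshd` on PATH, and the sample `ldd` and `xz --version` outputs used to exercise the helpers are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: test whether a binary pulls in liblzma (the condition the
# xz backdoor needs to reach sshd) and whether an xz version is one of the
# two backdoored releases. Not part of the original mail.

# Returns 0 if ldd-style output passed as $1 mentions liblzma, 1 otherwise.
ldd_output_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Extracts the version number from the first line of `xz --version` output
# passed as $1 (e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1").
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\)$/\1/p'
}

# Returns 0 if the version string passed as $1 is 5.6.0 or 5.6.1.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs ldd on an sshd binary ($1, default: first sshd on PATH) and prints
# a verdict. Exit 0: links liblzma; 1: does not; 2: could not check.
check_sshd() {
    bin="${1:-$(command -v sshd 2>/dev/null)}"
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo "sshd not found; nothing to check"
        return 2
    fi
    out=$(ldd "$bin" 2>/dev/null) || { echo "ldd failed on $bin"; return 2; }
    if ldd_output_links_liblzma "$out"; then
        echo "$bin links liblzma: the xz backdoor could reach sshd here"
        return 0
    fi
    echo "$bin does not link liblzma"
    return 1
}

# Checks the installed xz, if any. Exit 0: backdoored release; 1: not.
check_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 1; }
    ver=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
    if xz_version_is_backdoored "$ver"; then
        echo "xz $ver is a backdoored release"
        return 0
    fi
    echo "xz ${ver:-(unknown)} is not 5.6.0/5.6.1"
    return 1
}
```

Run `check_sshd` and `check_xz` as root or any user that can read the binaries; `ldd` only reads the dynamic section, so this does not execute sshd. A FreeBSD base sshd, as Patrick describes, should report no liblzma, while a Debian/Fedora sshd that links libsystemd typically does.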