wildhorse Apprentice
Joined: 16 Mar 2006 Posts: 150 Location: Estados Unidos De América
Posted: Sat Mar 30, 2024 12:59 pm Post subject: backdoor in app-arch/xz-utils |
A backdoor has been found in app-arch/xz-utils. It was introduced with version 5.6.0. Records indicate that a co-maintainer of the project (upstream) who goes by the name "Jia Tan" introduced the malicious code. There is a slim chance that somebody took over the account of Jia Tan.
Gentoo provides an ebuild file for version 5.6.1. That file has already been masked by Sam James (thanks).
https://bugs.gentoo.org/928134
The backdoor only works on systems with:
- a processor of the amd64 architecture (AMD, Intel),
- systemd,
- sshd running and exposed to the Internet, and
- a patch from a Linux distribution to couple systemd with sshd.
I am not sure if Gentoo provides the patch.
If all these conditions are fulfilled on one of your systems or you are unsure, then scream and downgrade xz-utils to version 5.4.2, verify that all files of newer versions have been removed, and restart systemd and sshd (or reboot your system).
Code:
emerge --sync && emerge -1tv =app-arch/xz-utils-5.4.2 && ls -l /usr/lib64/liblzma.so.5.{4.[3-9]*,[56].*}
A lot of packages do depend on app-arch/xz-utils. Some caution is indicated.
Andres Freund performed an analysis of the backdoor and its injection.
https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de/
Based on that analysis, a simple patch will remove the backdoor from xz-utils 5.6.1:
Code:
--- xz-utils-5.6.1.ebuild 2024-03-24 12:40:49.000000000 +0000
+++ xz-utils-5.6.1-r1.ebuild 2024-03-30 10:03:42.000000000 +0000
@@ -53,6 +53,18 @@
BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-jiatan )"
fi
+src_unpack() {
+ default
+
+ #remove backdoor
+ rm -fv "${S}/m4/build-to-host.m4" || die
+ if [ -e "${S}/tests/files/good-large_compressed.lzma" ] || [ -e "${S}/tests/files/bad-3-corrupt_lzma2.xz" ]; then
+ rm -v "${S}/tests/files/good-large_compressed.lzma" || die
+ rm -v "${S}/tests/files/bad-3-corrupt_lzma2.xz" || die
+ einfo 'Backdoor removed. ;-)'
+ fi
+}
+
src_prepare() {
default
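Review bot: the guarded block contradicts its own condition: the `if` fires when either test file exists (`[ -e ... ] || [ -e ... ]`), but both `rm -v ... || die` calls inside it are unconditional, so a tarball carrying only one of the two files makes the second rm fail and die aborts the build. Use `rm -fv` for both (as already done for m4/build-to-host.m4, where the `|| die` after `rm -f` can never trigger) or test each file separately. The bigger gap is that deleting m4/build-to-host.m4 only helps if the build system is regenerated: the pre-generated `configure` in the release tarball was produced from the modified m4 and carries the same injection, and the src_prepare context shown here runs only `default`, so either add eautoreconf (with the autotools in BDEPEND) or the shipped configure is used unchanged. Minor points: source edits belong in src_prepare rather than src_unpack, Gentoo ebuilds use `[[ ... ]]` rather than `[ ... ]`, and `einfo 'Backdoor removed. ;-)'` overstates what removing the two test files alone achieves.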
You may also need to change SRC_URI.
I provide this patch only for those folks with strong nerves and an interest in all the fine work that went into the current version of xz-utils.
Whether people will trust xz in the future or not is another story. Personally, I trust neither Apple, Google nor Microsoft for that matter.
In the meantime, GitHub disabled the repository of xz-utils on its servers. The xz project itself maintains its own replica of the GitHub repository. The logs may be helpful to those interested in a detailed analysis.
https://tukaani.org/
I have noticed problems with altered contents and checksums of archives (such as tarballs) on GitHub and other repositories like SourceForge in the past. Jonathan Corbet wrote an article about this issue at GitHub a year ago.
https://lwn.net/Articles/921787/
Occasionally, Gentoo Portage files are modified and released again without an increment of the files' release number.
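The checks from the post above (the four preconditions, the affected xz-utils versions, and the "ls" for leftover liblzma files after the downgrade to 5.4.2) written out as POSIX shell functions. This is an added example and is not code from the original post, from Gentoo or from the xz project. It assumes the Gentoo paths /usr/lib64 and /usr/sbin/sshd, treats 5.6.0 and 5.6.1 (plus Gentoo -rN revisions) as the affected releases, tests for the systemd/sshd coupling by reading sshd's DT_NEEDED entries with readelf from binutils rather than with ldd (ldd would load the suspect liblzma into a process), and uses /run/systemd/system as the marker that systemd is the running init.

```shell
#!/bin/sh
# Added example; not code from the original post, Gentoo or the xz project.
# Assumed paths: /usr/lib64 for liblzma, /usr/sbin/sshd for the daemon.

# Exit 0 for the two releases that shipped the backdoor, 5.6.0 and 5.6.1,
# including Gentoo revisions such as 5.6.1-r1; exit 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.0-r*|5.6.1|5.6.1-r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every liblzma.so.5.* file in the given directory (default /usr/lib64)
# that belongs to a release newer than 5.4.2: 5.4.3+, 5.5.x or 5.6.x. These
# are the same globs as the "ls" in the post; after the downgrade and the
# removal of stale files this must print nothing.
leftover_liblzma_files() {
    dir=${1:-/usr/lib64}
    for f in "$dir"/liblzma.so.5.4.[3-9]* "$dir"/liblzma.so.5.[56].*; do
        # an unmatched glob stays literal, so test for existence
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Exit 0 if the sshd binary has a DT_NEEDED entry for libsystemd, i.e. the
# distribution patch that couples sshd to systemd (and, through libsystemd,
# to liblzma) is present. Exit 1 if not, exit 2 if sshd or readelf is missing.
# readelf only parses the ELF headers; it does not load any library.
sshd_links_libsystemd() {
    sshd=${1:-/usr/sbin/sshd}
    [ -x "$sshd" ] || return 2
    command -v readelf >/dev/null 2>&1 || return 2
    readelf -d "$sshd" 2>/dev/null | grep -q 'NEEDED.*libsystemd'
}

# Report the preconditions from the post for this host.
host_preconditions() {
    arch=$(uname -m)
    if [ "$arch" = x86_64 ]; then echo "amd64: yes"; else echo "amd64: no ($arch)"; fi
    # /run/systemd/system exists only when systemd is the running init
    if [ -d /run/systemd/system ]; then echo "systemd: yes"; else echo "systemd: no"; fi
    if pgrep -x sshd >/dev/null 2>&1; then echo "sshd running: yes"; else echo "sshd running: no"; fi
    if sshd_links_libsystemd; then
        echo "sshd linked to libsystemd: yes"
    else
        echo "sshd linked to libsystemd: no (or could not check)"
    fi
    echo "leftover liblzma files newer than 5.4.2:"
    leftover_liblzma_files
}
```

Run `host_preconditions` before deciding, and `leftover_liblzma_files` again after the downgrade. Note that an empty result is the good outcome, which is the opposite of what the bare `ls` in the post signals: with no matching file the shell passes the globs through literally and ls exits non-zero, so the `&&` chain ends in an error precisely when the system is clean.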