
Thread: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

  1. #1

    xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    There are whispers in UF about this as well, but for Arch and Arch-based:
    07:26:58 - System update
    2024-03-29 The xz package has been backdoored
    TL;DR: Upgrade your systems and container images now!

    As many of you may have already read (one), the upstream release tarballs for xz in version 5.6.0 and
    5.6.1 contain malicious code which adds a backdoor.

    This vulnerability is tracked in the Arch Linux security tracker (two).

    The xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1) contain this backdoor.

    The following release artifacts contain the compromised xz:


    installation medium 2024.03.01
    virtual machine images 20240301.218094 and 20240315.221711
    container images created between and including 2024-02-24 and 2024-03-28

    The affected release artifacts have been removed from our mirrors.

    We strongly advise against using affected release artifacts and instead downloading what is currently
    available as latest version!

    Upgrading the system
    It is strongly advised to do a full system upgrade right away if your system currently has xz version
    5.6.0-1 or 5.6.1-1 installed:

    pacman -Syu

    Upgrading container images
    To figure out if you are using an affected container image, use either

    podman image history archlinux/archlinux

    or

    docker image history archlinux/archlinux

    depending on whether you use podman or docker.

    Any Arch Linux container image older than 2024-03-29 and younger than 2024-02-24 is affected.

    Run either

    podman image pull archlinux/archlinux

    or

    docker image pull archlinux/archlinux

    to upgrade affected container images to the most recent version.

    Afterwards make sure to rebuild any container images based on the affected versions and also inspect any
    running containers!

    Regarding sshd authentication bypass/code execution
    From the upstream report (one):


    openssh does not directly use liblzma. However debian and several other
    distributions patch openssh to support systemd notification, and libsystemd
    does depend on lzma.


    Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can
    confirm this by issuing the following command:

    ldd "$(command -v sshd)"

    However, out of an abundance of caution, we advise users to remove the malicious code from their system by
    upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could
    exist.

    Good time to update and upgrade right about now.
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  2. #2

    Re: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    But the malicious code was found in xz-utils source 5.6.1, right? That is what I see.

    Ubuntu Noble is not on that source. They are still on 5.4.5.

    Debian SID is though. Maybe I should file a bug at Launchpad on xz-utils just to prevent them from upgrading to that source... making them aware of the vulnerability... But since that package is not on that source yet, I think it will be closed (immediately) as being "invalid".

    "Concurrent coexistence of Windows, Linux and UNIX..." || Ubuntu user # 33563, Linux user # 533637
    Sticky: Graphics Resolution | UbuntuForums 'system-info' Script | Posting Guidelines | Code Tags

  3. #3

    Re: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    Thanks 1fallen for posting this.

    Unfortunately my Arch Linux server VM picked up the compromised xz 5.6.0 during a big migration. Although this is a local testing server only accessible by the VM host (Xubuntu 22.04, known not to be affected), and in my understanding the known sshd backdoor does not activate on Arch Linux, I am still going to restore from an earlier backup, just to be safe.

    My latest pre-migration backup is from early February, with xz 5.4.6-1. I could restore from that, but it seems some are questioning all xz versions above 5.2.5, and I don't have the expertise to sort out what to make of that as an end-user. I actually do have a backup of this VM going as far back as when it was on xz version 5.2.5-3, but it would be difficult to reconstruct what was done in the years since then and redo it all.

    Is it safe to use an Arch Linux server that got xz updates up to 5.4.6-1?
    If so, is it safe to leave xz 5.4.6-1 on that system (as opposed to trying to downgrade xz to 5.2.5)?
    Xubuntu 22.04, ArchLinux ♦ System76 hardware, virt-manager/KVM, VirtualBox
    If your questions are resolved to your satisfaction, please use Thread Tools > "Mark this thread as solved..."

  4. #4

    Re: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    Quote Originally Posted by halogen2 View Post

    Is it safe to use an Arch Linux server that got xz updates up to 5.4.6-1?
    If so, is it safe to leave xz 5.4.6-1 on that system (as opposed to trying to downgrade xz to 5.2.5)?
    I'm certainly not a credible know-all on the subject at hand, but I feel safe enough.
    Code:
    pgrep -f 'sshd.*listener' | sudo xargs lsof -p | grep -F lzma.so
    [sudo] password for me: 
    xargs: lsof: No such file or directory
    Code:
    ldd --version && xz --version
    ldd (GNU libc) 2.39
    Copyright (C) 2024 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    Written by Roland McGrath and Ulrich Drepper.
    xz (XZ Utils) 5.6.1
    liblzma 5.6.1
    Arch just does it differently, but again the smoke has not settled just yet; maybe more to come.

    If you search or look in the General Support forum here in UF, you will find some interesting reads. https://ubuntuforums.org/showthread....9#post14184319

    I've spent many hours, just for my own semi peace of mind, running security audits, and nothing jumps out for this particular malware.
    But again, that does not mean it's not there; myself, I feel secure enough.

    EDIT: More info:
    Arch Linux

    “The following release artifacts contain the compromised xz:

    installation medium 2024.03.01
    virtual machine images 20240301.218094 and 20240315.221711
    container images created between and including 2024-02-24 and 2024-03-28

    The affected release artifacts have been removed from our mirrors. We strongly advise against using affected release artifacts and instead downloading what is currently available as latest version! It is strongly advised to do a full system upgrade right away if your system currently has xz version 5.6.0-1 or 5.6.1-1 installed.”
    Source: https://linuxiac.com/the-upstream-xz...en-backdoored/
    Code:
    Name            : xz
    Version         : 5.6.1-3
    Last edited by 1fallen; April 3rd, 2024 at 12:10 AM. Reason: add more info to keep updated.
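An added triage script for the checks discussed in this thread. It is not code from the Arch advisory quoted in post #1 or from the commands tried in post #4; it automates what both describe: whether the installed xz is one of the backdoored builds, whether sshd links liblzma (the advisory's `ldd` check), and whether a running sshd actually has liblzma mapped, which is what the `lsof` pipeline in post #4 was trying to establish and is done here through /proc/PID/maps so it works where lsof is not installed. The two ldd listings embedded in it are constructed for the demonstration, and the version handling assumes the Arch packaging stated in the advisory (5.6.0-1 and 5.6.1-1 affected; 5.6.1-2 and later rebuilt without the backdoor).

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from the Arch advisory or the forum posters.
# Triage helpers for the xz 5.6.0/5.6.1 backdoor: package version, sshd linkage, sshd runtime maps.
# Assumes bash or a POSIX sh with 'local', coreutils, grep and awk; pacman, xz, ldd and pgrep
# are only used when present on the host.

# Arch package versions (pkgver-pkgrel) that ship the backdoor, per the advisory quoted above.
# 5.6.1-2 and later were rebuilt by Arch without it, so the pkgrel matters.
AFFECTED_ARCH_PKGS="5.6.0-1 5.6.1-1"
# Upstream release tarball versions that carry the backdoor.
AFFECTED_UPSTREAM="5.6.0 5.6.1"

# xz_version_affected VERSION -> exit 0 if VERSION is a backdoored build, 1 otherwise.
# Accepts "pkgver-pkgrel" (from 'pacman -Q xz') or a bare upstream version (from 'xz --version').
xz_version_affected() {
    local ver="$1" v
    case "$ver" in
        *-*)
            # Distro build string: only the two listed Arch builds are affected.
            for v in $AFFECTED_ARCH_PKGS; do
                [ "$ver" = "$v" ] && return 0
            done
            ;;
        *)
            # Bare upstream version: a clean rebuild (e.g. Arch 5.6.1-3) still reports
            # "liblzma 5.6.1", so this string cannot prove a host is clean. Treat it as
            # affected and confirm with the package manager.
            for v in $AFFECTED_UPSTREAM; do
                [ "$ver" = "$v" ] && return 0
            done
            ;;
    esac
    return 1
}

# installed_xz_version -> prints the installed xz version, preferring the package manager's
# pkgver-pkgrel (authoritative on Arch) over the upstream string from 'xz --version'.
installed_xz_version() {
    if command -v pacman >/dev/null 2>&1; then
        pacman -Q xz 2>/dev/null | awk '{print $2}'
    elif command -v xz >/dev/null 2>&1; then
        xz --version | awk '/^liblzma/ {print $2}'
    fi
}

# links_liblzma LDD_OUTPUT -> exit 0 if the ldd listing (passed as a string) includes liblzma.
# ldd prints the whole transitive closure, so a libsystemd -> liblzma dependency shows up too.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# sshd_has_liblzma_mapped -> exit 0 if any running sshd has liblzma mapped into its address
# space. Reads /proc/PID/maps, so it needs root for a root-owned sshd; this replaces the lsof
# pipeline on hosts where lsof is not installed.
sshd_has_liblzma_mapped() {
    local pid
    for pid in $(pgrep -x sshd 2>/dev/null); do
        grep -qF 'liblzma' "/proc/$pid/maps" 2>/dev/null && return 0
    done
    return 1
}

# Constructed sample ldd listings (not captured from real hosts) for the demonstration.
# First: an sshd without the systemd-notification patch, as on Arch.
SAMPLE_LDD_NO_SYSTEMD='    linux-vdso.so.1 (0x00007ffc1a5d7000)
    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f2b3c000000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00007f2b3c5e0000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f2b3be00000)'
# Second: an sshd patched to link libsystemd, which drags liblzma in transitively.
SAMPLE_LDD_SYSTEMD_PATCHED='    linux-vdso.so.1 (0x00007ffc1a5d7000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2b3c400000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2b3c3c0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b3be00000)'

# triage_host -> prints a verdict for this machine; run as root for the /proc check.
triage_host() {
    local ver
    ver="$(installed_xz_version || true)"
    if [ -z "$ver" ]; then
        echo "xz: not installed"
    elif xz_version_affected "$ver"; then
        echo "xz $ver: backdoored build, upgrade now (pacman -Syu on Arch)"
    else
        echo "xz $ver: not a known backdoored build"
    fi
    if command -v sshd >/dev/null 2>&1; then
        if links_liblzma "$(ldd "$(command -v sshd)" 2>/dev/null || true)"; then
            echo "sshd links liblzma (directly or via libsystemd): the sshd attack vector applies"
        else
            echo "sshd does not link liblzma"
        fi
        if sshd_has_liblzma_mapped; then
            echo "a running sshd has liblzma mapped: restart sshd after upgrading"
        fi
    fi
}

# Run the host check only when invoked with --run, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    triage_host
fi
```

Run it as `sudo bash xz_triage.sh --run`. The reason it queries `pacman -Q xz` before `xz --version` is visible in post #4 above: a rebuilt Arch package (5.6.1-3) still reports `liblzma 5.6.1`, so the upstream version string alone cannot separate a clean rebuild from the compromised 5.6.1-1. Note also that `ldd` invokes the dynamic loader on the target binary, which is fine for a system sshd but is not something to run against an untrusted file.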

  5. #5

    Re: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    Quote Originally Posted by 1fallen View Post
    Nice find, thank you 1fallen. Their summary of various distros' responses was helpful and led to an answer: following from there, the distros that resolved this by reverting to an older xz version seem to have almost all chosen 5.4.6. So it should be safe to use that version.

  6. #6

    Re: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    Meanwhile - in ubuntu:
    Xz/liblzma security update (post #2)
    https://discourse.ubuntu.com/t/xz-li...e-post-2/43801

    If ya ain't been developing/proposing ya safe
    THE current(cy) in Documentation:
    https://help.ubuntu.com/community/PopularPages

    Happy ubuntu'n !

  7. #7

    Re: xz 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

    Quote Originally Posted by Bashing-om View Post
    Meanwhile - in ubuntu:
    Xz/liblzma security update (post #2)
    https://discourse.ubuntu.com/t/xz-li...e-post-2/43801

    If ya ain't been developing/proposing ya safe
    Yep, I was in that fold... silly me. Like anyone knew this would happen. LOL
