Kevin BeaumontMar 29, 2024

HT to @wdormann here - somebody has backdoored the open source project XZ which has downstream impacts.

For example, although OpenSSH doesn’t use XZ, Debian patch OpenSSH and introduced a dependency which translates as the XZ changes introducing a sshd authentication bypass backdoor it appears.

One dude bothered to investigate in his free time about why ssh was running slow, so it was caught fairly early - i.e. hopefully before distros started bundling it.

https://www.openwall.com/lists/oss-security/2024/03/29/4

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

Show threadKevin BeaumontMar 29, 2024
Worryingly it looks like the backdoor comes via one of the two main devs and dates back over a month from their GitHub account, with legit commits too - XZ is used in systemd so this one might play out for a while.
Show threadKevin BeaumontMar 29, 2024
I suspect distros probably want to roll XZ back to around January 2024, stop bundling updates until the developer is removed in GitHub or a logical explanation can be given, and somebody needs to fund a code review of it.
Show threadKevin BeaumontMar 29, 2024

Here we go: https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/

As I said, the impact here will be very limited due to how quick it was caught. Everybody owes the finder a beer.

Red Hat warns of backdoor in XZ tools used by most Linux distros

Today, Red Hat warned users to immediately stop using systems running Fedora development and experimental versions because of a backdoor found in the latest XZ Utils data compression tools and libraries.

BleepingComputer
Show threadKevin BeaumontMar 29, 2024
Postgres developer @AndresFreundTec saving Linux security from backdoors as a side of desk activity
Show threadKevin BeaumontMar 29, 2024
CISA advisory: Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
Show threadKevin BeaumontMar 29, 2024
The person/account on XZ repo also altered the security disclosure policy on that and other repos they author in months prior.
Show threadKevin BeaumontMar 29, 2024
Interesting find by @fuomag9 - the XZ repo person tried getting Ubuntu to update yesterday by filing a bug report https://bugs.launchpad.net/bugs/2059417
Bug #2059417 “Sync xz-utils 5.6.1-1 (main) from Debian unstable ...” : Bugs : xz-utils package : Ubuntu

NOTE: THIS IS AN ATTEMPT AT INCLUDING A BACKDOOR. THIS IS LEFT FOR HISTORICAL PURPOSES ONLY AND MUST NOT BE DONE. Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main) Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1 was recently released and uploaded to Debian as a bugfix only release. Notably, this fixes a bug that causes Valgrind to issue a warning on any application dynamically linked with liblzma. This includes a lot of important applications. This cou...

Launchpad
Show threadfuomag9
@GossiTheDog

This may be even worse... #xz #supplychain #cybersec

learn.microsoft.com/en-US/cpp/overview/whats-new-cpp-docs?view=msvc-170#community-contributors
What's new for the Microsoft C++ docs

A list of new articles and doc updates for the Microsoft C/C++ compiler, ATL/MFC, C runtime, and standard library docs.

Mar 29, 2024 at 11:08pmWeb
Show threadFL | エフルMar 29, 2024

@fuomag9 @GossiTheDog no, it's actually harmless

The PR he made can be found here: https://github.com/MicrosoftDocs/cpp-docs/pull/4716/files
No code change, just documentation

Update C Runtime Library Compatibility page. by JiaT75 · Pull Request #4716 · MicrosoftDocs/cpp-docs

Fixes #4715

GitHub