- Joined
- Jul 12, 2022
- Messages
- 3,222
Last edited:
Yeah, as of now it appears to be so.Looks like it was a malicious user shoving a PR into the code under the radar of the other developers?
I count a minimum of 750 commits or contributions to xz by Jia Tan, who backdoored it.
This includes all 700 commits made after they merged a pull request in Jan 7 2023, at which point they appear to have already had direct push access, which would have also let them push commits with forged authors.
The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project. [...]
On Thursday, someone using the developer's name took to a developer site for Ubuntu to ask that the backdoored version 5.6.1 be incorporated into production versions because it fixed bugs that caused a tool known as Valgrind to malfunction. “This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass,” the person warned, from an account that was created the same day. One of maintainers for Fedora said Friday that the same developer approached them in recent weeks to ask that Fedora 40, a beta release, incorporate one of the backdoored utility versions. “We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added),” the Ubuntu maintainer said. "He has been part of the xz project for two years, adding all sorts of binary test files, and with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise."
Perfectly understandable.Yeah wow I had read about this elsewhere. Seems like a lot of people are in a panic to know where this is and isn't a problem.
1. The point of this backdoor is - to my knowledge - to get a rogue login via SSH.
2. The mechanism relies on the compromised liblzma being linked with sshd.
3. Which is the case for some Linux distributions because they pull in some extra
functions for better systemd integration which then pulls in liblzma as a dependency.
4. FreeBSD is - to my knowledge - not susceptible to this attack because our sshd
is not linked to the compromised library at all.
5. Even if you installed a supposedly compromised xz from ports, there are probably
no ill consequences.
… FreeBSD is not affected …
The malicious code has been found in the XZ project's source packages beginning with release 5.6.0. TrueNAS Scale 24.04 & TrueNAS Scale 23.10 are both running version 5.4.1
Check script included. And just for the fun of it ...
XZ Backdoor: Times, damned times, and scams
Some timezone observations on the recently discovered backdoor hidden in an xz tarball.rheaeve.substack.com