Malware in xz

ron.alan

Member
Joined
Dec 24, 2023
Messages
90
Reaction score
75
Credits
658


Since this affects more than just Debian and its derivatives, can this thread be moved to a more appropriate section of the forum?

I was going to contact somebody on the forum staff concerning this, a moderator or a member of the admin, but didn't see a way how. Is there a way on this forum to send messages to admin/moderators?
 
Red hat Dev's have announced the discovery of backdoor threats to commonly used compression utils.
So according to this link, a non-systemd OS would not be affected by this malware?

Specifically, the nefarious code baked into the code is designed to interfere with the sshd daemon process for SSH (Secure Shell) via the systemd software suite,
 
Is there a way on this forum to send messages to admin/moderators?
Click the little "envelope" icon beside your username in the upper right corner to start private conversations with anyone.

Or you can simply get their attention right here in this thread by pinging their username with the @ character, like @KGIII, @wizardfromoz, and @JasKinasis. They will now be notified since I mentioned them.

Yet another way is at the bottom of each page with the Contact Us link.

Still another way (not for all use cases) is the Report link in the lower left corner of every post. This gets everyone's attention too, but it's usually more for reporting bad language or other bad behaviors.
 
Is XZ preinstalled with Debian or you have to install it manually?
 
I run it:

Code:
xz (XZ Utils) 5.2.5
liblzma 5.2.5
Is it the bad one?
 
You're (presumably) good. The compromised ones are versions 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1.
 
If he was near I would abduct and torture that developer

For the sake of the community
 
So a developer of XZ for Debian has put malware in it. From what I understand it only affects those who are using testing or the unstable branch. Look to see if you are using versions 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1. I'm on version 5.4.1, so I'm good.

Links about this:

https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://forums.linuxmint.com/viewtopic.php?t=416756
You have slightly misinterpreted the story. The Debian developer discovered that the upstream sources had been backdoored.

The upstream sources are what the Debian devs use to build the packages for Debian.
So the problem came from upstream - the original developers of xz.

So in other words, somebody who works on the original xz library inserted some malicious code.

One of the eagle eyed Debian devs/package maintainers noticed the problem.

So the malware wasn’t inserted by a Debian developer. It was one of the xz project developers. Perhaps xz has been infiltrated by a ne’er do well.

Maybe the xz devs don’t have enough people reviewing the changes?!

Edit: from reading a few more articles, it seems that the malicious code was inserted by one of the two main devs of xz. Someone who has worked on xz for a long time. Which is really out of character.

I’m assuming they didn’t actually make those changes themselves. I’d guess that a malicious 3rd party has managed to get their login credentials or something and made the commits, whilst masquerading as the developer.
 
Last edited:
Yet another way is at the bottom of each page with the Contact Us link.

I would not use that if you are in a hurry. The Boss can take some time to respond.

Suggest use
Or you can simply get their attention right here in this thread by pinging their username with the @ character, like @KGIII, @wizardfromoz, and @JasKinasis. They will now be notified since I mentioned them.

... instead.

Wiz
 

Members online


Top