Xz package contains a vulnerability

nutzer_j · 31 March 2024 14:51

Thank you for the advice!

After entering

pamac search --installed xz

I get

lib32-xz  5.6.1-2                                                       multilib
    Library and command line tools for XZ and LZMA compressed files (32-bit)
xz  5.6.1-2                                                                 core
    Library and command line tools for XZ and LZMA compressed files

which is what I wished for, I guess. Is there any way to find out whether the unpatched version 5.6.1-1 has ever been installed in the first place?

Thanks. It worked.

grep xz /var/log/pacman.log                                      ✔ 
[2024-01-29T09:37:51+0100] [ALPM] installed lib32-xz (5.4.5-1)
[2024-02-23T16:28:20+0100] [ALPM] upgraded xz (5.4.5-1 -> 5.4.6-1)
[2024-02-23T16:28:29+0100] [ALPM] upgraded lib32-xz (5.4.5-1 -> 5.4.6-1)
[2024-03-18T16:17:29+0100] [ALPM] upgraded xz (5.4.6-1 -> 5.6.0-1)
[2024-03-18T16:17:33+0100] [ALPM] upgraded lib32-xz (5.4.6-1 -> 5.6.0-1)
[2024-03-30T08:22:19+0100] [ALPM] upgraded xz (5.6.0-1 -> 5.6.1-2)
[2024-03-30T08:22:19+0100] [ALPM] upgraded lib32-xz (5.6.0-1 -> 5.6.1-2)

What do I make of that? From what I can tell I would say the malicious code had been installed for 12 days. Is that correct?

Mirdarthos · 31 March 2024 14:58

Try:

grep xz /var/log/pacman.log

Nachlese · 31 March 2024 16:06

No.

…stupid cms told me that my answer of “no” did not contain enough letters to answer a very simple question … so: I had to write this sentence …

andreas85 · 31 March 2024 16:43

No, this is not correct

At this point, the general consensus among experts is that arch and manjaro were not affected.

Question without wanting an answer: Is sshd turned on at all on your system ?

oldjaderust · 31 March 2024 17:53

I’ve seen a lot of internet panics in my life and it’s very easy to get caught up in it and act irrationally, and I often feel like a bad person for not worrying or getting as angry as everyone else.
We need cool heads. Being able to sort out the facts from the speculation is important. There’s plenty of both this time around.

cscs · 31 March 2024 19:16

4 posts were split to a new topic: Not possible to connect to all mirrors

servimo · 31 March 2024 19:17

That’s what I thought

Jaypee · 31 March 2024 20:30

GitLab search doesn’t seem to want to give results if a search is done with just two letters.

Yochanan · 31 March 2024 20:47

Ah, maybe I was thinking of that.

majik · 1 April 2024 11:24

just wanted to note that the script was fixed to use the package manager to get the version

Teo · 1 April 2024 13:45

yes that was buggy before, but the important bit is the hex string checking…and based on that manjaro was never affected even in the 5.6.0. version.

majik · 1 April 2024 14:08

agreed … so far

however i would suggest employing a small degree of suspicion since it seems that there is still a lot that isn’t known (other attack vectors, etc.) - as of yesterday it appears analysis of the binary is in its early stages - i’ve been trying to watch the 2 IRC chats dedicated to conversation and reversing the code but there’s so much going on that it’s difficult for me to follow

1efaf7d71a8637c6800a · 1 April 2024 14:40

Teo:

Then i run against a timeshifted 5.6.0 or a downloaded from an unsynced mirror…and it did not find the hex. Hmmm?!?
hexdump -ve '1/1 "%.2x"' /home/teo/Downloads/xz-5.6.0-1-x86_64.pkg/usr/lib/liblzma.so.5.6.0 | grep -q 'f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

Not sure if helpful, this vid says the code was in the version March 26 to March 29

dgdg · 1 April 2024 21:01

For those interested, Ars Technica has a pretty good technical writeup, which is worth a look if you want to know how the backdoor worked.

However, the summary relevant to Arch/Manjaro is that the backdoor was injected at build time via code in the Makefile. The rules of the Makefile only included the backdoor if an rpm or deb package was built on amd64 platforms. As Arch/Manjaro does not build rpm or deb packages, so they are not affected by this specific backdoor. This is in addition to Arch/Manjaro not having the sshd/systemd integration that the backdoor leveraged.

This of course, does not rule out the possibility that there are other backdoors in the code, as it seems the the malicious actors had control for some time. This seems unlikely at present, although can’t be ruled out. If you’re using Arch/Manjaro in an actual security critical context, then uninstalling xz and related packages would be prudent until the code is audited. However, for most people xz should be just fine to use.

MrLavender · 1 April 2024 23:14

Exactly. The binary exploit code itself was never present on Arch or Manjaro at any time, so while analysis of it is certainly very interesting and educational it’s more of a pressing concern for those distros where it was present.

FWIW the exploit allows execution of remote commands via sshd (but only if they are correctly signed with the attackers private key - it’s a very security-conscious backdoor ). There are also a number of kill switches and other tricks in it which are further attempts to evade inspection and detection. For example, it disables itself if the TERM environment variable is set (because the sshd service environment wouldn’t normally have that set, so probably someone is trying to analyze it).

All very clever and interesting but some of the long-term lessons to be learned are much more basic;

There is no good reason these days for release tarballs to contain pre-generated artifacts, script or otherwise, that aren’t in the repository. This practice is a legacy hangover from olden times when installing a complete build environment might be expensive in terms of bandwidth or disk space. But this incident has shown just how easy it is to hide things in pre-generated autoconf scripts and the like, so it’s time to start insisting that release tarballs exactly match the repository code at the time they were created. If not then it would be safer to clone the repository and build from that instead (which Arch package tools can already do).
The famous xkcd #2347 comic just gets more relevant every year. The evidence so far suggests that “Jia Tan” obtained maintainer status on this project by using sockpuppet acounts to put pressure on the original lone maintainer (since 2009), who had started taking long breaks to deal with mental health issues.

Edward78 · 2 April 2024 15:05

BG405 · 2 April 2024 15:47

I’d say it reveals the absolute opposite. If this were closed source like something in e.g. Windows, would it have been caught and dealt with so quickly?

majik · 2 April 2024 16:04

that’s how i’d prefer think about it too, however – and with the understanding that i hate winblows and M$ – the other question might be, would it have happened at all given that there’d probably have been more eyes on the project

Kobold · 2 April 2024 17:17

I was aware what mask and unmask do, but thanks for the explanation

michaldybczak · 2 April 2024 20:37

Yes and no.

The core thing that happened here was a way to exploit a very common open source situation - one maintainer, doing everything for free in spare time in a toxic, demanding environment. This is a highly exploitable situation.

This specific scenario wouldn’t happen in a commercial environment. However, the whole attack was a social engineering attack and those in general can happen and happen everywhere, especially with high-profile government projects. In that regard, open source project is no better or worse.