Void Linux is not affected either: they reverted to the 5.4.X series at the time this was published, and it doesn't use systemd nor patch OpenSSH to use liblzma. https://github.com/void-linux/void-packages/discussions/49614
This analysis has some technical information on how it injects itself, conditionally, into deb and rpm from src tar.
Holy c... that's quite a writeup, and what a rat's nest of an exploit. A long time ago, I used to know some reverse engineering, then I got an eval $zrKcTy to the got.plt.
Wonder what it turns out to have been doing.
The story about this backdoor is really wild if it's true https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
That’s what all of the analysis is pointing to.
Since the analysis is not complete, the other thing people need to remember is that nobody knows if ssh was the only target or just the only one that was noticed. A ton of stuff uses lzma, including web browsers and password safes.
WSL2 2.1.5:
- (system) CBL-Mariner / Azure Linux: xz-libs 5.2.5-1.cm2
- Ubuntu 22.04.4 LTS: xz-utils 5.2.5-2ubuntu1
- Kali (rolling): Same fix as for Debian Testing (update to xz-utils version 5.6.1+really5.4.5-1)
I'm new to Linux. Does this include Linux Mint, since it is based on Debian?
Likely not, since most of these are dev or experimental builds of the latest version.
Check xz --version
If you're not on the two listed above you're fine.
Awesome, thanks. I did (xz --version) to check and it is using an unaffected version.
As far as I can tell running xz directly should be fine, but for the extra paranoid, check the version of the xz-utils package. If it is safe, it will be either less than 5.6.0, or it should be 5.6.1+really5.4.5-1 (xz 5.4.5 with a spoof version number to ensure compromised systems get the update).
Why ssh? Does ssh use xz?
Yes. ssh's RSA encryption uses liblzma.
Not directly, but it's often integrated with systemd which does.
What may not be clear is the connection to SSH. And it’s a trip. Many Linux distros patch sshd to add systemd features, and libsystemd pulls the liblzma library. That means the liblzma initialization code gets run when sshd starts.
https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/
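The version rule from the earlier reply (safe if the xz-utils version is below 5.6.0, or if it is the Debian 5.6.1+really5.4.5-1 revert) and the sshd-to-liblzma link described just above, written out as a small POSIX sh check. This is an added example, not code from the thread, the distros, or the backdoor analyses it links. It assumes the package version string has the Debian form `upstream[-revision]`, that `xz --version` prints `xz (XZ Utils) X.Y.Z` on its first line, and that `ldd` and an `sshd` binary are available for the optional link check; the sample version strings are constructed from the ones quoted in the thread.

```shell
#!/bin/sh
# Classify xz-utils versions against the rule given in the thread:
#   < 5.6.0                  -> unaffected
#   5.6.0 or 5.6.1           -> affected (the backdoored releases)
#   5.6.1+really5.4.5-1      -> unaffected (Debian revert to 5.4.5 behind a higher version number)
#   anything newer than 5.6.1 -> "unlisted": the thread says nothing about it, consult your distro.

# Reduce a package version to the upstream xz version it actually ships.
# "5.6.1+really5.4.5-1" -> "5.4.5", "5.2.5-2ubuntu1" -> "5.2.5", "5.6.0" -> "5.6.0"
upstream_version() {
    v="$1"
    case "$v" in
        *+really*) v="${v#*+really}" ;;   # Debian "+really" means: the real version follows
    esac
    v="${v%%-*}"                          # drop the distro revision suffix
    printf '%s\n' "$v"
}

# Print one of: unaffected | affected | unlisted
xz_version_status() {
    up=$(upstream_version "$1")
    IFS=. read -r maj min pat <<EOF
$up
EOF
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
    # Encode major.minor.patch as a single integer so the shell can compare it.
    num=$(( maj * 1000000 + min * 1000 + pat ))
    if [ "$num" -lt 5006000 ]; then
        echo unaffected
    elif [ "$num" -le 5006001 ]; then
        echo affected
    else
        echo unlisted
    fi
}

# Take the first line of `xz --version` ("xz (XZ Utils) 5.4.5") and classify the last word.
# Note the Debian revert reports 5.4.5 here even though the package is named 5.6.1+really5.4.5-1.
xz_status_from_banner() {
    line=$(printf '%s\n' "$1" | head -n 1)
    xz_version_status "${line##* }"
}

# Optional: does the installed sshd link liblzma at all? (assumed sshd path and ldd availability)
# Exit 0 = liblzma is linked (the libsystemd path the thread describes), 1 = not linked, 2 = cannot tell.
sshd_links_liblzma() {
    bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$bin" ] || { echo "sshd not found, cannot check"; return 2; }
    command -v ldd >/dev/null 2>&1 || { echo "ldd not available, cannot check"; return 2; }
    if ldd "$bin" 2>/dev/null | grep -q liblzma; then
        echo "$bin links liblzma"; return 0
    fi
    echo "$bin does not link liblzma"; return 1
}

# Constructed sample inputs, taken from the versions quoted in the thread.
for sample in 5.2.5-2ubuntu1 5.6.1+really5.4.5-1 5.6.0-0.2 5.6.1-1 5.4.5; do
    printf '%-22s %s\n' "$sample" "$(xz_version_status "$sample")"
done
printf '%-22s %s\n' 'banner 5.4.5' "$(xz_status_from_banner 'xz (XZ Utils) 5.4.5')"
```

Run it on a live machine with `xz_status_from_banner "$(xz --version)"` or, on Debian-style systems, `xz_version_status "$(dpkg-query -W -f='${Version}' xz-utils)"`; the package query is the more reliable of the two because it sees the `+really` marker that the binary's banner hides.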
SSH uses systemd and systemd uses lzma (xz).
FYI: if you run freebsd you are not affected: https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
Took me a while to find out so I thought I’d share.
Thanks, edited this into the post (along with the distros listed by LWN)