Test ID: 1.3.6.1.4.1.25623.1.0.114472
Category: Malware
Title: Tukaani Project XZ Utils Backdoor (Feb/Mar 2024)
Summary: The XZ Utils of the Tukaani Project have been backdoored by an unknown threat actor in February and March 2024.
Description:
Summary:
The XZ Utils of the Tukaani Project have been backdoored by an
unknown threat actor in February and March 2024.

Vulnerability Insight:
Malicious code was discovered in the upstream tarballs of xz,
starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process
extracts a prebuilt object file from a disguised test file existing in the source code, which is
then used to modify specific functions in the liblzma code. This results in a modified liblzma
library that can be used by any software linked against this library, intercepting and modifying
the data interaction with this library.

Please see the references for more (technical) details / analysis.

Affected Software/OS:
As of 04/2024 the following Linux distributions are known to
have shipped packages including the backdoor from the 5.6.0 and 5.6.1 tarball releases for a short
amount of time:

- Debian testing/trixie and unstable/sid

- Kali Linux (only kali-rolling, between March 26th and March 29th)

- openSUSE Tumbleweed and openSUSE MicroOS (between March 07th and March 28th)

- Fedora 40 beta, Fedora 41 pre-release and Fedora Rawhide (current development version)

- Alpine Linux Edge (active development)

Note: Arch Linux and Gentoo had also shipped the known backdoored package but are not assumed to
be prone to the known attack vector.

Solution:
Affected Linux distributions have rolled back the published
packages to an older state. Please run an update via the package manager in use.
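
A first-pass triage check for the two upstream releases named above, as an added example that is not part of the original test or of any distribution's tooling. The function names and every sample string are constructed for illustration; the `+really` handling assumes the Debian-style naming in which a rolled-back package keeps a higher version number while carrying older code.

```shell
#!/bin/sh
# Added example: classify a version string against the backdoored upstream
# releases named in this entry (5.6.0 and 5.6.1). All sample strings below
# are constructed for illustration.

# Reduce a package or CLI version string to its upstream x.y.z part.
upstream_version() {
    v=$1
    # The first line of `xz --version` reads "xz (XZ Utils) <version>";
    # keep only the last word.
    case "$v" in "xz (XZ Utils) "*) v=${v##* } ;; esac
    # Strip a package epoch such as "1:".
    case "$v" in [0-9]*:*) v=${v#*:} ;; esac
    # A "<new>+really<old>" package carries the code of <old>; this naming
    # is used for rollbacks, so only the part after "+really" matters.
    case "$v" in *+really*) v=${v#*+really} ;; esac
    # Keep the leading digits-and-dots run, dropping any package revision.
    printf '%s\n' "$v" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p'
}

# Print "affected", "not-affected" or "unknown" for one version string.
xz_backdoor_status() {
    up=$(upstream_version "$1")
    case "$up" in
        5.6.0|5.6.1) echo affected ;;
        '')          echo unknown ;;
        *)           echo not-affected ;;
    esac
}

# Constructed samples: CLI output, plain package versions, an epoch,
# a rolled-back package, an older release, a look-alike, and junk.
for s in "xz (XZ Utils) 5.6.1" "5.6.0-0.2" "1:5.6.1-1" \
         "5.6.1+really5.4.5-1" "5.4.5-0.3" "5.6.10-1" "garbage"; do
    printf '%-24s %s\n' "$s" "$(xz_backdoor_status "$s")"
done
```

Feed it the first line of `xz --version` or the version field from the package manager's query output. A version match is triage only: as noted above, Arch Linux and Gentoo shipped the package without being assumed prone to the known attack vector.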

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2024-3094
RHBZ#2272210
https://bugzilla.redhat.com/show_bug.cgi?id=2272210
https://access.redhat.com/security/cve/CVE-2024-3094
https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
https://bugs.gentoo.org/928134
https://bugzilla.suse.com/show_bug.cgi?id=1222124
https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
https://github.com/advisories/GHSA-rxwq-x6h5-x525
https://github.com/amlweems/xzbot
https://github.com/karcherm/xz-malware
https://gynvael.coldwind.pl/?lang=en&id=782
https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
https://lwn.net/Articles/967180/
https://news.ycombinator.com/item?id=39865810
https://news.ycombinator.com/item?id=39877267
https://news.ycombinator.com/item?id=39895344
https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
https://research.swtch.com/xz-script
https://research.swtch.com/xz-timeline
https://security-tracker.debian.org/tracker/CVE-2024-3094
https://security.alpinelinux.org/vuln/CVE-2024-3094
https://security.archlinux.org/CVE-2024-3094
https://security.netapp.com/advisory/ntap-20240402-0001/
https://tukaani.org/xz-backdoor/
https://twitter.com/LetsDefendIO/status/1774804387417751958
https://twitter.com/debian/status/1774219194638409898
https://twitter.com/infosecb/status/1774595540233167206
https://twitter.com/infosecb/status/1774597228864139400
https://ubuntu.com/security/CVE-2024-3094
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
https://www.kali.org/blog/about-the-xz-backdoor/
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
https://xeiaso.net/notes/2024/xz-vuln/
http://www.openwall.com/lists/oss-security/2024/03/29/10
http://www.openwall.com/lists/oss-security/2024/03/29/12
http://www.openwall.com/lists/oss-security/2024/03/29/5
http://www.openwall.com/lists/oss-security/2024/03/29/8
http://www.openwall.com/lists/oss-security/2024/03/29/4
http://www.openwall.com/lists/oss-security/2024/03/30/12
http://www.openwall.com/lists/oss-security/2024/03/30/27
http://www.openwall.com/lists/oss-security/2024/03/30/5
http://www.openwall.com/lists/oss-security/2024/03/30/36
http://www.openwall.com/lists/oss-security/2024/04/16/5
Copyright: Copyright (C) 2024 Greenbone AG