-
https://tukaani.org/xz-backdoor/ - Lasse Collin response
-
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
Information for CVE-2024-3094
Red Hat today issued an "urgent security alert" for Fedora 41 and Fedora Rawhide users over XZ. Yes, the XZ tools and libraries for this compression format. Some malicious code was added to XZ 5.6.0/5.6.1 that could allow unauthorized remote system access.
Red Hat cites CVE-2024-3094 for this XZ security vulnerability due to malicious code making it into the codebase. I haven't seen CVE-2024-3094 made public yet but the Red Hat security alert sums it up as: "The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present.
The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely."
-
https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html
-
https://linuxsecurity.com/advisories/debian/debian-dsa-5649-1-xz-utils-security-update-miwy4lbzklq4
-
https://lists.debian.org/debian-security-announce/2024/msg00057.html
-
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
-
https://www.reddit.com/r/linux/comments/1bqt999/backdoor_in_upstream_xzliblzma_leading_to_ssh/
-
https://www.reddit.com/r/sysadmin/comments/1bqu3zx/backdoor_in_upstream_xzliblzma_leading_to_ssh/
-
https://linuxsecurity.com/advisories/debian/debian-dsa-5649-1-xz-utils-security-update-miwy4lbzklq4