Yes, I'm on Arch, and xz did get affected. They let the 5.6.0 and 5.6.1 slip with this issue. It was quickly fixed though. So xz-5.6.0 is affected, xz-5.6.1-1 is affected, xz-5.6.1-2 is fixed. Check if you're concerned and if so, just update your system.
[2024-03-29T08:10:22+0100] [ALPM] upgraded xz (5.6.1-1 -> 5.6.1-2)
And a hint: compare the update time with when Phoronix announced the bug.
Thing is, this kind of event may trigger the requirement to share one's identity in full for contributing to any open-source software, at some point. Which is something I'm not sure I like either.
Why would verifying one's identity help at all?
If you want to, and don't figure it out yourself until then, I will tell the details in a few days. (1) It's not a secret, but I don't want to make somebody not follow the recommendation or argue with it based on what I wrote. This would be very unfortunate.
It's like almost every Linux distro has been using xz without even knowing exactly what it did
If only we gave control to some large company, they would provide us with security. Not some filthy amateurs not able to maintain their own projects.
So, I don't know how to tackle this other than by strict review processes, which are very time-consuming.
A good reminder that the human in the security chain is always the weakest link. And that when you collaborate with someone on a widely-used project, make sure you know the actual human, including real-world traceability and contact when this kind of crap occurs. A single e-mail address and connections via VPN is definitely not that.
... True, but this case is also an example that open source as a concept, developing software through large-scale collaboration, works because of the many eyes looking at the software ...
I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.
After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:
The upstream xz repository and the xz tarballs have been backdoored.
This story does not pass a BS sniff test. Do you "state actor" theory proponents really think a state actor would leave such stupidly obvious indicators behind?
I think another key take away is that any discussion that becomes emotional can become a security hijack by design.
Things like: "Please hurry up, we need this fixed" or "doing things XYZ like you did is absolutely stupid" or "this project deserves more"
Ironically this would make some other key figures in OSS a major security hazard as well.
When it comes to review processes... the use of binary blobs appears to be another puzzle piece: I've seen elsewhere people saying that blobs should never appear in [open source] code. But I disagree... for compression libraries, it's necessary to test malformed streams. You could generate or manipulate malformed streams, but such tests can quickly escalate into integration tests instead. It can become a real mess to manage...
...systemd esse delendam.
Another similar point is the entire security scheme used to implement interactive websites (including this one) under Apache or Nginx. The idea of running scripts under the same user account that owns the scripts or the directories they lie in is exactly opposite to everything we know about multi-user security from the last fifty years or more.
$ printf 'sshd in arch does not use liblzma. 5.6.1-2 is bit-to-bit identical to 5.6.1-1 except two dozen non-code bytes.\n\n' | sha256sum
c8e7d38a7257c23d1b035f8012c265d87ab12479ddbde60761f1e4c221851271 -
$ find . -name 'xz-*.pkg.tar.zst' -exec pacman-key --verify {}.sig {} \;
==> Checking ./xz-5.6.1-2-x86_64.pkg.tar.zst.sig... (detached)
gpg: Signature made Thu 28 Mar 2024 22:08:25 CET
gpg: using EDDSA key 05C7775A9E8B977407FE08E69D4C5AA15426DA0A
gpg: Note: trustdb not writable
gpg: Good signature from "Frederik Schwan <frederik.schwan@linux.com>" [unknown]
gpg: aka "Frederik Schwan <frederik@schwan.it>" [unknown]
gpg: aka "Frederik Schwan <frederik@tty42.de>" [unknown]
gpg: aka "Frederik Schwan <freswa@archlinux.org>" [full]
gpg: aka "Frederik Schwan <frederik@schw4n.de>" [unknown]
gpg: aka "Frederik Schwan <frederik.schwan@mailbox.org>" [unknown]
==> Checking ./xz-5.6.1-1-x86_64.pkg.tar.zst.sig... (detached)
gpg: Signature made Sat 09 Mar 2024 21:00:37 CET
gpg: using EDDSA key 0429897DE5F3BDAC537A30696D42BDD116E0068F
gpg: Note: trustdb not writable
gpg: Good signature from "Christian Hesse <eworm@archlinux.org>" [full]
==> Checking ./xz-5.6.1-3-x86_64.pkg.tar.zst.sig... (detached)
gpg: Signature made Mon 01 Apr 2024 22:41:01 CEST
gpg: using EDDSA key 0429897DE5F3BDAC537A30696D42BDD116E0068F
gpg: Note: trustdb not writable
gpg: Good signature from "Christian Hesse <eworm@archlinux.org>" [full]
$ sha256sum xz-*.pkg.tar.zst
63b219db0b2f0b6215cc4e4ca64f3fa59b914e7b15bde17c36bf2b21e459c13e xz-5.6.1-1-x86_64.pkg.tar.zst
17e95679c62d901fc7fe27879ec241d3566603a4eaa6a7a38ccc0e6c28ef60a6 xz-5.6.1-2-x86_64.pkg.tar.zst
609db91285658f0ba12fa472407f0b583fceb6741654fcf0cf0e26312dc46cd0 xz-5.6.1-3-x86_64.pkg.tar.zst
$ for n in 1 2 3; do tar -xOf xz-5.6.1-$n-x86_64.pkg.tar.zst usr/lib/liblzma.so.5.6.1 >liblzma.so.5.6.1-"$n"; done
$ sha256sum liblzma.so.5.6.1-*
e47d67ec12cb43715d5ce42ded202f4acea6a1d0172edf58523a3e6d444a5c45 liblzma.so.5.6.1-1
c1a58591631a5bdeff4bd9ac1eae16b6ae392f9c96f17aedae3664448c290f0b liblzma.so.5.6.1-2
c1a58591631a5bdeff4bd9ac1eae16b6ae392f9c96f17aedae3664448c290f0b liblzma.so.5.6.1-3
$ diff <(xxd liblzma.so.5.6.1-1) <(xxd liblzma.so.5.6.1-2)
48,49c48,49
< 000002f0: 0300 0000 474e 5500 71f9 a255 f686 4e44 ....GNU.q..U..ND
< 00000300: c325 3a10 dc37 9c25 c8bf b302 0000 0000 .%:..7.%........
---
> 000002f0: 0300 0000 474e 5500 69df 3c77 1c62 8668 ....GNU.i.<w.b.h
> 00000300: 86ef f245 d5b1 5834 540d f808 0000 0000 ...E..X4T.......
12804c12804
< 00032030: 2e36 2e31 2e64 6562 7567 0000 82fd 6f66 .6.1.debug....of
---
> 00032030: 2e36 2e31 2e64 6562 7567 0000 4ad1 cc28 .6.1.debug..J..(
$ objdump -h liblzma.so.5.6.1-{1,2}
liblzma.so.5.6.1-1: file format elf64-x86-64
Sections:
Idx Name Size VMA LMA File off Algn
0 .note.gnu.property 00000040 00000000000002a8 00000000000002a8 000002a8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .note.gnu.build-id 00000024 00000000000002e8 00000000000002e8 000002e8 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .gnu.hash 00000624 0000000000000310 0000000000000310 00000310 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .dynsym 00000ea0 0000000000000938 0000000000000938 00000938 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .dynstr 00000bc4 00000000000017d8 00000000000017d8 000017d8 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .gnu.version 00000138 000000000000239c 000000000000239c 0000239c 2**1
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .gnu.version_d 000000ec 00000000000024d8 00000000000024d8 000024d8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .gnu.version_r 000000b0 00000000000025c8 00000000000025c8 000025c8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .rela.dyn 00000870 0000000000002678 0000000000002678 00002678 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
9 .relr.dyn 00000030 0000000000002ee8 0000000000002ee8 00002ee8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
10 .init 0000001b 0000000000003000 0000000000003000 00003000 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
11 .text 00021049 0000000000003020 0000000000003020 00003020 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
12 .fini 0000000d 000000000002406c 000000000002406c 0002406c 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
13 .rodata 00006c28 0000000000025000 0000000000025000 00025000 2**5
CONTENTS, ALLOC, LOAD, READONLY, DATA
14 .eh_frame_hdr 00000a34 000000000002bc28 000000000002bc28 0002bc28 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
15 .eh_frame 00004540 000000000002c660 000000000002c660 0002c660 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
16 .init_array 00000008 00000000000313f0 00000000000313f0 000313f0 2**3
CONTENTS, ALLOC, LOAD, DATA
17 .fini_array 00000008 00000000000313f8 00000000000313f8 000313f8 2**3
CONTENTS, ALLOC, LOAD, DATA
18 .data.rel.ro 00000718 0000000000031400 0000000000031400 00031400 2**5
CONTENTS, ALLOC, LOAD, DATA
19 .dynamic 00000200 0000000000031b18 0000000000031b18 00031b18 2**3
CONTENTS, ALLOC, LOAD, DATA
20 .got 000002e8 0000000000031d18 0000000000031d18 00031d18 2**3
CONTENTS, ALLOC, LOAD, DATA
21 .data 00000008 0000000000032000 0000000000032000 00032000 2**3
CONTENTS, ALLOC, LOAD, DATA
22 .bss 00000008 0000000000032008 0000000000032008 00032008 2**0
ALLOC
23 .comment 0000001b 0000000000000000 0000000000000000 00032008 2**0
CONTENTS, READONLY
24 .gnu_debuglink 0000001c 0000000000000000 0000000000000000 00032024 2**2
CONTENTS, READONLY
liblzma.so.5.6.1-2: file format elf64-x86-64
Sections:
Idx Name Size VMA LMA File off Algn
0 .note.gnu.property 00000040 00000000000002a8 00000000000002a8 000002a8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .note.gnu.build-id 00000024 00000000000002e8 00000000000002e8 000002e8 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .gnu.hash 00000624 0000000000000310 0000000000000310 00000310 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .dynsym 00000ea0 0000000000000938 0000000000000938 00000938 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .dynstr 00000bc4 00000000000017d8 00000000000017d8 000017d8 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .gnu.version 00000138 000000000000239c 000000000000239c 0000239c 2**1
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .gnu.version_d 000000ec 00000000000024d8 00000000000024d8 000024d8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .gnu.version_r 000000b0 00000000000025c8 00000000000025c8 000025c8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .rela.dyn 00000870 0000000000002678 0000000000002678 00002678 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
9 .relr.dyn 00000030 0000000000002ee8 0000000000002ee8 00002ee8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
10 .init 0000001b 0000000000003000 0000000000003000 00003000 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
11 .text 00021049 0000000000003020 0000000000003020 00003020 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
12 .fini 0000000d 000000000002406c 000000000002406c 0002406c 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
13 .rodata 00006c28 0000000000025000 0000000000025000 00025000 2**5
CONTENTS, ALLOC, LOAD, READONLY, DATA
14 .eh_frame_hdr 00000a34 000000000002bc28 000000000002bc28 0002bc28 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
15 .eh_frame 00004540 000000000002c660 000000000002c660 0002c660 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
16 .init_array 00000008 00000000000313f0 00000000000313f0 000313f0 2**3
CONTENTS, ALLOC, LOAD, DATA
17 .fini_array 00000008 00000000000313f8 00000000000313f8 000313f8 2**3
CONTENTS, ALLOC, LOAD, DATA
18 .data.rel.ro 00000718 0000000000031400 0000000000031400 00031400 2**5
CONTENTS, ALLOC, LOAD, DATA
19 .dynamic 00000200 0000000000031b18 0000000000031b18 00031b18 2**3
CONTENTS, ALLOC, LOAD, DATA
20 .got 000002e8 0000000000031d18 0000000000031d18 00031d18 2**3
CONTENTS, ALLOC, LOAD, DATA
21 .data 00000008 0000000000032000 0000000000032000 00032000 2**3
CONTENTS, ALLOC, LOAD, DATA
22 .bss 00000008 0000000000032008 0000000000032008 00032008 2**0
ALLOC
23 .comment 0000001b 0000000000000000 0000000000000000 00032008 2**0
CONTENTS, READONLY
24 .gnu_debuglink 0000001c 0000000000000000 0000000000000000 00032024 2**2
CONTENTS, READONLY
# Neither of the sections with differences contain executable code, but
# just to make it clear it would be garbage: disassembled contents of each.
$ objdump -Sj .note.gnu.build-id liblzma.so.5.6.1-{1,2}
liblzma.so.5.6.1-1: file format elf64-x86-64
Disassembly of section .note.gnu.build-id:
00000000000002e8 <.note.gnu.build-id>:
2e8: 04 00 add $0x0,%al
2ea: 00 00 add %al,(%rax)
2ec: 14 00 adc $0x0,%al
2ee: 00 00 add %al,(%rax)
2f0: 03 00 add (%rax),%eax
2f2: 00 00 add %al,(%rax)
2f4: 47 rex.RXB
2f5: 4e 55 rex.WRX push %rbp
2f7: 00 71 f9 add %dh,-0x7(%rcx)
2fa: a2 55 f6 86 4e 44 c3 movabs %al,0x3a25c3444e86f655
301: 25 3a
303: 10 dc adc %bl,%ah
305: 37 (bad)
306: 9c pushf
307: 25 c8 bf b3 02 and $0x2b3bfc8,%eax
liblzma.so.5.6.1-2: file format elf64-x86-64
Disassembly of section .note.gnu.build-id:
00000000000002e8 <.note.gnu.build-id>:
2e8: 04 00 add $0x0,%al
2ea: 00 00 add %al,(%rax)
2ec: 14 00 adc $0x0,%al
2ee: 00 00 add %al,(%rax)
2f0: 03 00 add (%rax),%eax
2f2: 00 00 add %al,(%rax)
2f4: 47 rex.RXB
2f5: 4e 55 rex.WRX push %rbp
2f7: 00 69 df add %ch,-0x21(%rcx)
2fa: 3c 77 cmp $0x77,%al
2fc: 1c 62 sbb $0x62,%al
2fe: 86 68 86 xchg %ch,-0x7a(%rax)
301: ef out %eax,(%dx)
302: f2 45 repnz rex.RB
304: d5 b1 58 34 54 addps (%r28,%r18,2),%xmm6
309: 0d .byte 0xd
30a: f8 clc
30b: 08 .byte 0x8
$ objdump -Sj .gnu_debuglink liblzma.so.5.6.1-{1,2}
liblzma.so.5.6.1-1: file format elf64-x86-64
Disassembly of section .gnu_debuglink:
0000000000000000 <.gnu_debuglink>:
0: 6c insb (%dx),%es:(%rdi)
1: 69 62 6c 7a 6d 61 2e imul $0x2e616d7a,0x6c(%rdx),%esp
8: 73 6f jae 79 <XZ_5.0@@XZ_5.0+0x79>
a: 2e 35 2e 36 2e 31 cs xor $0x312e362e,%eax
10: 2e 64 65 62 75 67 00 (bad)
17: 00
18: 82 (bad)
19: fd std
1a: 6f outsl %ds:(%rsi),(%dx)
1b: 66 data16
liblzma.so.5.6.1-2: file format elf64-x86-64
Disassembly of section .gnu_debuglink:
0000000000000000 <.gnu_debuglink>:
0: 6c insb (%dx),%es:(%rdi)
1: 69 62 6c 7a 6d 61 2e imul $0x2e616d7a,0x6c(%rdx),%esp
8: 73 6f jae 79 <XZ_5.0@@XZ_5.0+0x79>
a: 2e 35 2e 36 2e 31 cs xor $0x312e362e,%eax
10: 2e 64 65 62 75 67 00 (bad)
17: 00
18: 4a d1 cc rex.WX ror $1,%rsp
1b: 28 .byte 0x28
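The session above establishes by hand, with diff, xxd and objdump, that the two liblzma builds differ only in the build-id note and the CRC stored in .gnu_debuglink. The script below automates that check: it parses the ELF64 section headers, reports every section whose bytes differ, and decodes the two build-metadata sections so the reviewer sees what changed rather than raw hex. This is an added example, not code from the thread; the ELF images it runs on are constructed in-script (build_elf64 is a minimal, constructed ELF writer) from the section bytes shown in the hexdumps above, with a placeholder .text section.

```python
import struct
def elf64_sections(data: bytes) -> dict:
    """Map section name -> raw file bytes for a little-endian ELF64 image (what objdump -h lists)."""
    assert data[:4] == b"\x7fELF" and data[4] == 2 and data[5] == 1, "not a little-endian ELF64 file"
    shoff = struct.unpack_from("<Q", data, 40)[0]                        # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 58)    # e_shentsize, e_shnum, e_shstrndx
    hdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    strtab, out = data[hdrs[shstrndx][4]:hdrs[shstrndx][4] + hdrs[shstrndx][5]], {}
    for sh_name, sh_type, _flags, _addr, off, size, *_ in hdrs[1:]:     # index 0 is the null header
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode()
        out[name] = b"" if sh_type == 8 else data[off:off + size]       # SHT_NOBITS (.bss) has no file bytes
    return out
def parse_build_id_note(sec: bytes) -> str:
    """Decode .note.gnu.build-id: an ELF note with owner "GNU" and type 3 (NT_GNU_BUILD_ID)."""
    namesz, descsz, ntype = struct.unpack_from("<III", sec, 0)
    assert sec[12:12 + namesz] == b"GNU\0" and ntype == 3, "not a GNU build-id note"
    return sec[12 + ((namesz + 3) & ~3):][:descsz].hex()                 # owner name is padded to 4 bytes
def parse_debuglink(sec: bytes) -> tuple:
    """Decode .gnu_debuglink: NUL-terminated debug file name, padded to 4 bytes, then its CRC32."""
    end = sec.index(b"\0")
    return sec[:end].decode(), struct.unpack_from("<I", sec, (end + 4) & ~3)[0]
def explain_diff(a: bytes, b: bytes) -> dict:
    """Name every section whose bytes differ; decode the two build-metadata sections, flag anything else."""
    sa, sb, report = elf64_sections(a), elf64_sections(b), {}
    for name in sorted(n for n in sa.keys() | sb.keys() if sa.get(n) != sb.get(n)):
        if name == ".note.gnu.build-id":
            report[name] = f"build-id {parse_build_id_note(sa[name])} -> {parse_build_id_note(sb[name])}"
        elif name == ".gnu_debuglink":
            report[name] = f"debug-file CRC32 {parse_debuglink(sa[name])[1]:08x} -> {parse_debuglink(sb[name])[1]:08x}"
        else:
            report[name] = "content differs (needs manual review)"
    return report
def build_elf64(sections: dict) -> bytes:
    """Constructed sample input: a minimal ELF64 image holding just the given sections (no segments)."""
    names = list(sections) + [".shstrtab"]
    shstr = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    payload, body, shdrs, off, noff = dict(sections, **{".shstrtab": shstr}), b"", b"\0" * 64, 64, 1
    for n in names:
        shdrs += struct.pack("<IIQQQQIIQQ", noff, 1, 0, 0, off, len(payload[n]), 0, 0, 1, 0)
        body, off, noff = body + payload[n], off + len(payload[n]), noff + len(n) + 1
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, off, 0, 64, 0, 0, 64, len(names) + 1, len(names))
    return ehdr + body + shdrs

# Section bytes transcribed from the hexdumps above (Arch xz 5.6.1-1 vs 5.6.1-2); .text is a constructed placeholder.
TEXT = bytes.fromhex("554889e5c3")
BUILD_ID_1 = bytes.fromhex("04000000 14000000 03000000 474e5500 71f9a255 f6864e44 c3253a10 dc379c25 c8bfb302")
BUILD_ID_2 = bytes.fromhex("04000000 14000000 03000000 474e5500 69df3c77 1c628668 86eff245 d5b15834 540df808")
DEBUGLINK_1, DEBUGLINK_2 = (b"liblzma.so.5.6.1.debug\0\0" + bytes.fromhex(c) for c in ("82fd6f66", "4ad1cc28"))
LIB_1 = build_elf64({".note.gnu.build-id": BUILD_ID_1, ".text": TEXT, ".gnu_debuglink": DEBUGLINK_1})
LIB_2 = build_elf64({".note.gnu.build-id": BUILD_ID_2, ".text": TEXT, ".gnu_debuglink": DEBUGLINK_2})
```

On real files, read the two extracted liblzma.so.5.6.1-N images with open(..., "rb").read() and pass them to explain_diff; any section other than the two decoded ones showing up in the report is the signal to look further.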