Opened 5 weeks ago

Last modified 3 weeks ago

#69619 assigned defect

xz @5.6.1 reportedly backdoored

Reported by: jmroot (Joshua Root)
Owned by: ryandesign (Ryan Carsten Schmidt)
Priority: High
Milestone:
Component: ports
Version:
Keywords: security
Cc: larryv (Lawrence Velázquez), woolsweater (Josh Caswell)
Port: xz

Description

See https://www.openwall.com/lists/oss-security/2024/03/29/4

It looks like it only affects certain configurations and I haven't been able to confirm if our binaries are affected, but it seems it would be best to revert to a pre-5.6 version immediately and keep an eye out for more information as it emerges.

Change History (10)

comment:1 Changed 5 weeks ago by jmroot (Joshua Root)

In a1388aee09c9e921e3a9d47cf9d37e5d3f3c10ad/macports-ports (master):

xz: roll back to 5.4.6

See: #69619

comment:2 Changed 5 weeks ago by ryandesign (Ryan Carsten Schmidt)

Thanks, you were quicker than I was!

Added a comment in [0533449245b662c906466e61bcdb958a22ad74c3/macports-ports] to ward off potential re-updates.

comment:3 Changed 5 weeks ago by larryv (Lawrence Velázquez)

Cc: larryv added

comment:4 Changed 5 weeks ago by woolsweater (Josh Caswell)

If possible -- I have no idea what breakages would result -- it seems most prudent to roll even further back. The account responsible for the backdoor has been involved in the xz project for quite some time and has many, many commits. See this discussion on the Debian bug list: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024

comment:5 Changed 5 weeks ago by ryandesign (Ryan Carsten Schmidt)

Cc: woolsweater added

I've just written about this incident on the mailing list:

https://lists.macports.org/pipermail/macports-users/2024-March/052607.html

I am aware that some distributions are considering downgrading even further and am not yet sure what we should do.

comment:6 Changed 5 weeks ago by ryandesign (Ryan Carsten Schmidt)

In b7b8c654fdd91b7eabd241611dfdddc8c5796bc1/macports-ports (master):

dar: Rebuild with xz 5.4.6

See: #69619

comment:7 Changed 5 weeks ago by ryandesign (Ryan Carsten Schmidt)

In 4827024e6ab50d4f392db2a936bdfd1104e2954c/macports-ports (master):

GraphicsMagick: Rebuild with xz 5.4.6

See: #69619

comment:8 Changed 5 weeks ago by woolsweater (Josh Caswell)

Great summary. Thank you both for your prompt action on this! Fingers crossed that Macs turn out to be completely unaffected.

comment:9 Changed 5 weeks ago by ryandesign (Ryan Carsten Schmidt)

The main breakage that would result from downgrading further is that older versions of the library, of course, have older version numbers, so we would need to rebuild (i.e. increase the revision of) every port that links with the library. To do that, we would first have to identify which ports those are. There are 81 ports having xz in their depends_lib. If we don't want to manually check each one to see whether it actually links with the library, revbumping all 81 would be safest. For the 5.6.1->5.4.6 downgrade it was easy since 5.6.1 was only in MacPorts for a couple days and based on the timestamps of the Portfiles that have xz in depends_lib I think I've identified and rebuilt all two of the ports that were modified during that time. Downgrading to earlier than 5.4.x would require rebuilding every port that links with liblzma.
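
The two steps the comment describes, finding every Portfile whose depends_lib names xz and increasing its revision so the port is rebuilt against the downgraded liblzma, can be scripted. The following POSIX shell script is an added example for this ticket, not MacPorts tooling or code from anyone in the thread; the miniature ports tree it builds (port names, versions, revisions and dependency lists) is constructed for the demonstration only. Unlike a plain grep, it joins backslash-continued depends_lib lines before matching, accepts both port:xz and path:...:xz dependency forms, and handles Portfiles that declare no revision line (MacPorts treats those as revision 0).

```shell
#!/bin/sh
# Added example: find ports that depend on xz and bump their revision so they
# rebuild against the downgraded library. Everything below is constructed
# sample data, not the real MacPorts ports tree.

# Print the path of every Portfile under $1 whose depends_lib (or
# depends_lib-append) lists a dependency ending in ":xz", e.g. "port:xz" or
# "path:lib/liblzma.dylib:xz". Backslash-continued lines are joined first,
# because Tcl treats backslash-newline as whitespace.
find_xz_dependents() {
    find "$1" -name Portfile | sort | while IFS= read -r pf; do
        awk '
            /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
            {
                line = buf $0; buf = ""
                if (line ~ /^[ \t]*depends_lib(-append)?[ \t]/) {
                    n = split(line, f, /[ \t]+/)
                    for (i = 1; i <= n; i++) if (f[i] ~ /:xz$/) found = 1
                }
            }
            END { exit found ? 0 : 1 }
        ' "$pf" && printf '%s\n' "$pf"
    done
}

# Print the effective revision of a Portfile; 0 when none is declared.
port_revision() {
    awk '$1 == "revision" { r = $2 } END { print r + 0 }' "$1"
}

# Increment the revision line of a Portfile in place. If the Portfile has no
# revision line, insert "revision 1" directly after the version line.
bump_revision() {
    pf=$1
    if grep -E '^[[:space:]]*revision[[:space:]]+[0-9]+' "$pf" >/dev/null; then
        awk '$1 == "revision" && $2 ~ /^[0-9]+$/ { sub(/[0-9]+[ \t]*$/, $2 + 1) } { print }' \
            "$pf" > "$pf.tmp"
    else
        awk '{ print } $1 == "version" && !done { print "revision            1"; done = 1 }' \
            "$pf" > "$pf.tmp"
    fi
    mv "$pf.tmp" "$pf"
}

# Build a constructed miniature ports tree under $1 (fake Portfiles; the
# versions and dependency lists are placeholders, not real port metadata).
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/archivers/dar" "$dir/graphics/GraphicsMagick" "$dir/devel/unrelated"
    cat > "$dir/archivers/dar/Portfile" <<'EOF'
PortSystem          1.0
name                dar
version             1.0
revision            1
depends_lib         port:xz \
                    port:zlib
EOF
    cat > "$dir/graphics/GraphicsMagick/Portfile" <<'EOF'
PortSystem          1.0
name                GraphicsMagick
version             2.0
depends_lib-append  path:lib/liblzma.dylib:xz port:libpng
EOF
    cat > "$dir/devel/unrelated/Portfile" <<'EOF'
PortSystem          1.0
name                unrelated
version             3.0
revision            2
depends_lib         port:zlib port:zstd
EOF
}

# Stand-alone run: build the sample tree, list the xz dependents, bump each.
demo() {
    tree=$(mktemp -d)
    make_sample_tree "$tree"
    find_xz_dependents "$tree" | while IFS= read -r pf; do
        before=$(port_revision "$pf")
        bump_revision "$pf"
        printf '%s: revision %s -> %s\n' "${pf#"$tree/"}" "$before" "$(port_revision "$pf")"
    done
    rm -rf "$tree"
}

demo
```

Point find_xz_dependents at a real ports tree checkout to get the candidate list; the script only finds declared dependencies, so checking which of those ports actually link liblzma (for example with otool -L on the installed binaries) is still a separate step, as the comment notes.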

comment:10 Changed 3 weeks ago by aeiouaeiouaeiouaeiouaeiouaeiou

https://research.swtch.com/xz-script

Version 5.6.1 contains a malicious script that runs on Linux machines via a uname check, so macOS systems are definitely not affected.