The xz-utils backdoor has been removed

56 points | EveryPizza | 2 years ago | github.com

21 comments

rgovostes | 2 years ago
This commit message is gold: https://github.com/tukaani-project/xz/commit/e93e13c8b3bec92...

    While the backdoor was inactive (and thus harmless) without inserting
    a small trigger code into the build system when the source package was
    created, it's good to remove this anyway:

      - The executable payloads were embedded as binary blobs in
        the test files. This was a blatant violation of the
        Debian Free Software Guidelines.

  - On machines that see lots of bots poking at the SSH port, the backdoor
    noticeably increased CPU load, resulting in degraded user experience
    and thus overwhelmingly negative user feedback.

      - The maintainer who added the backdoor has disappeared.

      - Backdoors are bad for security.
nextaccountic | 2 years ago
I would really really really like to see all commits by Jia Tan reverted, not only those currently found to be malicious.

Debian and NixOS (and other distros) are already downgrading, or discussing downgrading, to versions without those commits.

I think that making a 5.4 or 5.6 release without any of those commits (with stuff reimplemented as needed) would assuage most concerns.

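A quick exposure check for the situation discussed above (downgrading, and the commit message's note about load on the SSH port), written as an added example for this thread: it is not the xz project's code and was not posted by any of the commenters. It assumes, from the public CVE-2024-3094 disclosure rather than from anything in the thread, that the backdoored releases are xz 5.6.0 and 5.6.1 and that the payload only reached sshd on builds where sshd links libsystemd and therefore liblzma. The helper names and the sample `xz --version` / `ldd` text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the xz project.
# Assumptions (from the public disclosure, not from the thread):
#   - the backdoored releases are xz 5.6.0 and 5.6.1
#   - sshd was reachable by the payload only where it links liblzma
#     (typically via libsystemd)
# The installed liblzma is what matters; the xz CLI version normally
# matches it, but confirm with the package manager on a split install.

# Return 0 (true) if the version string is one of the two backdoored releases.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of `xz --version` text passed as $1,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Takes the text as an argument
# so it can be exercised offline with constructed input.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the ldd output passed as $1 lists a liblzma dependency.
ldd_shows_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Live check against the running host: combines the helpers above.
# Exit 0 = backdoored xz present, 1 = not affected, 2 = could not tell.
check_host() {
    ver="$(parse_xz_version "$(xz --version 2>/dev/null)")"
    if [ -z "$ver" ]; then
        echo "xz not found; liblzma may still be installed, check the package manager"
        return 2
    fi
    if ! is_affected_version "$ver"; then
        echo "xz $ver is not a backdoored release"
        return 1
    fi
    sshd_path="$(command -v sshd 2>/dev/null)"
    if [ -n "$sshd_path" ] && ldd_shows_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "xz $ver installed and sshd links liblzma: treat the host as compromised"
        return 0
    fi
    echo "xz $ver installed but sshd does not link liblzma: downgrade anyway"
    return 0
}
```

Run `check_host` on a host to get a verdict; the version and ldd helpers are separate so the logic can be checked with captured output from a machine you cannot log in to.
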
red_admiral | 2 years ago
This has to go on the list of "best understatements ever", along with that famous captain's announcement when an ash cloud knocked out all four engines.
TacticalCoder | 2 years ago
> This commit message is gold

It's really sad to see commit messages like this, downplaying the issue. It's also concerning to see libsystemd get a free pass.

usr1106 | 2 years ago
Violation of the Debian Free Software guidelines? Is that a problem?

The owner of GitHub became a money-making machine using a business model violating the same guidelines.

TillE | 2 years ago
I'm relieved that the GitHub repo has finally been restored. I was just about to make a commit to fix our liblzma dependency, which would have required a vcpkg overlay to use a different upstream repo.
throwiforgtnlzy | 2 years ago
Maybe we need an international NGO/co-op to provide essential services for small, essential FOSS projects such as security comms, security audits, build infrastructure, testing, best practices, background investigations, and so forth.

The "one guy's little piece of code holding up the world" is a SPOF and much easier to attack than if they had some help and automation.