-
Reinhilde
-
danmcd
Hello folks!
-
danmcd
I'm wearing my security@ hat right now. This is now public:
-
danmcd
-
danmcd
It's a very targeted supply-chain attack on the xz/liblzma package. The good news is that it only affects 5.6.0 & 5.6.1, and that it's designed specifically (it seems) to attack sshd that systemd launches, because, via systemd, it links in (the corrupted) liblzma.
-
danmcd
OI ships 5.6.1 AIUI, but from what we can tell it won't affect things.
-
danmcd
Still, there is a bad player in the xz space, and it pays to be cautious.
-
danmcd
I know OmniOS has 5.6.1 in bloody and under-test 151050. Unsure of other non-SmartOS distros; SmartOS's platform ships 5.2.1.
-
danmcd
This vulnerability could affect LX zones for those who use them, as well as any modern Linux that ships xz 5.6.[01].
-
danmcd
I think that's all I can say w/o further guesses or speculation. (That line about "a bad player" is as guess-y/speculatory as I'll get.)
-
otis
FreeBSD ships 5.6.0, too.
-
otis
freebsd
-
danmcd
A FreeBSD security officer has said they are not vulnerable, for similar reasons why illumos distros are most likely not vulnerable. (The attack code is very Linux-targeted, trying to suck things out of sshd that gets linked with liblzma.)
-
danmcd
Please don't panic folks, but do, as you always should IMHO, be cautious.
-
nomad
thanks danmcd
-
alanc
As noted in the oss-security post, the bit of the build script that links in the extra ELF file with the sshd code checks first to make sure the system is AMD64 (since that's what the ELF object file is compiled for), and that it's Linux & using GNU ld, so non-Linux systems won't have this extra bit of code linked in.
-
alanc
But the same GitHub account that introduced this also made several hundred other commits to xz over the past year or two, and no one has had time to scrutinize all of those yet to see if there were any other changes to be concerned about.
-
» nomad is once again happy to not be on the bleeding edge (or anywhere near it).
-
danmcd
Yep... would be interesting to get an audit of what xz revs this GitHub account has touched.
-
sommerfeld
Looks like OI updated to 5.6.0 on 2024-02-28 and 5.6.1 on 2024-03-11
-
danmcd
Yep. Sorry I couldn't say anything earlier.
-
duncan
It strikes me as premature to say illumos/FreeBSD are not affected. The GitHub account which apparently made the malicious commits has been a contributor to the project for ~2 years.
-
duncan
The backdoor as-discovered apparently only affected Debian/RHEL, but, there is a lot which we don't know, which we should be mindful of.