Compression tool xz appears to contain malware, Linux distros warn


The developers of several Linux distributions warn of a serious vulnerability in the widely used compression tool xz and associated libraries. Versions 5.6.0 and 5.6.1 appear to contain a backdoor that allows an attacker to gain access to systems. Fedora, Debian and SUSE, among others, warn users not to use the latest versions of the distros.

Researchers have discovered a serious vulnerability upstream in xz, a compression tool that ships as standard in many Linux distributions. The release tarballs of version 5.6.0 and the more recent 5.6.1 include an .m4 file with automake build instructions that is not present in the original repository. These instructions are used, among other things, when the liblzma package is built. That package is used by various tools, including SSH, and can therefore be used for a supply chain attack. The bug has been tracked as CVE-2024-3094 since Thursday, but so far only Red Hat has confirmed it.

Red Hat warns of the vulnerability and specifically recommends that Fedora Rawhide users stop using those installations immediately. Fedora 40 installations are said not to be affected by the vulnerability, but Red Hat warns that users should still downgrade to a 5.4 build or lower of xz. For Rawhide, Red Hat is adding an update that does this.

OpenSUSE also warns about the bug. The discoverer of the bug reports that Debian is also vulnerable: Andres Freund noticed the bug when he found that ssh login on Debian was very slow, which appeared to be caused by the extra payload. Debian is now warning about the bug as well, although the stable distros themselves do not appear to be vulnerable.

The vulnerability appears to have been introduced a month ago in xz 5.5.1alpha-0.1 and would work up to 5.6.1-1. The xz package has now been rolled back to upstream version 5.4.5, so the bug does not simply end up on systems that contain xz or xz-utils. Debian, Fedora, SUSE and other Linux users should update the xz or xz-utils package to roll the tool back to the older, non-vulnerable version.
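A quick way to check a host against the advisories above, as an added example that is not from the article, the distributions or the xz project: it reads the liblzma version out of `xz --version`, flags the 5.6.0 and 5.6.1 builds named in the warnings, and reports whether the local sshd binary loads liblzma at all. It assumes `xz`, `ldd` and `sshd` are on PATH where they are installed; the sample `xz --version` output is constructed.

```shell
#!/bin/sh
# Added check, not code from the article or the xz project. Assumes xz, ldd
# and sshd are on PATH where installed; falls back gracefully where not.

# Constructed sample of `xz --version` output (second line is liblzma).
SAMPLE_XZ_OUTPUT="xz (XZ Utils) 5.6.1
liblzma 5.6.1"

# Return 0 (affected) when a version string starts with 5.6.0 or 5.6.1,
# 1 otherwise. Only "major.minor.patch" is compared, so a distro suffix
# such as "5.6.1-1" is handled.
xz_version_affected() {
    v=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the liblzma version from `xz --version` output ("liblzma 5.4.5"),
# or nothing if that line is missing.
parse_liblzma_version() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.a-z-]*\).*/\1/p'
}

# Return 0 if the sshd binary dynamically links liblzma (directly or via
# another library ldd resolves), 1 if not or if sshd/ldd are unavailable.
sshd_links_liblzma() {
    bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$bin" ] && command -v ldd >/dev/null 2>&1 || return 1
    ldd "$bin" 2>/dev/null | grep -q 'liblzma'
}

# Run both checks on this host and print a verdict; always returns 0.
check_host() {
    out=$(xz --version 2>/dev/null) || { echo "xz not installed"; return 0; }
    ver=$(parse_liblzma_version "$out")
    if xz_version_affected "$ver"; then
        echo "liblzma $ver: affected build, downgrade to a 5.4 release"
    else
        echo "liblzma $ver: not one of the affected builds"
    fi
    if sshd_links_liblzma; then
        echo "sshd links liblzma"
    else
        echo "sshd does not link liblzma (or sshd/ldd not available)"
    fi
    return 0
}

check_host
```

The version test only covers the 5.6.0/5.6.1 tarballs the advisories name; distribution packages built from 5.4.x or older are reported as unaffected.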