Re: Heads up: Backdoor in upstream xz tarball, stable version of IPFire likely unaffected, testing version somewhat affected

[Matthias Fischer <matthias.fischer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2858 bytes --]

Hi,

Jm2c:

I'm working on an update (httpd 2.5.59) and just saw that the "backdoor
versions" of 'xz 5.6.0/5.6.1' are still available on ipfire.org
(/pub/sources/source-2.x).

Would it not be advisable to delete these versions so that no mischief
can be done with them?

Just m2c...

Best
Matthias

On 29.03.2024 22:53, Peter Müller wrote:
> Hello *,
> 
> a quick heads-up on reports on the oss-security mailing list that indicate the upstream
> tarball of xz containing a backdoor since version 5.6.0, with the target objective appearing
> to constitute in backdooring SSH: https://openwall.com/lists/oss-security/2024/03/29/4
> 
> Please note that this is a developing situation, so take the assessments below with a
> pinch of salt.
> 
> - The latest stable version of IPFire, IPFire 2.29 - Core Update 184, is NOT affected by
>   the backdoor discussed in the oss-security post linked above. This is because it includes
>   xz 5.4.6 (as mentioned in https://www.ipfire.org/blog/ipfire-2-29-core-update-184-released).
>   Further, since IPFire does NOT patch OpenSSH in order to include lzma compression (which
>   is a requirement for the unveiled backdoor to work), my understanding at this time is that
>   OpenSSH on stable IPFire installations is not affected.
> 
>   This is further corroborated by the backdoor known so far only becoming active under
>   certain build environment conditions that are not met by IPFire 2.x's build environment.
> 
>   However, it currently appears as if the xz developer has actively worked towards including
>   a backdoor, rather than their account having been compromised. Therefore, it may be that
>   there are other backdoors in the xz upstream tarball, and that they have been included in
>   earlier versions.
> 
> - Forthcoming Core Update 185 includes two patches that update xz to 5.6.0 and 5.6.1,
>   respectively. These versions are known to include the aforementioned OpenSSH backdoor.
>   The IPFire development team will discuss reversion of xz to a version not known to be
>   affected thus far in the next few days. Currently, both Debian and Fedora opted to
>   revert back to version 5.4.5, rather than 5.4.6 (which is what IPFire currently ships
>   in stable Core Update 184, but is not known to include any malicious code, which only
>   commenced in version 5.6.0).
> 
>   Again, since no custom patching of OpenSSH is in place, the unveiled SSH backdoor would
>   not have been functional on IPFire installations.
> 
> IPFire is currently unaware of the unveiled backdoor impacting any other service that is
> usually directly exposed on IPFire installations to the internet, such as OpenVPN or IPsec.
> 
> For reference, CVE-2024-3094 has been assigned by Red Hat for this issue.
> 
> Thanks, and best regards,
> Peter Müller