From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Heads up: Backdoor in upstream xz tarball, stable version of IPFire likely unaffected, testing version somewhat affected
Date: Sat, 30 Mar 2024 12:37:41 +0000

Hello,

> On 29 Mar 2024, at 21:53, Peter Müller wrote:
>
> Hello *,
>
> a quick heads-up on reports on the oss-security mailing list that indicate the upstream
> tarball of xz containing a backdoor since version 5.6.0, with the target objective appearing
> to constitute in backdooring SSH: https://openwall.com/lists/oss-security/2024/03/29/4
>
> Please note that this is a developing situation, so take the assessments below with a
> pinch of salt.
>
> - The latest stable version of IPFire, IPFire 2.29 - Core Update 184, is NOT affected by
> the backdoor discussed in the oss-security post linked above. This is because it includes
> xz 5.4.6 (as mentioned in https://www.ipfire.org/blog/ipfire-2-29-core-update-184-released).
> Further, since IPFire does NOT patch OpenSSH in order to include lzma compression (which
> is a requirement for the unveiled backdoor to work), my understanding at this time is that
> OpenSSH on stable IPFire installations is not affected.

I agree with this assessment.

I believe that IPFire does not meet a number of criteria that are required for this backdoor to be usable:

* The build is checking whether a Debian/RPM package is being built and only then injects the backdoor code. This should not be the case on IPFire and therefore I believe that we don't even include the malicious code paths.

* OpenSSH is not directly linked against liblzma and we do not have anything else (e.g. that pulls it in). So the library is not loaded into sshd at runtime, so even if liblzma was affected on IPFire, we should not have a compromised SSH service.

> This is further corroborated by the backdoor known so far only becoming active under
> certain build environment conditions that are not met by IPFire 2.x's build environment.
>
> However, it currently appears as if the xz developer has actively worked towards including
> a backdoor, rather than their account having been compromised. Therefore, it may be that
> there are other backdoors in the xz upstream tarball, and that they have been included in
> earlier versions.
>
> - Forthcoming Core Update 185 includes two patches that update xz to 5.6.0 and 5.6.1,
> respectively. These versions are known to include the aforementioned OpenSSH backdoor.
> The IPFire development team will discuss reversion of xz to a version not known to be
> affected thus far in the next few days. Currently, both Debian and Fedora opted to
> revert back to version 5.4.5, rather than 5.4.6 (which is what IPFire currently ships
> in stable Core Update 184, but is not known to include any malicious code, which only
> commenced in version 5.6.0).

Adolf has been really quick in providing a patch to downgrade back to 5.4.5. As far as I can see this is what Debian is doing and believing that they have some more information about everything I would like to follow their decisions. I have currently no reason to believe that 5.4.6 is compromised.

The patch has been merged and I have included everything that is linked against XZ in the updater as a precaution.

> Again, since no custom patching of OpenSSH is in place, the unveiled SSH backdoor would
> not have been functional on IPFire installations.
>
> IPFire is currently unaware of the unveiled backdoor impacting any other service that is
> usually directly exposed on IPFire installations to the internet, such as OpenVPN or IPsec.
>
> For reference, CVE-2024-3094 has been assigned by Red Hat for this issue.
>
> Thanks, and best regards,
> Peter Müller

-Michael
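The two facts the reply above rests on (which xz release is installed, and whether liblzma ends up mapped into sshd at runtime) are easy to verify on a host. The script below is an added example written for this page, not code from the IPFire project or from anyone in the thread. It assumes a POSIX sh with `ldd` available for the live check, takes the affected releases (5.6.0 and 5.6.1) from the thread, uses `/usr/sbin/sshd` as a default path that may differ per system, and the two sample `ldd` outputs it runs against are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not IPFire code): host-side triage checks for CVE-2024-3094.
# Assumptions: POSIX sh; ldd is present for the live check; the affected
# releases are the two named in the thread (5.6.0 and 5.6.1); the sshd path
# /usr/sbin/sshd is a default and may differ on a given system.

# Return 0 if the xz/liblzma version string is one of the two releases the
# thread names as carrying the backdoor, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ldd-style output on stdin; return 0 if liblzma is among the mapped
# objects (directly, or pulled in by some other library). That mapping is
# the precondition the message says IPFire's sshd does not meet.
ldd_output_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Live check: run ldd on a binary. Returns 0 if liblzma would be mapped into
# it at runtime, 1 if not, 2 if the binary is not present.
sshd_links_liblzma() {
    bin="${1:-/usr/sbin/sshd}"
    [ -x "$bin" ] || return 2
    ldd "$bin" 2>/dev/null | ldd_output_links_liblzma
}

# Classify a version string (or, if none given, the installed xz as reported
# by `xz --version`, whose first line ends in the version number).
# Returns 0 for an affected release, 1 for anything else, 2 if unknown.
report_xz_version() {
    ver="$1"
    if [ -z "$ver" ] && command -v xz >/dev/null 2>&1; then
        ver=$(xz --version 2>/dev/null | sed -n '1s/.* //p')
    fi
    if [ -z "$ver" ]; then
        echo "xz: version unknown"
        return 2
    fi
    if xz_version_affected "$ver"; then
        echo "xz $ver: known-affected release, downgrade or rebuild"
        return 0
    fi
    echo "xz $ver: not one of the known-affected releases"
    return 1
}

# Constructed sample ldd outputs for the offline demonstration: one sshd
# that maps liblzma through its dependency chain, one that does not.
SAMPLE_LDD_CLEAN='    libcrypto.so.3 => /lib/libcrypto.so.3 (0x00007f00)
    libc.so.6 => /lib/libc.so.6 (0x00007f01)'
SAMPLE_LDD_LZMA='    libcrypto.so.3 => /lib/libcrypto.so.3 (0x00007f00)
    liblzma.so.5 => /lib/liblzma.so.5 (0x00007f02)
    libc.so.6 => /lib/libc.so.6 (0x00007f01)'

# Print a verdict for one sample (label, ldd text).
check_sample() {
    if printf '%s\n' "$2" | ldd_output_links_liblzma; then
        echo "$1: liblzma present, the backdoor's loading path exists"
    else
        echo "$1: no liblzma mapped"
    fi
}

check_sample "constructed clean sshd" "$SAMPLE_LDD_CLEAN"
check_sample "constructed lzma-linked sshd" "$SAMPLE_LDD_LZMA"
report_xz_version "${XZ_VERSION:-}" || true
if sshd_links_liblzma "${SSHD_PATH:-/usr/sbin/sshd}"; then
    echo "live sshd: maps liblzma at runtime"
else
    echo "live sshd: no liblzma mapped, or binary not found"
fi
```

Run it as-is for the offline samples plus a best-effort look at the local sshd, or set `SSHD_PATH` and `XZ_VERSION` to point it at another binary or version string. The liblzma check deliberately looks at the whole `ldd` output rather than only direct `NEEDED` entries, because a library that sshd does not link directly can still pull liblzma into the process.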