public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Heads up: Backdoor in upstream xz tarball, stable version of IPFire likely unaffected, testing version somewhat affected
Date: Mon, 08 Apr 2024 17:33:11 +0100
Message-ID: <FA59604A-FF5C-4C64-B0F0-D133343B8B96@ipfire.org>
In-Reply-To: <4cf823b3-3545-420f-9a86-7f2723b163c4@ipfire.org>


Hello Matthias,

I think there is very little point in removing those as they will be mirrored all over the internet.

We are also mirroring the Git repository which contains some bad eggs, too.

Let’s keep this for history :)

-Michael

> On 5 Apr 2024, at 17:51, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
> 
> Hi,
> 
> Jm2c:
> 
> I'm working on an update (httpd 2.5.59) and just saw that the "backdoor
> versions" of 'xz 5.6.0/5.6.1' are still available on ipfire.org
> (/pub/sources/source-2.x).
> 
> Would it not be advisable to delete these versions so that no mischief
> can be done with them?
> 
> Just m2c...
> 
> Best
> Matthias
> 
> On 29.03.2024 22:53, Peter Müller wrote:
>> Hello *,
>> 
>> a quick heads-up on reports on the oss-security mailing list that indicate the upstream
>> tarball of xz has contained a backdoor since version 5.6.0, with the objective appearing
>> to be backdooring SSH: https://openwall.com/lists/oss-security/2024/03/29/4
>> 
>> Please note that this is a developing situation, so take the assessments below with a
>> pinch of salt.
>> 
>> - The latest stable version of IPFire, IPFire 2.29 - Core Update 184, is NOT affected by
>>  the backdoor discussed in the oss-security post linked above. This is because it includes
>>  xz 5.4.6 (as mentioned in https://www.ipfire.org/blog/ipfire-2-29-core-update-184-released).
>>  Further, since IPFire does NOT patch OpenSSH in order to include lzma compression (which
>>  is a requirement for the unveiled backdoor to work), my understanding at this time is that
>>  OpenSSH on stable IPFire installations is not affected.
>> 
>>  This is further corroborated by the backdoor known so far only becoming active under
>>  certain build environment conditions that are not met by IPFire 2.x's build environment.
>> 
>>  However, it currently appears as if the xz developer has actively worked towards including
>>  a backdoor, rather than their account having been compromised. Therefore, it may be that
>>  there are other backdoors in the xz upstream tarball, and that they have been included in
>>  earlier versions.
>> 
>> - Forthcoming Core Update 185 includes two patches that update xz to 5.6.0 and 5.6.1,
>>  respectively. These versions are known to include the aforementioned OpenSSH backdoor.
>>  The IPFire development team will discuss reversion of xz to a version not known to be
>>  affected thus far in the next few days. Currently, both Debian and Fedora opted to
>>  revert back to version 5.4.5, rather than 5.4.6 (which is what IPFire currently ships
>>  in stable Core Update 184, but is not known to include any malicious code, which only
>>  commenced in version 5.6.0).
>> 
>>  Again, since no custom patching of OpenSSH is in place, the unveiled SSH backdoor would
>>  not have been functional on IPFire installations.
>> 
>> IPFire is currently unaware of the unveiled backdoor impacting any other service that is
>> usually directly exposed on IPFire installations to the internet, such as OpenVPN or IPsec.
>> 
>> For reference, CVE-2024-3094 has been assigned by Red Hat for this issue.
>> 
>> Thanks, and best regards,
>> Peter Müller
> 

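A defender's check for the two conditions Peter lists above (a backdoored xz release installed, and an sshd that actually links liblzma), written as an added example that is not part of this thread or of IPFire's own tooling; the `xz --version` and `ldd` outputs embedded below are constructed sample data, and the live-host invocation at the end is an assumption about where those tools are found:

```shell
#!/bin/sh
# Added example: apply the two conditions from the advisory above to one host.
# 1. Is the installed xz one of the backdoored upstream releases (5.6.0 / 5.6.1)?
# 2. Does the sshd binary link liblzma at all? (Unpatched OpenSSH, as on IPFire,
#    does not, so the SSH backdoor has no path into sshd there.)
# Passing here only means these two published conditions are not met.

# Pull the version number out of `xz --version` output, e.g. "xz (XZ Utils) 5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.* //p'
}

# Return 0 when the version string is one of the known backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when `ldd sshd` output (passed as one string) lists liblzma.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both checks into one verdict word: unaffected, isolated, or exposed.
assess() {
    ver=$(xz_version_from_output "$1")
    if ! xz_version_affected "$ver"; then
        echo "unaffected"   # xz is not a backdoored release
    elif ! sshd_links_liblzma "$2"; then
        echo "isolated"     # backdoored xz installed, but sshd has no liblzma dependency
    else
        echo "exposed"      # backdoored xz and an sshd that loads liblzma
    fi
}

# Constructed sample data (not captured from a real host).
SAMPLE_XZ='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_PLAIN='    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f0000000000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)'
SAMPLE_LDD_LZMA="$SAMPLE_LDD_PLAIN
    liblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007f0000200000)"

echo "stock sshd + xz 5.6.1: $(assess "$SAMPLE_XZ" "$SAMPLE_LDD_PLAIN")"        # isolated
echo "lzma-linked sshd + xz 5.6.1: $(assess "$SAMPLE_XZ" "$SAMPLE_LDD_LZMA")"   # exposed
# Against the local host instead of the samples (assumes xz, ldd and sshd are on PATH):
# assess "$(xz --version 2>/dev/null)" "$(ldd "$(command -v sshd)" 2>/dev/null)"
```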