xz-5.6.x is trojaned (CVE-2024-3094) #300055
Comments
Hopefully that means we're not directly impacted?
FWIW, the openwall email indicates that the GitHub autogenerated tarball does not have the exploit in it. I would imagine we could just switch to that instead of the tarball artifacts, as an immediate-term fix.
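An added example, not code from this thread or from the xz project, of the check behind the comment above: compare a release tarball against the archive generated from the tagged source tree and report which paths exist only in the release (generated files such as `configure` and m4 macros, which have to be reviewed out of band because no tag vouches for them), which exist in both but differ, and which are byte-identical. The two archives are constructed in memory as stand-ins; their contents and the `src/xz/args.c` edit are illustrative and are not the real xz-5.6.1 contents.

```python
import hashlib
import io
import tarfile
from typing import Dict, List


def make_tar(files: Dict[str, bytes]) -> bytes:
    """Build a gzip'd tar in memory from {path: content}. Only used to construct the sample archives."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def file_digests(archive: bytes, strip_components: int = 1) -> Dict[str, str]:
    """Map every regular file to its SHA-256, dropping the leading 'xz-X.Y.Z/' directory so
    archives whose top-level directory names differ still line up path by path."""
    digests: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            parts = member.name.split("/")[strip_components:]
            if not parts:
                continue
            data = tf.extractfile(member).read()
            digests["/".join(parts)] = hashlib.sha256(data).hexdigest()
    return digests


def compare_archives(release: bytes, vcs_snapshot: bytes) -> Dict[str, List[str]]:
    """Classify paths as only-in-release, only-in-VCS, differing, or identical."""
    rel = file_digests(release)
    vcs = file_digests(vcs_snapshot)
    common = set(rel) & set(vcs)
    return {
        "only_in_release": sorted(set(rel) - set(vcs)),
        "only_in_vcs": sorted(set(vcs) - set(rel)),
        "differing": sorted(p for p in common if rel[p] != vcs[p]),
        "identical": sorted(p for p in common if rel[p] == vcs[p]),
    }


def needs_review(report: Dict[str, List[str]]) -> bool:
    """Anything shipped in the release that is not byte-identical to the tagged tree needs eyes on it."""
    return bool(report["only_in_release"] or report["differing"])


# Constructed sample archives (stand-ins, not the real xz-5.6.1 contents).
SAMPLE_VCS_SNAPSHOT = make_tar({
    "xz-5.6.1/configure.ac": b"AC_INIT([xz], [5.6.1])\n",
    "xz-5.6.1/src/liblzma/check/crc64_fast.c": b"/* stand-in source file */\n",
    "xz-5.6.1/src/xz/args.c": b"/* stand-in source file */\n",
})
SAMPLE_RELEASE_TARBALL = make_tar({
    "xz-5.6.1/configure.ac": b"AC_INIT([xz], [5.6.1])\n",
    "xz-5.6.1/src/liblzma/check/crc64_fast.c": b"/* stand-in source file */\n",
    "xz-5.6.1/src/xz/args.c": b"/* stand-in source file, edited after tagging */\n",
    "xz-5.6.1/configure": b"#! /bin/sh\n# generated by autoconf, not tracked in git\n",
    "xz-5.6.1/m4/build-to-host.m4": b"# stand-in for a generated macro file\n",
})

if __name__ == "__main__":
    report = compare_archives(SAMPLE_RELEASE_TARBALL, SAMPLE_VCS_SNAPSHOT)
    for key, paths in report.items():
        print(f"{key}: {paths}")
    print("needs review:", needs_review(report))
```

For real artifacts, read the downloaded release tarball and the tag archive as bytes and pass them to `compare_archives`; `mode="r:*"` lets tarfile detect gzip, bzip2 or xz compression, so a `.tar.bz2` release and a `.tar.gz` tag snapshot compare fine. The "only_in_release" list is the part that matters for this incident: those files have no counterpart in any tag and can only be vetted by regenerating them yourself or diffing them against the same files in the previous release.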
@jaen Likely we could be impacted still; I thought they tested on Debian, which obviously uses the standard FHS and not the Nix one. I don't think what the argv0 dirname part of the path is matters exactly, as long as it is sshd.
Yes. Being handled in #300028
I ran it without modifying, and it output nothing for me. It should say "probably unaffected" or something like that.
@NightH4nter: Much to what @Aleksanaa said,
From what's been posted online, it sounds like this particular backdoor only tries to inject stuff into .rpm and .deb builds of XZ. The biggest worry for NixOS is whether previous versions had other backdoors too.
To facilitate searches: CVE-2024-3094.
NixOS discourse thread: https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
Sounds like a good idea. But currently the whole of https://github.com/tukaani-project/xz/ is taken down, so we'll need some other source of this code. (This will currently break rebuilding from scratch in interesting ways...)
Sure. But I would assume other binaries linked against the infected liblzma might be a subject for discussion.
Source is available here: https://git.tukaani.org/ See the update from the primary author, too: https://tukaani.org/xz-backdoor/
Lasse Collin added this commit a few hours ago: https://git.tukaani.org/?p=xz.git;a=commit;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00 which appears to demonstrate that Tan made at least one subversive commit to the xz git repo, and not just to the release tarballs. However, the subversive commit is recent, made between 5.6.0 and 5.6.1: https://git.tukaani.org/?p=xz.git;a=commit;h=328c52da8a2bbb81307644efdb58db2c422d9ba7. Hence, so far, there is no evidence that versions of xz prior to 5.6.0 are compromised in any way.
This package cannot be downloaded anymore!!!
The link has been changed in 6aa50d0, and will be merged as a part of #298548.
Timeline of the events, with lots of relevant pointers.
2015 is way before the rollback target, and the 2020 DoS is kind of a «what compression ratio is a zip bomb» flamewar. Hm, the 2022 CVE is indeed a patch we'd need to import (and as it was initially reported for zgrep I missed it when searching the NIST version of the CVE database, which I tried doing before asking the question). Although it looks like the patch for it was still merged by Lasse Collin before giving any rights to the attacker group. So technically the last pre-Jia Tan commit in xz does not have any undisputed CVEs (personally, I agree with the disputed status of the DoS one)?
So we could work with either that or xz-unscathed, then. I don't have any ability to decide which. But as I'm already attempting a rebuild with xz-unscathed, how about someone else tries v5.2.5? We could probably use a later commit, but that's the newest release that is Absolutely 100% Definitely not affected... and is also not an alpha.
I put the following in

```nix
# initially from: https://github.com/NixOS/nixpkgs/issues/300055#issuecomment-2034546410
system.replaceRuntimeDependencies = [
  {
    original = pkgs.xz;
    replacement = pkgs.xz.overrideAttrs (finalAttrs: prevAttrs: {
      version = "5.4.6";
      src = pkgs.fetchurl {
        # The original URL has been taken down:
        # "https://github.com/tukaani-project/xz/releases/download/v${version}/xz-${version}.tar.bz2"
        url = "mirror://sourceforge/lzmautils/xz-${finalAttrs.version}.tar.bz2";
        sha256 = "sha256-kThRsnTo4dMXgeyUnxwj6NvPDs9uc6JDbcIXad0+b0k=";
      };
      # Can't use this due to no Makefile or something like that:
      # src = pkgs.fetchgit {
      #   url = "https://git.tukaani.org/xz.git";
      #   rev = "v${finalAttrs.version}";
      #   hash = "sha256-uMUwR1I42R4hip5bJ1KOBKLZd9bb683z7xKeyB3M1Qg=";
      # };
    });
  }
];
```

(note that I can use It did something for 3 minutes after
Thanks.
NixOS/nixpkgs#300055 https://nixpk.gs/pr-tracker.html?pr=300028 Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
@correabuscar xz 5.4.6 has landed in unstable, no need to build it manually. |
Since it is already in unstable shouldn't this be closed? |
The discussions about how to handle upstream malicious commits before xz 5.6 is still ongoing. Should this topic be considered in-scope or out-of-scope of this issue? If the former, we should keep it open. |
BTW, the effectiveness of It deserves a new (separate) issue.
Right now I am trying to override the xz version to 5.3.1 but I am failing :(, maybe I could get some help?
If you need help, Matrix and Discourse are a great place to ask (you can even log in with GitHub) 🦆. |
Sure, I am just wondering how hard it is to change the version of a package here; I searched so many times and can't do it xD. I will follow your suggestion. Thank you.
Hey, using your config with flake.nix I get: error:
EDIT: Related to #199162 , fixed using --impure |
Does this really need to turn into a bug squashing session? I think this is muddying the water, especially since it's been mentioned that this should stay open for reference for those discussing how to handle supply chain issues moving forward. As others have stated, there is discourse and such for this. |
For me it should also be closed; I'm just using this issue because it is open and my problem is partially fixed here.
No. The issue with the backdoor is not yet fixed or cleared. What made it into unstable is just a very temporary workaround, necessary because of the urgency of the issue. |
@npulidomateo: can you elaborate on what's missing with the backdoor?
Well, I'm no expert, but I'm not sure it has been yet proven that 5.4.6 is completely clean. Please correct me if I'm wrong. |
I'd put such related topics into other issues, cross-linking them here. It's also not distro-specific, so I'm not even sure that the best place for that is around NixOS.org |
Well @vcunat I guess you can also see it that way. I kind of feel that it's not wrong to aggregate here information about the backdoor issue in general. Anyway thanks for making the fix / workaround. |
I also feel that «how far to roll back/which fork to use» is a priori exactly the topic here… |
Re comment: Regarding disclaimer: Note that I'm a complete newbie at nix/nixos; I didn't even read the manual or nixpills yet, and I'm only using nixos in a VM, so some things may be (obviously) wrongly done in there; use your common sense :) (e.g. use 'pname' instead of 'name')
I'm going to close this as the revert to 5.4.6 is now available in nixos-unstable and as such CVE-2024-3094 is mitigated (note that anyway, AFAIK, no concrete evidence regarding the compromise of the 5.4.6 release has been exposed despite various communities taking a closer look at the source code and release tarballs since Friday). Reverting to older releases is not as easy as it may sound due to some ABI changes (and also performance regressions). Progress on follow-up actions from this incident can be made in dedicated pull requests and/or issues. It will make things easier to track for everyone and, of course, we can re-open this if new information comes to light.
- Removes awscli overlay - Downgrade `xz` to 5.4.6 [CVE-2024-3094](NixOS/nixpkgs#300055)
The fix has been propagated to nixpkgs-unstable. See NixOS/nixpkgs#300055 (comment)
See https://www.openwall.com/lists/oss-security/2024/03/29/4.
The trojaned source package is not in 23.11 but has been in unstable since 5c7c19c. I'm trying to verify whether NixOS users are impacted by the exploit. I think we may be okay because NixOS doesn't have the openssh patch for systemd notification, and therefore openssh has no hook into liblzma.
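As an added example, not code from this thread and not the detection script from the openwall advisory: a small Python triage that encodes the reasoning in the issue body. The sshd vector needs two things at once, a 5.6.0 or 5.6.1 liblzma on the system and that library actually mapped into the sshd process (on Debian-style builds it arrives via libsystemd; an unpatched sshd has no such hook). It parses `ldd` output and `xz --version` output; the sample outputs below are constructed stand-ins, including the /nix/store paths. The check is deliberately simplified: the real payload had further activation conditions (see the argv0 discussion above), so "sshd_vector_possible: False" only means that one vector is absent, while a 5.6.x package is still something to replace.

```python
import re
from typing import Dict, List, Optional

# The two upstream releases named in CVE-2024-3094.
AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}


def parse_ldd(ldd_output: str) -> Dict[str, Optional[str]]:
    """Parse `ldd <binary>` output into {soname: resolved path}; unresolved libraries map to None."""
    libs: Dict[str, Optional[str]] = {}
    for line in ldd_output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^(\S+)\s*=>\s*(\S+)", line)
        if m:
            # "libfoo.so => not found" leaves the path unresolved.
            libs[m.group(1)] = None if m.group(2) == "not" else m.group(2)
            continue
        m = re.match(r"^(\S+)\s*\(0x", line)
        if m:
            # The vDSO and the dynamic loader are listed without an '=>'.
            libs[m.group(1)] = m.group(1)
    return libs


def parse_liblzma_version(version_output: str) -> Optional[str]:
    """Pull the liblzma version out of `xz --version`, falling back to the first x.y.z seen."""
    m = re.search(r"liblzma\s+(\d+\.\d+\.\d+)", version_output)
    if m is None:
        m = re.search(r"\b(\d+\.\d+\.\d+)\b", version_output)
    return m.group(1) if m else None


def triage(ldd_output: str, version_output: str) -> Dict[str, object]:
    """Combine 'is an affected liblzma installed' with 'does sshd map liblzma at all'."""
    libs = parse_ldd(ldd_output)
    lzma_paths: List[str] = [p for name, p in libs.items() if name.startswith("liblzma.so") and p]
    version = parse_liblzma_version(version_output)
    affected_version = version in AFFECTED_VERSIONS
    return {
        "liblzma_version": version,
        "affected_version_installed": affected_version,
        "sshd_links_liblzma": bool(lzma_paths),
        "liblzma_paths": lzma_paths,
        # Both conditions are required for the sshd vector discussed in the issue.
        "sshd_vector_possible": affected_version and bool(lzma_paths),
    }


# Constructed sample outputs (stand-ins; the paths and addresses are not from a real host).
SAMPLE_LDD_WITH_LZMA = """
    linux-vdso.so.1 (0x00007ffc3f5f1000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f2c1a200000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2c1a100000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2c1a0c0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c19e00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f2c1a600000)
"""
SAMPLE_LDD_WITHOUT_LZMA = """
    linux-vdso.so.1 (0x00007ffd11a9d000)
    libcrypto.so.3 => /nix/store/xxxxxxxx-openssl-3.0.13/lib/libcrypto.so.3 (0x00007f0e5c600000)
    libc.so.6 => /nix/store/xxxxxxxx-glibc-2.38-44/lib/libc.so.6 (0x00007f0e5c400000)
    /nix/store/xxxxxxxx-glibc-2.38-44/lib/ld-linux-x86-64.so.2 (0x00007f0e5ca00000)
"""
SAMPLE_XZ_VERSION_561 = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_XZ_VERSION_546 = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"

if __name__ == "__main__":
    for label, ldd_out, ver_out in [
        ("debian-style sshd, xz 5.6.1", SAMPLE_LDD_WITH_LZMA, SAMPLE_XZ_VERSION_561),
        ("nixos-style sshd, xz 5.6.1", SAMPLE_LDD_WITHOUT_LZMA, SAMPLE_XZ_VERSION_561),
        ("debian-style sshd, xz 5.4.6", SAMPLE_LDD_WITH_LZMA, SAMPLE_XZ_VERSION_546),
    ]:
        print(label, triage(ldd_out, ver_out))
```

On a live host, feed it `subprocess.check_output(["ldd", shutil.which("sshd")], text=True)` and `subprocess.check_output(["xz", "--version"], text=True)`. Note that `ldd` only shows link-time dependencies; a library pulled in with `dlopen` at runtime would not appear, which is one more reason this is a triage aid rather than a clean bill of health.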