xz Vulnerability


Roger M. Jenson

Apr 2, 2024, 11:16:32 AM
to Milwaukee Linux Users Group
The xz Utils backdoor has hit all the news sites with varying levels of
accuracy. I have read many reports and checked my trusted sources to
bring you the tl;dr.

CVE-2024-3094 Base Score: 10.0 CRITICAL

Malicious code was discovered in the upstream tarballs of xz, starting
with version 5.6.0. Through a series of complex obfuscations, the
liblzma build process extracts a prebuilt object file from a disguised
test file existing in the source code, which is then used to modify
specific functions in the liblzma code. This results in a modified
liblzma library that can be used by any software linked against this
library, intercepting and modifying the data interaction with this library.

Source: https://nvd.nist.gov/vuln/detail/CVE-2024-3094

At the very least check the version on your Linux systems (example from
my desktop computer running Pop!_OS 22.04 LTS).

rmjenson@frodo:~$ xz -V
xz (XZ Utils) 5.4.1
liblzma 5.4.1

The current reporting indicates that XZ Utils versions 5.6.0 and 5.6.1
are compromised. The recommended solution is to downgrade XZ Utils to an
uncompromised version, e.g. 5.4.6.

Best Regards,
Roger M. Jenson
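
Added example, not from Roger's post and not xz project code: a small POSIX sh check that turns the "check xz -V" advice above into something you can run on every host. It assumes, as the post states, that the compromised releases are exactly 5.6.0 and 5.6.1 and that xz -V prints the two-line banner shown above; the sample banners and function names are constructed for the example. It goes one step beyond the post by also listing which running processes have liblzma mapped, since the NVD text makes the point that the library, not the xz command, is what carries the malicious code.

```shell
#!/bin/sh
# Added example, not from the original post or the xz project: turn the
# "check xz -V on every box" advice into a repeatable check.
# Assumptions taken from the thread: the compromised releases are exactly
# 5.6.0 and 5.6.1, and xz -V prints the two-line banner
#     xz (XZ Utils) 5.4.1
#     liblzma 5.4.1
# The sample banners and function names below are constructed for this example.

# Exit 0 when VERSION is one of the compromised releases named in the thread.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull one version out of a banner.  Usage: banner_field BANNER xz|liblzma
# Prints nothing if the requested line is not in the banner.
banner_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
        want == "xz"      && $1 == "xz"      { print $4; exit }
        want == "liblzma" && $1 == "liblzma" { print $2; exit }'
}

# Report on both versions in BANNER.
# Returns 0 if both are clean, 1 if either is compromised, 2 if the banner
# could not be parsed.  The liblzma line is the one that matters: the backdoor
# is in the library, which other programs load, not in the xz command itself.
check_xz_banner() {
    cli=$(banner_field "$1" xz)
    lib=$(banner_field "$1" liblzma)
    rc=0
    for ver in "xz=$cli" "liblzma=$lib"; do
        v=${ver#*=}
        if [ -z "$v" ]; then
            printf 'UNKNOWN   %s (banner not recognised)\n' "${ver%=}"
            [ "$rc" -eq 1 ] || rc=2
        elif is_affected_xz_version "$v"; then
            printf 'AFFECTED  %s\n' "$ver"
            rc=1
        else
            printf 'ok        %s\n' "$ver"
        fi
    done
    return "$rc"
}

# List PIDs that currently have liblzma mapped, with their command lines.
# Needs permission to read /proc/PID/maps; unreadable entries are skipped.
# A poisoned liblzma reaches every one of these processes, which is what the
# NVD text quoted above means by "any software linked against this library".
processes_using_liblzma() {
    for m in /proc/[0-9]*/maps; do
        if grep -q 'liblzma\.so' "$m" 2>/dev/null; then
            pid=${m#/proc/}; pid=${pid%/maps}
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Constructed sample banners: the clean Pop!_OS output from the thread and a
# poisoned one.
CLEAN_BANNER='xz (XZ Utils) 5.4.1
liblzma 5.4.1'
BAD_BANNER='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Check the real banner when xz is installed, otherwise the samples.
if command -v xz >/dev/null 2>&1; then
    check_xz_banner "$(xz -V 2>/dev/null)" || :
else
    check_xz_banner "$CLEAN_BANNER" || :
    check_xz_banner "$BAD_BANNER" || :
fi
echo "processes with liblzma mapped:"
processes_using_liblzma || :
```

Run it with sh on each host: exit status 0 means both versions are clean, 1 means a compromised version was seen, 2 means the banner could not be parsed. The liblzma line in xz -V is whatever shared library the xz binary loaded, which is normally the same copy every other program gets, but a process started before a downgrade keeps the old library mapped until it restarts, which is why the /proc scan is worth a look on servers. The distribution package database (dpkg -l xz-utils liblzma5 on Debian and Ubuntu, rpm -q xz xz-libs on Fedora) is the authoritative answer for what is installed.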


Ian Weisser

Apr 3, 2024, 7:56:05 AM
to Milwaukee Linux User's Group
No Ubuntu releases (or Ubuntu-based distros) are affected.

The poisoned version was in pre-release (24.04) testing before being withdrawn.
All packages that use the poisoned library were deleted from the testing repos and are being rebuilt using clean xz-utils.
This has caused a lot of chat from testers, as the 24.04 daily images broke. But no panic.


Sean Malloy

Apr 3, 2024, 6:36:54 PM
to Milwau...@googlegroups.com
No GA versions of Fedora were affected. But Fedora Rawhide and Fedora 40 Beta are affected. See link below for more details.



--
Sean Malloy

--
Homepage: http://www.milwaukeelug.org/home
This forum online: https://groups.google.com/forum/#!forum/MilwaukeeLUG
---
You received this message because you are subscribed to the Google Groups "Milwaukee Linux User's Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to MilwaukeeLUG...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/MilwaukeeLUG/b9709957-7e15-4327-8055-365a1868df47%40eyedigix.com.

Tom

Apr 4, 2024, 11:04:34 AM
to Milwau...@googlegroups.com
I guess I'm ok:
# xz -V
xz (XZ Utils) 5.2.5
liblzma 5.2.5
--

Tom

Apr 4, 2024, 11:24:28 AM
to Milwau...@googlegroups.com
Whatever happened to the rehash command? Is there some other command to tell bash to refresh its cache?
 
Here's my problem:
Several times in the last year or so, I've been developing a script over time, in bash/python/perl/etc. I use some directory to develop it, so I don't have a cluttered view when I list the files.
 
Eventually I decide it's working well enough to put into the mainstream, and will work on multiple machines. So I move it into a shared NFS-mounted directory so it's accessible by most of my machines, physical and virtual. 
 
Key info: both the original directory I was developing in, and the shared directory, are in the path. Obviously, I've modified my path in /etc/profile and tacked on some stuff to the end of my path.
 
I was cooking up a script to grab the status of a device. As long as it's in the directory I developed it in and where I ran it dozens of times, all was well. Then I moved it:
# mv thecstat /usr/local/shared/
 
# thecstat
-bash: /usr/local/bin/dev/thecstat: No such file or directory
 
Now it won't run, because it's looking in the wrong place. Obviously, it's caching something. Now that it's in the shared directory, I can go to any other machine and run it without a path, since the shared directory is in the path on many of my machines.
 
Also, if I specify the path, it runs:
# /usr/local/shared/thecstat
Also, I can fix it by logging out and back in, or by doing su - <username> which creates another shell for the user.
 
After doing any of those things, I can run the thing without specifying the path.
 
Surely there is some way to tell bash to discard its cache and reload it?
 
-T
 

Tom

Apr 4, 2024, 3:25:10 PM
to Milwau...@googlegroups.com
Answering my own question:
 
I created an alias to fix this. The command is hash -r
 
I put this in my profile directory, in custom.sh:
alias rehash='echo Clearing bash command cache.; hash -r'
 
There are other options for the hash command that allow clearing of the cache for a single command, and so on.
 
--
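
Added example, not from Tom's posts: a script that reproduces the stale-hash failure described above inside a throwaway directory and shows both ways of clearing it, hash -r for the whole table (Tom's rehash alias) and hash -d NAME for a single entry. The directory and script names (dev, shared, thecstat) are constructed for the demo; it assumes bash is installed and that command hashing is on, which is bash's default. The outer script is plain sh; the scenario itself runs in a fresh bash so the hash table starts empty.

```shell
#!/bin/sh
# Added example, not part of the thread: reproduce the stale command-hash failure
# Tom hit and show the fix.  Assumptions: bash is installed and command hashing is
# on (the bash default).  The names dev/, shared/ and thecstat are constructed.

# Run the whole scenario inside a fresh bash process so its hash table starts empty.
# $1 selects the fix: "r" clears the whole table (hash -r, the rehash alias above),
#                     "d" forgets just the one name (hash -d thecstat).
# Prints one line per step and returns 0 only if the command runs again after the fix.
hash_demo() {
    bash -c '
        mode=$1
        work=$(mktemp -d) || exit 2
        trap "rm -rf \"$work\"" EXIT
        mkdir -p "$work/dev" "$work/shared"
        PATH="$work/dev:$work/shared:$PATH"

        # The script starts life in the development directory, as in the thread.
        printf "#!/bin/sh\necho status-ok\n" > "$work/dev/thecstat"
        chmod +x "$work/dev/thecstat"

        thecstat >/dev/null                      # first run: PATH search, result cached
        echo "cached: $(hash -t thecstat)"

        mv "$work/dev/thecstat" "$work/shared/"  # the move to the shared directory

        # bash does not re-check the cached path, so this fails even though
        # the new location is also in PATH.
        if thecstat >/dev/null 2>&1; then
            echo "after move: ran (no stale entry?)"
        else
            echo "after move: FAILED (stale hash entry)"
        fi

        case $mode in
            d) hash -d thecstat ;;
            *) mode=r; hash -r ;;
        esac

        if thecstat >/dev/null 2>&1; then
            echo "after hash -$mode: ran from $(hash -t thecstat)"
            exit 0
        fi
        echo "after hash -$mode: still failing"
        exit 1
    ' hash_demo "${1:-r}"
}

# Stand-alone run: show both fixes.
hash_demo r || :
echo
hash_demo d || :
```

The "cached:" line shows what hash -t NAME reports, which is the quickest way to confirm a stale entry before clearing it. bash also has shopt -s checkhash, which makes it stat the cached path and fall back to a PATH search when the file is gone; that would have avoided the failure in the thread, at the cost of a stat per command.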

Sean Malloy

Apr 5, 2024, 9:49:29 AM
to Milwau...@googlegroups.com
Tom,

On my Fedora 39 desktop using bash 5.2.26 I see a "hash" shell builtin.

$ type hash 
$ help hash
$ hash -r

--
Sean Malloy


Michael Zore

Apr 5, 2024, 9:49:29 AM
to Milwau...@googlegroups.com
Try "hash -r"


Tom

Apr 5, 2024, 9:54:10 AM
to Milwau...@googlegroups.com
I now have a shiny new alias for this:
alias rehash='echo Clearing bash command cache.; hash -r'
 
Old habits die hard.
 
Thanks all.