Updates on xz supply chain attack

Mar 31, 2024 · 2 mins read

We recently noted that a backdoor had been inserted into xz (XZ Utils), a widely used compression program, and its accompanying library, liblzma. Over a series of commits, a contributor inserted code that culminated in a CVSS 10 vulnerability: a backdoor in liblzma that targets OpenSSH's sshd on Linux systems where sshd loads liblzma (on most affected distributions, indirectly through libsystemd).

It's critical to check your systems to ensure you don't have a vulnerable version (5.6.0 or 5.6.1), but the full extent of the damage may not yet be known.

The malicious code was apparently written as a series of commits by someone (JiaT75) who appeared out of nowhere in 2021. They provided several significant commits and became an active contributor. Later, a series of mailing-list posts pressured the original maintainer to hand over responsibility, and JiaT75 was made co-maintainer of the project.

This calls into question all of that contributor's prior commits. They have lots of eyes on them now, but this is one to keep an eye on: other releases containing JiaT75's commits, going back well before 5.4.6, might turn out to contain a different problem.

Detection

To check if you have xz installed:

$ which xz
/usr/local/bin/xz
$ xz --version
xz (XZ Utils) 5.4.6
liblzma 5.4.6

Note that there are two versions: one for xz (the program) and one for liblzma, the accompanying library. The backdoor lives in liblzma, so the library version is the one that matters most.

If either says 5.6.0 or 5.6.1, you'll want to downgrade. The exact commands to run depend on your system.

It appears that Mac users who installed xz with brew or port should be okay: the injected payload is only assembled into liblzma when building from the tampered release tarballs for x86-64 Linux with glibc, so macOS builds are not believed to contain a working backdoor. But we've found 5.6.1 on MacBooks, so it's worth checking and downgrading anyway.
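The version check above, scripted, as an added example that is not the blog's own tooling: it parses the output of xz --version, flags 5.6.0 and 5.6.1 in either the program or the library line, and on Linux also reports whether the sshd binary links liblzma, which is what makes the backdoor reachable. It assumes a POSIX shell with awk; the sshd and ldd checks only run when those are present, and the sample outputs embedded for the offline run are constructed.

```shell
#!/bin/sh
# Added example, not the blog's own tooling. Assumes POSIX sh + awk.

# The two releases that shipped the backdoored liblzma.
xz_version_is_bad() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull both versions out of 'xz --version' output, which looks like:
#   xz (XZ Utils) 5.4.6
#   liblzma 5.4.6
# Prints "<xz version> <liblzma version>" on one line.
parse_xz_version_output() {
    printf '%s\n' "$1" | awk '
        /^xz \(XZ Utils\)/ { xz  = $NF }
        /^liblzma/         { lib = $NF }
        END                { print xz, lib }'
}

# Returns 0 (and names each offender) if either version is bad, 1 if clean.
check_xz_version_output() {
    set -- $(parse_xz_version_output "$1")
    rc=1
    for v in "$@"; do
        if xz_version_is_bad "$v"; then
            echo "VULNERABLE: xz/liblzma $v"
            rc=0
        fi
    done
    return $rc
}

# On Linux the payload is only reachable when sshd loads liblzma (via libsystemd).
# Returns 0 if an sshd binary links liblzma, 1 otherwise or if it can't be checked.
sshd_links_liblzma() {
    for bin in /usr/sbin/sshd "$(command -v sshd 2>/dev/null)"; do
        [ -n "$bin" ] && [ -x "$bin" ] || continue
        ldd "$bin" 2>/dev/null | grep -q 'liblzma' && return 0
    done
    return 1
}

# Constructed samples: what a clean host and a bad host print for 'xz --version'.
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Live run against this host when xz is installed; otherwise demo on the samples.
main() {
    if command -v xz >/dev/null 2>&1; then
        out=$(xz --version 2>/dev/null)
        if check_xz_version_output "$out"; then
            if sshd_links_liblzma; then
                echo "sshd links liblzma: the backdoor is reachable on this host"
            else
                echo "sshd does not link liblzma (or no sshd found): still downgrade"
            fi
        else
            echo "xz/liblzma versions look clean: $(parse_xz_version_output "$out")"
        fi
    else
        echo "xz not installed; running the check on constructed samples"
        check_xz_version_output "$SAMPLE_CLEAN" || echo "sample clean host: OK"
        check_xz_version_output "$SAMPLE_BAD"
    fi
}

main "$@"
```

Running xz --version executes the binary on the host you are assessing; if you would rather not do that, ask the package manager instead (dpkg-query -W liblzma5 on Debian/Ubuntu, rpm -q xz-libs on Fedora/RHEL) and feed the version into xz_version_is_bad.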

This is a great time to point out that our automated systems can do this for you - detect and, if desired, patch vulnerable versions of software.

Mac Users

The Homebrew maintainers are aware of the issue and fixed it at the repository level by reverting the xz formula to 5.4.6, so updating will downgrade it: run brew update and then brew reinstall xz, which installs whatever the formula now pins, and confirm with xz --version that both lines report 5.4.6.

Linux Users

The backdoored releases only reached rolling and pre-release distributions (for example Debian testing/unstable, Fedora Rawhide and the Fedora 40 beta, openSUSE Tumbleweed, Arch and Kali); stable Debian, Ubuntu and RHEL releases never shipped 5.6.x. Those distributions have since reverted or rebuilt the package, so the fix is a normal update (apt update && apt upgrade, dnf upgrade, pacman -Syu) followed by a check of xz --version. Be careful with apt-get remove xz-utils or yum remove xz: the library lives in a separate package (liblzma5 on Debian/Ubuntu, xz-libs on Fedora/RHEL) that dpkg and rpm themselves depend on, so removing the xz program leaves the backdoored library in place. Verify the library package's version, not just the binary's.

Per Red Hat, no version of Red Hat Enterprise Linux is affected; users of Fedora Rawhide and the Fedora 40 beta should update to the reverted package immediately (Red Hat's advisory tells Rawhide users to stop using it until it is fixed). [RedHat Status]
