xz Backdoor CVE-2024-3094 – Open Source Security Foundation

Authors: Bennett Pursell, Ecosystem Strategist, OpenSSF; Harry Toor, Chief of Staff, OpenSSF; Omkhar Arasaratnam, General Manager, OpenSSF

CVE-2024-3094 documents a backdoor in the xz package. This backdoor was inserted either by an xz maintainer or by someone who had compromised the maintainer's machine. While the motivation behind this backdoor remains unknown, the intent was to compromise specific distributions: the backdoors were only applied to DEB or RPM packages for the x86-64 architecture built with gcc and the GNU linker.

The Vulnerability in XZ Utils

A backdoor in upstream xz/liblzma was announced on the oss-security mailing list regarding the xz compression tools and libraries. Specifically, the issue with the xz libraries is with versions 5.6.0 and 5.6.1, and users are urged to immediately stop usage and downgrade to xz-5.4.x.

This vulnerability in XZ Utils – the XZ format compression utilities included in most Linux distributions – may "enable a malicious actor to break sshd authentic…
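The advisory's practical instruction is to find out whether an installed xz is one of the two affected releases and, if so, stop using it and move to 5.4.x. The script below is an added example written for this page, not code from OpenSSF or the xz project: it parses the first line of `xz --version` output (the "xz (XZ Utils) 5.6.1" format, assumed here) and classifies the version against the affected list the page gives (5.6.0 and 5.6.1). The sample version strings inside it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the OpenSSF post): classify an xz version string
# against the releases CVE-2024-3094 affects, per the advisory: 5.6.0 and 5.6.1.

# Returns 0 (affected) when the version is exactly 5.6.0 or 5.6.1, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the numeric version from `xz --version` output. The first line is
# assumed to look like "xz (XZ Utils) 5.6.1"; the last field is the version.
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Check the xz binary on PATH, if any. Prints a verdict and returns
# 0 when affected, 1 when not affected, 2 when xz is not installed.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found on PATH"
        return 2
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_affected "$ver"; then
        echo "xz $ver is affected by CVE-2024-3094: stop using it and downgrade to 5.4.x"
        return 0
    fi
    echo "xz $ver is not one of the affected versions (5.6.0, 5.6.1)"
    return 1
}

# Constructed sample output, to show the parser without touching the system.
sample_output="$(printf 'xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n')"
sample_version="$(xz_version_from_output "$sample_output")"
if xz_version_affected "$sample_version"; then
    echo "sample: $sample_version is affected"
fi

# Run the real check when executed as a script; the return code is not fatal here.
check_installed_xz || :
```

The check deliberately matches exact versions rather than a range, since the advisory names only 5.6.0 and 5.6.1; a downgraded 5.4.x build is reported as not affected. Note that this only inspects the `xz` front end on PATH; the liblzma shared library used by other processes on the host can be a different build, so a package-manager query for the liblzma version is worth running alongside it.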
