XZ Utils: Difference between revisions

From Wikipedia, the free encyclopedia
Revision by Mintphin (talk | contribs). Edit summary: "Add Alpine Linux edge to the list of affected distributions during the 2024 supply chain attack". Tag: Reverted. Previous revision's edit summary: "make date more exact". The change affects the paragraph listing the distributions affected by the 2024 supply chain attack (wikitext line 125), which now also names Alpine Linux edge.
Revision as of 16:20, 30 March 2024

XZ Utils
  Original author(s): Lasse Collin
  Developer(s): The Tukaani Project
  Stable release: 5.6.3[1] (1 October 2024)
  Written in: C
  Operating system: Cross-platform
  Type: Data compression
  License: Public domain[2] (but see details in Development and adoption)
  Website: archived 2024-03-25 at the Wayback Machine

.xz file format
  Filename extension: .xz
  Internet media type: application/x-xz
  Magic number: FD 37 7A 58 5A 00
  Developed by: Lasse Collin, Igor Pavlov
  Initial release: January 14, 2009
  Latest release: 1.1.0 (December 11, 2022)
  Type of format: Data compression
  Open format: Yes
  Free format: Yes
  Website: archived 2023-11-23 at the Wayback Machine

XZ Utils (previously LZMA Utils) is a set of free software command-line lossless data compressors, including the programs lzma and xz, for Unix-like operating systems and, from version 5.0 onwards, Microsoft Windows. For compression/decompression the Lempel–Ziv–Markov chain algorithm (LZMA) is used. XZ Utils started as a Unix port of Igor Pavlov's LZMA-SDK that has been adapted to fit seamlessly into Unix environments and their usual structure and behavior.

On March 29, 2024, a backdoor was discovered in versions 5.6.0 and 5.6.1 of XZ Utils.[3][4]

Features

In most cases, xz achieves higher compression ratios than alternatives like gzip and bzip2. Decompression speed is higher than bzip2, but lower than gzip. Compression can be much slower than gzip, and is slower than bzip2 at high compression levels, so xz is most useful when a compressed file will be read many times.[5][6]

XZ Utils consists of two major components:

  • xz, the command-line tool for compressing and decompressing files
  • liblzma, the library that implements the compression and decompression; the xz tool uses it, and other programs can link against it

Various command shortcuts exist, such as lzma (for xz --format=lzma), unxz (for xz --decompress; analogous to gunzip) and xzcat (for unxz --stdout; analogous to zcat).

XZ Utils can compress and decompress both the xz and lzma file formats, but since the LZMA format is now legacy,[7] XZ Utils compresses by default to xz.

Usage

Both the behavior of the software as well as the properties of the file format have been designed to work similarly to those of the popular Unix compressing tools gzip and bzip2.

Just like gzip and bzip2, xz and lzma can only compress a single file (or data stream) as input. They cannot bundle multiple files into a single archive; to do this, an archiving program such as tar is used first.

Compressing an archive:

xz   my_archive.tar    # results in my_archive.tar.xz
lzma my_archive.tar    # results in my_archive.tar.lzma

Decompressing the archive:

unxz    my_archive.tar.xz      # results in my_archive.tar
unlzma  my_archive.tar.lzma    # results in my_archive.tar

Version 1.22 or greater of the GNU implementation of tar has transparent support for tarballs compressed with lzma and xz, using the switches --xz or -J for xz compression, and --lzma for LZMA compression.

Creating an archive and compressing it:

tar -c --xz   -f my_archive.tar.xz   /some_directory    # results in my_archive.tar.xz
tar -c --lzma -f my_archive.tar.lzma /some_directory    # results in my_archive.tar.lzma

Decompressing the archive and extracting its contents:

tar -x --xz   -f my_archive.tar.xz      # results in /some_directory
tar -x --lzma -f my_archive.tar.lzma    # results in /some_directory

The same operations using single-letter tar options and the short .txz suffix:

tar cJf keep.txz keep   # archive then compress the directory ./keep/ into the file ./keep.txz
tar xJf keep.txz        # decompress then extract the file ./keep.txz creating the directory ./keep/

xz has supported multi-threaded compression (with the -T flag)[8] since version 5.2.0, released in 2014;[9] threaded decompression was added in version 5.4.0. Threaded decompression requires multiple compressed blocks within a stream, which the threaded compression interface produces.[8] The number of threads actually used can be lower than requested if the file is too small for threading with the given settings or if using more threads would exceed the memory usage limit.[8]

The xz format

The xz format improves on lzma by allowing for preprocessing filters. The exact filters used are similar to those used in 7z, as 7z's filters are available in the public domain via the LZMA SDK.
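The Usage and format sections above describe .xz files only from the outside (single-stream input, the magic number FD 37 7A 58 5A 00, block-based streams). The following parser is an added example written for this article, not code from XZ Utils or the Tukaani Project. It validates the container framing that the .xz file format specification defines around the compressed blocks (Stream Header, Index and Stream Footer with their CRC32 fields, the Backward Size encoding and multibyte integers; these details are taken from that specification, not from the text above) without decoding any block payload, walks multi-stream files, and shows a bounded decompression that refuses output beyond a caller-chosen size. The sample input is constructed with Python's standard lzma module.

```python
import lzma
import struct
import zlib

HEADER_MAGIC = b"\xfd7zXZ\x00"  # FD 37 7A 58 5A 00, the magic number from the infobox
FOOTER_MAGIC = b"YZ"            # 59 5A
CHECK_NAMES = {0: "None", 1: "CRC32", 4: "CRC64", 10: "SHA-256"}


def read_varint(buf, pos):
    """Decode one xz multibyte integer (7 bits per byte, low group first, high bit = more)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def parse_xz(data):
    """Walk every stream of an .xz file backwards from its Stream Footer, verifying the
    CRC32 of each Footer, Index and Header; Block payloads are not decoded.
    Returns one dict per stream in file order, or raises ValueError on any damage."""
    streams, end = [], len(data)
    while end > 0:
        while end >= 4 and data[end - 4:end] == b"\x00" * 4:  # Stream Padding
            end -= 4
        if end == 0:
            break
        footer = data[end - 12:end]
        if footer[10:12] != FOOTER_MAGIC:
            raise ValueError("no Stream Footer magic at offset %d" % (end - 2))
        if zlib.crc32(footer[4:10]) != struct.unpack("<I", footer[:4])[0]:
            raise ValueError("Stream Footer CRC32 mismatch")
        index_size = (struct.unpack("<I", footer[4:8])[0] + 1) * 4  # Backward Size
        index_start = end - 12 - index_size
        if index_start < 12:
            raise ValueError("Backward Size points outside the file")
        index = data[index_start:end - 12]
        if index[0] != 0x00:
            raise ValueError("Index Indicator is not 0x00")
        if zlib.crc32(index[:-4]) != struct.unpack("<I", index[-4:])[0]:
            raise ValueError("Index CRC32 mismatch")
        n_records, pos = read_varint(index, 1)
        blocks_size = uncompressed = 0
        for _ in range(n_records):
            unpadded, pos = read_varint(index, pos)  # Block Header + data + Check
            usize, pos = read_varint(index, pos)
            blocks_size += (unpadded + 3) & ~3        # each Block is padded to 4 bytes
            uncompressed += usize
        start = index_start - blocks_size - 12
        if start < 0:
            raise ValueError("Index records overrun the start of the file")
        header = data[start:start + 12]
        if header[:6] != HEADER_MAGIC:
            raise ValueError("no Stream Header magic at offset %d" % start)
        if zlib.crc32(header[6:8]) != struct.unpack("<I", header[8:12])[0]:
            raise ValueError("Stream Header CRC32 mismatch")
        flags = header[6:8]
        bad_flags = flags[0] or flags[1] & 0xF0 or (flags[1] & 0x0F) not in CHECK_NAMES
        if bad_flags or flags != footer[8:10]:
            raise ValueError("invalid or inconsistent Stream Flags")
        streams.append({"offset": start, "size": end - start, "check": CHECK_NAMES[flags[1] & 0x0F],
                        "blocks": n_records, "uncompressed_size": uncompressed})
        end = start
    streams.reverse()
    return streams


def is_rejected(data):
    """True if parse_xz refuses the input (damaged, truncated or not an .xz container)."""
    try:
        parse_xz(data)
        return False
    except (ValueError, IndexError):
        return True


def decompress_bounded(data, max_out):
    """Decompress one stream but never emit more than max_out bytes, so a tiny, highly
    compressible input cannot force a huge allocation; trailing bytes are rejected too."""
    d = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    out = d.decompress(data, max_length=max_out + 1)
    if len(out) > max_out:
        raise ValueError("output exceeds %d bytes" % max_out)
    if not d.eof:
        raise ValueError("truncated input")
    if d.unused_data:
        raise ValueError("trailing data after the stream")
    return out


# Constructed sample: two concatenated streams with different check types, and a copy
# with one Stream Flags byte flipped in the last footer (the CRC32 no longer matches).
SAMPLE = (lzma.compress(b"a" * 1000, check=lzma.CHECK_CRC32)
          + lzma.compress(b"b" * 10, check=lzma.CHECK_CRC64))
TAMPERED = SAMPLE[:-3] + bytes([SAMPLE[-3] ^ 0x01]) + SAMPLE[-2:]
```

Call parse_xz on the bytes of a real file to list its streams, check types and declared uncompressed sizes before deciding whether to decompress it. Two caveats matter for untrusted input: the CRC32 fields only catch accidental damage, since anyone who can rewrite the file can recompute them, so integrity against an adversary needs a signature or hash published outside the file; and the sizes in the Index are themselves attacker-controlled, so a cap on produced output such as decompress_bounded, rather than trust in the declared size, is what protects against a decompression bomb.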

Development and adoption

Development of XZ Utils took place within the Tukaani Project, led by Lasse Collin, a small group of developers who once maintained a Linux distribution based on Slackware.

All of the source code for xz and liblzma has been released into the public domain. The XZ Utils source distribution additionally includes some optional scripts and an example program that are subject to various versions of the GPL.[2]

Specifically, the full list of GPL scripts and sources distributed with the XZ Utils software include:

  • An optional implementation of a common libc function, getopt (GNU LGPL v2.1)
  • An m4 script for pthread detection (GNU GPL v3)
  • Some nonessential wrapper scripts (xzgrep, etc) (GNU GPL v2)
  • And the example program scanlzma, which is not integrated with the build system

The resulting software xz and liblzma binaries are public domain, unless the optional LGPL getopt implementation is incorporated.[10]

Binaries are available for FreeBSD, NetBSD, Linux systems, Microsoft Windows, and FreeDOS. A number of Linux distributions, including Fedora, Slackware, Ubuntu, and Debian use xz for compressing their software packages. Arch Linux previously used xz to compress packages,[11] but as of December 27, 2019, packages are compressed with Zstandard compression.[12] Fedora Linux also switched to compressing its RPM packages with Zstandard with Fedora Linux 31[13]. The GNU FTP archive also uses xz.

Supply chain attack

On 29 March 2024, Andres Freund published a thread[3] on Openwall's oss-security mailing list showing that the code of liblzma had been compromised. He identified compressed test files that had been added to the repository and were used, via additions to the configure script shipped in the release tar files, to set up a backdoor. He started his investigation because sshd was using an unusually high amount of CPU.[14] The issue is tracked under the Common Vulnerabilities and Exposures ID CVE-2024-3094, which was issued by Red Hat following the disclosure of the vulnerability.[15]

The malicious code is known to be present in versions 5.6.0 and 5.6.1. As stated in the Red Hat advisory,

Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.[16]

The malicious mechanism consists of:

  1. Two compressed test files that contain the malicious binary code. These files are present in the git repository but remain dormant unless extracted and injected into the program.[17] The injected code uses the glibc IFUNC mechanism to replace RSA_public_decrypt, an OpenSSL function used by OpenSSH, with a malicious version. OpenSSH normally does not load liblzma, but a common third-party patch used by several Linux distributions causes it to load libsystemd, which in turn loads liblzma.[17]
  2. A modified version of build-to-host.m4, which extracts a script that performs the actual injection. The modified m4 file is not present in the git repository; it is only available from the tar files released by the maintainer separately from git.[17]
  3. A script that extracts the malicious code from the "test case" files and injects it into liblzma. The script appears to perform the injection only when the system it is built on (1) is an x86-64 Linux system, (2) uses glibc and GCC, and (3) is building the package via dpkg or rpm.[17]

It is unknown whether this backdoor was intentionally placed by a maintainer or whether a maintainer was compromised.[18]

The list of affected Linux distributions includes Debian unstable[19], Arch Linux[20], Fedora Rawhide[21], Kali Linux[22], openSUSE Tumbleweed[23] and Alpine Linux edge[24]. Confirmed not to be affected are Red Hat Enterprise Linux[25], SUSE Linux Enterprise[23] and Amazon Linux[26].

FreeBSD is not affected by this attack, as all supported FreeBSD releases include versions of xz that predate the affected releases and the attack targets Linux's glibc.[27]
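The section above gives three conditions that together make a host exposed: an installed liblzma from release 5.6.0 or 5.6.1, an sshd that reaches liblzma through the distribution's libsystemd patch, and the x86-64 glibc environment the injected build targets. The following triage script is an added example written for this article, not a tool from the xz project, any distribution or the advisories cited. It parses the output format of xz --version and readelf -d (the sample outputs are constructed, not captured from a real host), walks the DT_NEEDED graph to find the sshd -> libsystemd -> liblzma chain, and combines the conditions into a verdict. The soname liblzma.so.5 and the path /usr/sbin/sshd are assumptions about a typical Linux install. It does not check the fourth condition in the text, a build via dpkg or rpm, which is a property of the build host rather than the running one, and distributions have shipped fixed packages that still report a 5.6.x version string, so a positive result is a reason to compare the installed package against the distribution's advisory, not proof of compromise.

```python
import re
from collections import deque

# Release versions carrying the malicious build machinery (CVE-2024-3094).
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}
LIBLZMA_SONAME = "liblzma.so.5"  # assumed soname of the installed liblzma

VERSION_RE = re.compile(r"^xz \(XZ Utils\) (\d+)\.(\d+)\.(\d+)", re.MULTILINE)
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

# Constructed sample command output, modelled on `xz --version` and
# `readelf -d <object>`; not captured from a real host.
XZ_VERSION_OUTPUT = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
READELF_OUTPUT = {
    "/usr/sbin/sshd": (
        " 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]\n"
        " 0x0000000000000001 (NEEDED)             Shared library: [libsystemd.so.0]\n"
        " 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]\n"
    ),
    "libsystemd.so.0": (
        " 0x0000000000000001 (NEEDED)             Shared library: [liblzma.so.5]\n"
        " 0x0000000000000001 (NEEDED)             Shared library: [libzstd.so.1]\n"
        " 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]\n"
    ),
    "libcrypto.so.3": " 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]\n",
    "liblzma.so.5": " 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]\n",
}


def parse_xz_version(text):
    """Return (major, minor, patch) from the first line of `xz --version`."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'xz (XZ Utils) X.Y.Z' line found")
    return tuple(int(g) for g in m.groups())


def parse_needed(readelf_text):
    """Return the DT_NEEDED sonames listed in `readelf -d` output, in order."""
    return NEEDED_RE.findall(readelf_text)


def build_graph(readelf_outputs):
    """Map each object to its direct DT_NEEDED dependencies."""
    return {obj: parse_needed(text) for obj, text in readelf_outputs.items()}


def find_load_path(root, target, graph):
    """Breadth-first search over DT_NEEDED edges. Returns the shortest chain
    root -> ... -> target, or None if the target is never pulled in."""
    parents, queue = {root: None}, deque([root])
    while queue:
        obj = queue.popleft()
        if obj == target:
            chain = []
            while obj is not None:
                chain.append(obj)
                obj = parents[obj]
            return chain[::-1]
        for dep in graph.get(obj, []):
            if dep not in parents:
                parents[dep] = obj
                queue.append(dep)
    return None


def assess(xz_version_text, graph, sshd_path, machine, libc):
    """Combine the exposure conditions from the text: an affected release, sshd
    reaching liblzma through its dependency chain, and an x86-64 glibc host.
    `machine` is the `uname -m` value, `libc` the C library family name."""
    version = parse_xz_version(xz_version_text)
    chain = find_load_path(sshd_path, LIBLZMA_SONAME, graph)
    result = {
        "xz_version": version,
        "affected_version": version in AFFECTED_VERSIONS,
        "sshd_loads_liblzma": chain is not None,
        "load_chain": chain,
        "x86_64_glibc": machine == "x86_64" and libc == "glibc",
    }
    result["exposed"] = (result["affected_version"] and result["sshd_loads_liblzma"]
                         and result["x86_64_glibc"])
    return result


if __name__ == "__main__":
    verdict = assess(XZ_VERSION_OUTPUT, build_graph(READELF_OUTPUT),
                     "/usr/sbin/sshd", "x86_64", "glibc")
    for key, value in verdict.items():
        print("%-20s %s" % (key, value))
```

On a live host the inputs come from running xz --version, readelf -d on the sshd binary and on each library it names, uname -m, and the C library in use; the graph walk is what distinguishes a host whose sshd is patched to link libsystemd from one whose sshd never loads liblzma at all, which the version string alone cannot tell you.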

References

  1. ^ Lasse Collin. "[xz-devel] XZ Utils 5.6.3 and Windows-specific security fix". Retrieved 1 October 2024.
  2. ^ a b Licensing on tukaani.org "The most interesting parts of XZ Utils (e.g. liblzma) are in the public domain. You can do whatever you want with the public domain parts. Some parts of XZ Utils (e.g. build system and some utilities) are under different free software licenses such as GNU LGPLv2.1, GNU GPLv2, or GNU GPLv3."
  3. ^ a b Freund, Andres (2024-03-29). "backdoor in upstream xz/liblzma leading to ssh server compromise". oss-security mailing list.
  4. ^ "Arch Linux - News: The xz package has been backdoored". archlinux.org. https://archlinux.org/news/the-xz-package-has-been-backdoored/
  5. ^ Henry-Stocker, Sandra (2017-12-12). "How to squeeze the most out of Linux file compression". Network World. Retrieved 2020-02-09.
  6. ^ "Gzip vs Bzip2 vs XZ Performance Comparison". RootUsers. 2015-09-16. Retrieved 2020-02-09.
  7. ^ LZMA Utils, retrieved 2011-01-25
  8. ^ a b c "Linux Manpages Online - man.cx manual pages".
  9. ^ XZ Utils Release Notes
  10. ^ "In what cases is the output of a GPL program covered by the GPL too?". GNU.org. Retrieved 21 August 2019.
  11. ^ Pierre Schmitz (2010-03-23). "News: Switching to xz compression for new packages".
  12. ^ "Arch Linux - News: Now using Zstandard instead of xz for package compression". www.archlinux.org. Retrieved 2020-01-07.
  13. ^ Mach, Daniel. "Changes/Switch RPMs to zstd compression". Fedora Project Wiki. Retrieved 30 March 2024.
  14. ^ "A backdoor in xz". lwn.net. Retrieved 2024-03-30.
  15. ^ "NVD - CVE-2024-3094". nvd.nist.gov. Retrieved 2024-03-30.
  16. ^ "Urgent security alert for Fedora 41 and Rawhide users". www.redhat.com. Retrieved 2024-03-29.
  17. ^ a b c d James, Sam. "xz-utils backdoor situation". Gist.
  18. ^ Goodin, Dan (2024-03-29). "Backdoor found in widely used Linux utility breaks encrypted SSH connections". Ars Technica. Retrieved 2024-03-29.
  19. ^ "CVE-2024-3094". security-tracker.debian.org. Retrieved 2024-03-30.
  20. ^ "Arch Linux - News: The xz package has been backdoored". archlinux.org. Retrieved 2024-03-30.
  21. ^ "Urgent security alert for Fedora 41 and Fedora Rawhide users". www.redhat.com. Retrieved 2024-03-30.
  22. ^ "All about the xz-utils backdoor | Kali Linux Blog". Kali Linux. 2024-03-29. Retrieved 2024-03-30.
  23. ^ a b "openSUSE addresses supply chain attack against xz compression library". openSUSE News. 2024-03-29. Retrieved 2024-03-30.
  24. ^ Natanael Copa (2024-03-11). "main/xz: upgrade to 5.6.1". Alpine Linux GitLab. Retrieved 2024-03-30.
  25. ^ "cve-details". access.redhat.com. Retrieved 2024-03-30.
  26. ^ "CVE-2024-3094". Amazon Web Services, Inc. Retrieved 2024-03-30.
  27. ^ "Disclosed backdoor in xz releases - FreeBSD not affected". Retrieved 2024-03-30.