xz 5.6.1 vulnerability; downgrade to 5.4.6

2024-03-29 Thread Ryan Schmidt
Today a security issue was disclosed [1] in the xz package, which contains the 
xz program (used for example by MacPorts to decompress xz-compressed source 
code archives) and the liblzma library (used by many other programs). Versions 
5.6.0 and 5.6.1 (to which the MacPorts port was updated a couple days ago) are 
affected. Josh downgraded the port to 5.4.6 which we believe is not affected, 
but as we learn more over the coming days we may downgrade even further. Please 
use the normal MacPorts commands to receive this update and do not be surprised 
that you are being "upgraded" to an older version of xz:

sudo port selfupdate
sudo port upgrade outdated

I've spent some time reading the various discussions about this incident and 
this was not a typical security issue caused by buggy code. Instead, malicious 
code was deliberately added to the xz project in small pieces over a period of 
months or years, culminating in the release of xz 5.6.0 containing an exploit 
targeting x86_64 Debian Linux users by injecting code into sshd processes. xz 
5.6.1 "improved" the code by making the exploit harder to detect. This 
particular exploit does not affect macOS but we don't yet know if there are 
other yet-undiscovered vulnerabilities that could affect macOS. 

What seems to have happened is: Two years ago, the developer of xz found his 
time for continuing to develop xz to be limited [2] and he was pressured on the 
xz mailing list to add a second official developer. That second developer was 
later promoted to release manager. The GitHub account of that second developer 
committed the malicious code. It is not yet clear whether the GitHub accounts 
of one or both of the developers were taken over by malicious actors, or 
whether one or both of the developers have been malicious actors all along. At 
this time, GitHub has suspended the accounts of both of xz's developers and 
disabled their GitHub organization's repositories so it's not yet clear if or 
when or how they will respond to this.

Undoubtedly security researchers will be scrutinizing every commit made to the 
xz project over the past two years and we'll take further action (further 
downgrades or patches) as needed. As always, although I'm listed as the 
maintainer of the MacPorts xz port, anybody may commit changes that resolve 
security issues without waiting for the maintainer's approval.

Thank you to Frank Dean for bringing this issue to our attention on the 
macports-dev mailing list and to Josh for downgrading the port so quickly.


[1] https://www.openwall.com/lists/oss-security/2024/03/29/4
[2] https://www.mail-archive.com/xz-devel@tukaani.org/msg00563.html
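An added example, not part of Ryan's message or of MacPorts' own code: a small POSIX shell model of why `port upgrade outdated` treats the move from 5.6.1 back to 5.4.6 as an "upgrade" once the port's epoch is bumped, plus a check of whether a given xz version is one of the two releases the thread names as affected. The helper names (vercmp, port_update_wanted, xz_affected, parse_xz_version) and the sample `xz --version` line are assumptions made for illustration; the real port(1) logic is Tcl and uses a richer version comparison, but the epoch-before-version ordering is the part the downgrade relies on.

```shell
#!/bin/sh
# Added example, not from the macports-dev thread or the MacPorts source.
# Models the ordering MacPorts applies when deciding whether an installed
# port is "outdated": a higher epoch wins outright, and only when epochs are
# equal does the dotted version decide.

# vercmp A B: print -1, 0 or 1 comparing dotted numeric versions (e.g. 5.4.6).
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# port_update_wanted OLD_EPOCH OLD_VERSION NEW_EPOCH NEW_VERSION
# Succeeds (exit 0) when the "new" port would replace the installed "old" one.
port_update_wanted() {
    if [ "$3" -gt "$1" ]; then return 0; fi   # epoch bump forces the update
    if [ "$3" -lt "$1" ]; then return 1; fi
    [ "$(vercmp "$4" "$2")" -eq 1 ]           # same epoch: compare versions
}

# xz_affected VERSION: succeeds for the two releases the thread calls affected.
xz_affected() {
    case $1 in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# parse_xz_version TEXT: pull the version out of `xz --version` output,
# whose first line has the form "xz (XZ Utils) 5.4.6" (sample constructed here).
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.* //p'
}

# Stand-alone demo: the situation the thread describes.
sample_output='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
installed=$(parse_xz_version "$sample_output")
if xz_affected "$installed"; then
    echo "installed xz $installed is an affected release"
fi
if port_update_wanted 0 "$installed" 0 5.4.6; then
    echo "5.4.6 without an epoch bump would be installed (unexpected)"
else
    echo "5.4.6 with the same epoch is not seen as newer than $installed"
fi
if port_update_wanted 0 "$installed" 1 5.4.6; then
    echo "5.4.6 with epoch 1 is treated as an upgrade over $installed"
fi
```

Run it with any POSIX sh; the last two branches show the difference the epoch line makes, which is why reverting the version alone would have left existing 5.6.1 installs untouched.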




Re: XZ Utils Compromised Releases

2024-03-29 Thread Rainer Müller
On 29/03/2024 18.52, Blair Zajac wrote:
> In https://www.openwall.com/lists/oss-security/2024/03/29/4
>  it says
> 
> == Bug reports ==
> 
> Given the apparent upstream involvement I have not reported an upstream
> bug….
> 
> 
> I suggest not waiting for an upstream release and instead revert our
> commit and add an epoch line.

You are right. That is the best way as we cannot be sure what else just
has not been discovered in the backdoor-ed releases.

Joshua already pushed the downgrade to xz @5.4.6 with the epoch bumped.
Thank you!

https://trac.macports.org/ticket/69619
https://github.com/macports/macports-ports/commit/a1388aee09c9e921e3a9d47cf9d37e5d3f3c10ad

Rainer


Re: XZ Utils Compromised Releases

2024-03-29 Thread Rainer Müller
On 29/03/2024 18.40, Fred Wright wrote:
> 
> On Fri, 29 Mar 2024, Frank Dean wrote:
> 
>> I received a security announcement on the Debian mailing list [1].  It
>> appears versions 5.6.0 of XZ Utils and later may be compromised.  I
>> also found a discussion on Openwall [2].
>>
>>
>> [1]:
>> https://lists.debian.org/debian-security-announce/2024/msg00057.html
>> 
>>
>> [2]: https://www.openwall.com/lists/oss-security/2024/03/29/4
>> 
>>
>>
>> I'm afraid that's all I know.  Just a heads-up.

Wow. That's an awful story.

The exploit seems to specifically target Linux systems only ("[...] it
is likely the backdoor can only work on glibc based systems.").

> In [1] they mention reverting to 5.4.5 to fix it.  It's not 100% clear
> from that whether 5.4.6 is affected, but it sounds like it's not.  Since
> MacPorts is currently at 5.4.6, the port is probably OK as long as it
> doesn't do any overzealous upgrading.

The xz port was updated to 5.6.1 just two days ago:
https://github.com/macports/macports-ports/commit/784e59f99e51adbadc663b1b689d66363adf193a

Based on the current information, the risk seems low for macOS systems.
Should we still be cautious and revert to version 5.4.6 and bump the
epoch to force a downgrade for everyone? Or do we expect a new upstream
release soon to sort this out?

Rainer