Debian Bug report logs - #1068024
revert to version that does not contain changes by bad actor


Package: xz-utils; Maintainer for xz-utils is Jonathan Nieder <jrnieder@gmail.com>; Source for xz-utils is src:xz-utils (PTS, buildd, popcon).

Reported by: Joey Hess <id@joeyh.name>

Date: Fri, 29 Mar 2024 20:36:01 UTC

Severity: important

Tags: security

Found in version xz-utils/5.6.1+really5.4.5-1

Forwarded to https://tukaani.org/xz-backdoor/



Message #62 received at 1068024@bugs.debian.org:

Received: (at 1068024) by bugs.debian.org; 30 Mar 2024 18:17:00 +0000
From joey@kitenet.net Sat Mar 30 18:17:00 2024
X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02
	(2021-04-09) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-11.8 required=4.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FOURLA,HAS_BUG_NUMBER,
	HEADER_FROM_DIFFERENT_DOMAINS,PGPSIGNATURE,SPF_HELO_PASS,SPF_PASS
	autolearn=ham autolearn_force=no
	version=3.4.6-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 125; hammy, 150; neutral, 284; spammy,
	0. spammytokens: hammytokens:0.000-+--H*ct:application,
	0.000-+--H*ct:protocol, 0.000-+--H*ct:micalg, 0.000-+--H*ct:signed,
	0.000-+--H*ct:pgp-signature
Return-path: <joey@kitenet.net>
Received: from kitenet.net ([66.228.36.95]:58160)
	by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
	(Exim 4.94.2)
	(envelope-from <joey@kitenet.net>)
	id 1rqdGE-005DZ1-5s
	for 1068024@bugs.debian.org; Sat, 30 Mar 2024 18:17:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=joeyh.name; s=mail;
	t=1711822612; bh=PWzYpjaNvygpekktFk/rFLWMVdnbgnHZLIFwWc0Jyxw=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=dng0vKTAgB2QjrPewhGOoHaWmcGDR9F0RxjyYnhNbyB5Mt2u5w1w+KOr8zDEVFcVz
	 3E01annCQYY1xcLb0hYdlLipmK8Lj+oY7Ay2wXKU5QQ/dHXs/LMnM3gOif73WUO5x0
	 afusNggE7K7QQcHVxoUtzpG5ROsdyN85KhY52Ap0=
X-Question: 42
Date: Sat, 30 Mar 2024 14:16:52 -0400
From: Joey Hess <id@joeyh.name>
To: Aurelien Jarno <aurelien@aurel32.net>
Cc: 1068024@bugs.debian.org
Subject: Re: Bug#1068024: revert to version that does not contain changes by
 bad actor
Message-ID: <ZghXFP5JiJgCMyiY@kitenet.net>
References: <ZgcjtvSjQM59nX_w@kitenet.net>
 <ZgczZzqFSq450Nlh@aurel32.net>
 <ZggHu6gxzO6nwMa5@kitenet.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="70LVbQ39NLNUHp1l"
Content-Disposition: inline
In-Reply-To: <ZggHu6gxzO6nwMa5@kitenet.net>
[Message part 1 (text/plain, inline)]
I have prepared a git repository that is a fork of xz from the point I
identified before the attacker(s) did anything to it. In my fork, I have
renamed liblzma to liblzmaunscathed. That allows it to be installed
alongside current dpkg without breaking dpkg with an old version of
liblzma. 

My git repository is here (note all my commits are gpg signed):
https://git.joeyh.name/index.cgi/xz-unscathed/

It also has a debian branch which contains a debian directory. I've
built packages of that, as well as building dpkg-1.22.6 against it.
I've attached the patch I used to build dpkg.

My build of dpkg ended up not being linked to a lzma library at all,
because liblzmaunscathed is too old to support concurrent decompression,
which the configure script detects. So dpkg-deb instead uses xz-utils
to decompress debs. I replaced xz-utils.deb with the one built from my
fork, and dpkg seems to work fine using it.

If Debian decided to go this route, you could add xz-utils-unscathed
to unstable, and at the same time update xz-utils to not build
xz-utils.deb. Then build dpkg against it. Then look into forward porting
or re-implementing concurrent decompression if that is really important
to have.

I only plan to maintain this fork minimally, e.g. backporting security
fixes. The goal is not to take over from xz upstream, but to get the
possibly backdoored code off of production systems ASAP. Presumably xz
upstream will come up with their own solution long-term.

-- 
see shy jo
[dpkg.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
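The message above turns on two practical checks: which upstream source actually sits behind an installed xz-utils version (the version in this report, 5.6.1+really5.4.5-1, is 5.4.5 source labelled to sort above 5.6.1, which a naive version comparison gets wrong in both directions), and whether the dpkg-deb binary on a host is dynamically linked to liblzma at all, as opposed to shelling out to the xz tool. The following Python is an added example, not code from the bug report, from Joey Hess's fork or from Debian; the set of backdoored upstream releases (5.6.0 and 5.6.1, CVE-2024-3094) is taken from the public advisory rather than from this page, and the `ldd` sample output is constructed.

```python
import re
import shutil
import subprocess

# Upstream xz releases that shipped the backdoor (CVE-2024-3094). Assumption:
# taken from the public advisory, not from the bug report itself.
BACKDOORED_UPSTREAM = {"5.6.0", "5.6.1"}

# Constructed sample `ldd dpkg-deb` output: one binary linked to liblzma, one not.
SAMPLE_LDD_LINKED = (
    "\tlinux-vdso.so.1 (0x00007ffd4b5f2000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c2a3c0000)\n"
    "\tlibzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f1c2a2e0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a100000)\n"
)
SAMPLE_LDD_UNLINKED = (
    "\tlinux-vdso.so.1 (0x00007ffd4b5f2000)\n"
    "\tlibzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f1c2a2e0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a100000)\n"
)


def effective_upstream_version(debian_version: str) -> str:
    """Return the upstream version whose source actually went into a Debian
    package version string.

    Debian syntax is [epoch:]upstream[-revision]. When a maintainer reverts to
    older source without going backwards in sort order, the old number is kept
    and "+really<actual>" appended, so 5.6.1+really5.4.5-1 (the version in this
    report) contains 5.4.5 source even though it sorts above 5.6.1.
    """
    v = debian_version.strip()
    if ":" in v:                      # drop the epoch
        v = v.split(":", 1)[1]
    if "-" in v:                      # drop the Debian revision (after the last dash)
        v = v.rsplit("-", 1)[0]
    m = re.search(r"\+really([0-9][^+~]*)", v)
    return m.group(1) if m else v


def is_backdoored_xz(debian_version: str) -> bool:
    """True if the source behind this xz-utils version is a backdoored release.
    Pre-release suffixes (~rc1) are treated conservatively as the release."""
    upstream = effective_upstream_version(debian_version)
    m = re.match(r"\d+(?:\.\d+)*", upstream)
    return bool(m) and m.group(0) in BACKDOORED_UPSTREAM


_LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)")


def lzma_libraries(ldd_output: str) -> list:
    """Parse `ldd` output and return (soname, path) for every liblzma it resolves."""
    found = []
    for line in ldd_output.splitlines():
        m = _LDD_LINE.match(line)
        if m and m.group(1).startswith("liblzma"):
            found.append((m.group(1), m.group(2)))
    return found


def dpkg_deb_lzma_libraries() -> list:
    """Run `ldd` on the installed dpkg-deb, if there is one. Returns [] when it
    is not linked to liblzma or when dpkg-deb/ldd are absent on this host."""
    dpkg_deb = shutil.which("dpkg-deb")
    ldd = shutil.which("ldd")
    if not dpkg_deb or not ldd:
        return []
    res = subprocess.run([ldd, dpkg_deb], capture_output=True, text=True, check=False)
    return lzma_libraries(res.stdout)


if __name__ == "__main__":
    for ver in ("5.6.1-1", "5.6.1+really5.4.5-1", "5.4.5-0.3"):
        print(f"{ver:24} upstream={effective_upstream_version(ver):8} "
              f"backdoored={is_backdoored_xz(ver)}")
    print("sample (linked):   ", lzma_libraries(SAMPLE_LDD_LINKED))
    print("sample (unlinked): ", lzma_libraries(SAMPLE_LDD_UNLINKED))
    print("this host dpkg-deb:", dpkg_deb_lzma_libraries())
```

On a real host, feed `dpkg-query -W -f '${Version}' xz-utils liblzma5` into `is_backdoored_xz` and compare `dpkg_deb_lzma_libraries()` with what the message describes: a dpkg built against the renamed, older library reports no liblzma at all, because configure found no concurrent-decompression support and dpkg-deb falls back to the xz tool.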



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 3 22:04:47 2024; Machine Name: bembo
