The discovery of a backdoor in versions 5.6.0 and 5.6.1 of xz was disclosed today:

xz is a very popular library for compressing data. avbroot uses xz to compress and decompress ramdisks and parts of an OTA's `payload.bin`.

### If you use the prebuilt avbroot binaries distributed at https://github.com/chenxiaolong/avbroot/releases

**NOT AFFECTED**

The prebuilt binaries statically link the xz library. The Rust bindings for the xz library compile xz by directly running the C compiler on the `*.c` files. The backdoor involves a malicious `build-to-host.m4` autotools build script as well as malicious `.xz` sample test files. Neither of these files is read by the Rust bindings' build process.

Additionally, the prebuilt avbroot binaries do not use an affected version of xz.
| avbroot | Rust bindings | Bundled xz version |
|---|---|---|
| >= 3.1.0 | liblzma-sys 0.2.5 | 5.4.6 |
| >= 2.0.3 | lzma-sys (my fork) | 5.4.4 |
| >= 2.0.0 | lzma-sys 0.1.20 | 5.2.5 |
### If you build avbroot yourself or are using the old Python version of avbroot

**POTENTIALLY AFFECTED** - I write "potentially" because the backdoor primarily targets sshd. I have not done a thorough analysis, but at first glance, it does not seem to exploit things in a way that would affect avbroot. Nevertheless, if the conditions below apply, make sure your system is patched!

In this scenario, avbroot is using the system xz libraries. The system xz library may contain the backdoor if:

- You're running Linux on an x86_64 machine
- Your distro uses deb or rpm packages
- Your system xz version is 5.6.0 or 5.6.1

Check with your Linux distribution to determine how they are addressing this issue.
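The following script is an added example and is not part of the original issue or of the avbroot project. It turns the conditions listed above into a check you can run on the machine where you build avbroot or run the old Python version: it reads the system xz version, the OS and architecture, and the package format, and reports whether all of the conditions apply. It also checks whether a given avbroot binary loads the shared `liblzma` at all, which the statically linked prebuilt binaries should not. The function names and the sample strings used to exercise the functions are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original avbroot issue. It scripts the
# checks the issue describes for a self-built avbroot or the old Python
# version: is the system xz one of the backdoored releases (5.6.0 or 5.6.1)
# on a Linux x86_64 machine using deb or rpm packages? It also checks
# whether a given avbroot binary links the system liblzma at all, which
# the prebuilt (statically linked) binaries should not.
# Function names and the constructed sample strings are assumptions of
# this example.

# The first line of `xz --version` looks like "xz (XZ Utils) 5.6.1"; pull
# out the version number. Prints nothing if the line does not match.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) only for the two releases named in the disclosure.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# True if OS, architecture and package format match the conditions in the
# issue: Linux, x86_64, deb- or rpm-based distribution.
platform_matches() {
    [ "$1" = "Linux" ] && [ "$2" = "x86_64" ] &&
        { [ "$3" = "deb" ] || [ "$3" = "rpm" ]; }
}

# Guess the package format from the package manager that is present.
detect_pkg_format() {
    if command -v dpkg >/dev/null 2>&1; then echo deb
    elif command -v rpm >/dev/null 2>&1; then echo rpm
    else echo other
    fi
}

# True if ldd output shows the binary loading the shared liblzma, i.e. it
# would pick up whatever xz the distro ships instead of a bundled copy.
ldd_output_uses_system_lzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine the system checks. Arguments: os arch pkg xz_version.
# Prints a verdict; exit status 0 means "all conditions apply, patch now".
check_system() {
    if platform_matches "$1" "$2" "$3" && xz_version_affected "$4"; then
        echo "xz $4 on $1/$2 ($3): matches the conditions in the advisory; update xz via your distro"
        return 0
    fi
    echo "xz ${4:-unknown} on $1/$2 ($3): does not match the conditions in the advisory"
    return 1
}

# Run against the live machine. Usage: sh check.sh [path/to/avbroot]
if command -v xz >/dev/null 2>&1; then
    live_ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
else
    live_ver=""
fi
check_system "$(uname -s 2>/dev/null)" "$(uname -m 2>/dev/null)" \
    "$(detect_pkg_format)" "$live_ver" || true
if [ -n "${1:-}" ] && command -v ldd >/dev/null 2>&1; then
    if ldd_output_uses_system_lzma "$(ldd "$1" 2>/dev/null)"; then
        echo "$1 links the system liblzma (not a statically linked prebuilt)"
    else
        echo "$1 does not link the system liblzma"
    fi
fi
```

A "does not match" verdict only means the three conditions from the issue do not all hold; the distro's own advisory remains the authority on whether a given package build is safe, so still apply the distribution's fix if one is published for your version.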