Описание
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Отчет
Current investigation indicates that the packages are only present in Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem. No versions of Red Hat Enterprise Linux (RHEL) are affected. The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is only included in the tarball download package. The Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present. Without the merge into the build, the 2nd-stage file is innocuous. In the finder’s demonstration, it was found that it interfered with the OpenSSH daemon. While OpenSSH is not directly linked to the liblzma library, it does communicate with systemd in such a way that exposes it to the malware due to systemd linking to liblzma.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | xz | Not affected | ||
| Red Hat Enterprise Linux 6 | xz | Not affected | ||
| Red Hat Enterprise Linux 7 | xz | Not affected | ||
| Red Hat Enterprise Linux 8 | xz | Not affected | ||
| Red Hat Enterprise Linux 9 | xz | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 8 | xz | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
10 Critical
CVSS3
Связанные уязвимости
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Malicious code was discovered in the upstream tarballs of xz, starting ...
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions.
Уязвимость библиотеки liblzma пакета для сжатия данных XZ Utils, позволяющая нарушителю выполнить произвольный код
EPSS
10 Critical
CVSS3