chris , (edited )
@chris@mstdn.games avatar

How to quickly check if your system may be affected by the recent XZ utils backdoor.

Update: (thx @scy) I've been advised not to run "xz --version" because the full extent of this backdoor is still being researched. Instead use your package manager to check the version, i.e. for apt that would be:

apt list liblzma5

very bad: versions 5.6.0 or 5.6.1

5.4.6 or earlier - probably ok, no one knows for sure right now, keep an eye out for updates

colin ,
@colin@colincogle.name avatar

@chris Good news, Ubuntu LTS is still on the 5.2 branch.

scy ,
@scy@chaos.social avatar

@chris Note that by doing this, you're actually running xz, a binary which the attacker has had under their control for years, and which may include more malware than we currently know about.

It has not yet been analyzed fully. Versions older than 5.6 might have been manipulated, too. We don't know yet.

This is bad advice.

The correct way to check would be to ask your package manager which version is installed.

andreclaassen ,
@andreclaassen@ruhr.social avatar

@chris phew, I'm still at 5.2.5 on

MsDropbear425 ,
@MsDropbear425@infosec.exchange avatar

@chris Hi. Fwiw, whilst using the xz --version string will suffice for many distros, it's inadequate for based ones, as here the important detail is revealed by the 4th significant figure, whereas version only reports the first 3.

Eg:

$> xz --version
xz (XZ Utils) 5.6.1
liblzma 5.6.1

vs

$> pacman -Qi xz
Name            : xz
Version         : 5.6.1-2
Description     : Library and command line tools for XZ and LZMA compressed files
Architecture    : x86_64
URL             : https://xz.tukaani.org/xz-utils/
Licenses        : GPL  LGPL  custom
Groups          : None
Provides        : liblzma.so=5-64
Depends On      : sh
Optional Deps   : None
Required By     : base  bind  botan  botan2  clonezilla  ffmpeg  ffmpeg4.4  file  gdb  gimp
                  graphicsmagick  grub  imagemagick  imlib2  karchive  kmod  libakonadi  libarchive
                  libelf  libtiff  libunwind  libxml2  libxmlb  libxslt  ostree  raptor  systemd
                  systemd-libs  ventoy-bin  wxwidgets-common  yelp  zstd
Optional For    : mkinitcpio  python
Conflicts With  : None
Replaces        : None
Installed Size  : 2.46 MiB
Packager        : Frederik Schwan <freswa@archlinux.org>
Build Date      : Fri 29 Mar 2024 08:06:56 AEDT
Install Date    : Sat 30 Mar 2024 08:39:22 AEDT
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : SHA-256 Sum  Signature

Per the latest Arch News, the newly pushed out -2 is the safe one, after updating from -1.
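
Added example, not part of any post in this thread: a shell check that reads the version from the package database instead of executing xz, and looks at the distro revision as well as the upstream number. The function names and verdict strings are hypothetical; the package names (liblzma5 for apt/dpkg, xz for pacman) and the version verdicts are the ones given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): read the xz/liblzma version from the
# package database instead of executing the possibly compromised xz binary.

# classify_xz_version VERSION [DISTRO]
# VERSION is the package manager's string, e.g. "5.6.1-2"; DISTRO "arch" is optional.
classify_xz_version() {
    ver=${1#*:}              # drop a Debian-style epoch such as "1:"
    upstream=${ver%%-*}      # upstream release: text before the first "-"
    case "$ver" in
        *-*) rev=${ver#*-} ;;  # distro revision / pkgrel
        *)   rev="" ;;
    esac
    case "$upstream" in
        5.6.0|5.6.1)
            # Per the thread, Arch's rebuilt 5.6.1-2 is the safe package; the
            # upstream number alone cannot tell -1 and -2 apart.
            if [ "${2:-}" = "arch" ] && [ "$upstream" = "5.6.1" ] && [ "$rev" = "2" ]; then
                echo "arch-rebuilt"
            else
                echo "very-bad"
            fi ;;
        *)  echo "not-flagged" ;;  # not one of the two versions the thread flags
    esac
}

# Query the package database only; xz itself is never run.
check_installed() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}\n' liblzma5 2>/dev/null | head -n 1); d=deb
    elif command -v pacman >/dev/null 2>&1; then
        v=$(pacman -Q xz 2>/dev/null | awk '{print $2}'); d=arch
    else
        echo "no supported package manager found"; return 0
    fi
    if [ -n "$v" ]; then
        echo "installed: $v -> $(classify_xz_version "$v" "$d")"
    else
        echo "xz/liblzma package not found in the package database"
    fi
}

check_installed
```

A "not-flagged" result only means the version is not 5.6.0 or 5.6.1; as the thread says, older versions are "probably ok" rather than confirmed clean.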
