Red Hat today issued an "urgent security alert" for Fedora 41 and Fedora Rawhide users over XZ. Yes, the XZ tools and libraries for this compression format. Malicious code was added to XZ 5.6.0/5.6.1 that could allow unauthorized remote system access.
Red Hat cites CVE-2024-3094 for this XZ security vulnerability, which stems from malicious code making it into the codebase. I haven't seen CVE-2024-3094 made public yet, but the Red Hat security alert sums it up as:
"The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package – the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present.
The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely."
Ouch! XZ 5.6 debuted one month ago and XZ 5.6.1 came out three weeks ago. As of writing, no XZ 5.6.2 or similar release is yet available with the malicious code removed.
The urgent Red Hat warning can be found via the Red Hat blog. Debian has also issued a similar security message over the malicious code within XZ Utils.
Long story short, make sure you don't have XZ 5.6.0/5.6.1 on your systems now.
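One quick way to act on that advice is to compare the versions reported by `xz --version` (the tool line and the liblzma line) against the two versions named in the advisory. The script below is an added example, not from the article or from Red Hat/Debian; it only matches version strings and does not inspect the library itself, so a result of "does not match" means the reported version is not 5.6.0 or 5.6.1, nothing more. The sample `xz --version` lines in the usage are constructed.

```sh
#!/bin/sh
# Added example (not the article's or any vendor's code): flag an xz / liblzma
# whose reported version is one of the two named in CVE-2024-3094, 5.6.0 or 5.6.1.

# Return 0 (true) when the version string is one of the two advisory versions.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the x.y.z version number from one line of `xz --version` output.
# Those lines look like "xz (XZ Utils) 5.6.1" and "liblzma 5.6.1".
version_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*[ ]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Classify one line: prints "AFFECTED <v>" (returns 0) or "ok <v>" (returns 1);
# returns 2 when no version could be parsed from the line.
classify_line() {
    v=$(version_from_line "$1")
    [ -n "$v" ] || { printf 'unparsed: %s\n' "$1"; return 2; }
    if xz_version_is_affected "$v"; then
        printf 'AFFECTED %s\n' "$v"; return 0
    fi
    printf 'ok %s\n' "$v"; return 1
}

# Check a whole `xz --version` output (tool line plus liblzma line).
# Returns 0 if any line reports an affected version, 1 otherwise.
check_xz_output() {
    found=1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if classify_line "$line"; then found=0; fi
    done <<EOF
$1
EOF
    return $found
}

# Usage on the real host: only runs if xz is installed.
if command -v xz >/dev/null 2>&1; then
    if check_xz_output "$(xz --version 2>/dev/null)"; then
        echo "xz/liblzma reports a CVE-2024-3094 version; downgrade or update per your distro advisory"
    else
        echo "xz/liblzma version does not match 5.6.0/5.6.1"
    fi
fi
```

Because the advisory concerns the liblzma that sshd ends up loading through systemd, the liblzma line matters more than the xz tool line; on a host where the two differ, the library version is the one to act on.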
Update: More information is now available on the oss-security list with the discovery by Andres Freund.