
Backdoor Discovered in xz/liblzma Compression Library


A sophisticated backdoor was uncovered in recent versions of the widely-used xz/liblzma compression library, potentially compromising any Linux system using certain distributions' OpenSSH builds. The malicious code was introduced through a subtle build system compromise by a trusted contributor.

[2024-04-27] Check back for more updates as this situation evolves

Impacted systems

  • Linux systems running an OpenSSH server built with the backdoored xz/liblzma library
  • Primarily affects distributions that patch OpenSSH to link against libsystemd, which pulls in liblzma
  • Known affected distros: certain Debian, Fedora, and openSUSE builds; full impact still being assessed
  • Specific affected versions: xz 5.6.0 and 5.6.1; older versions also being audited
  • macOS systems that installed xz via Homebrew may be using affected versions, but the backdoor appears to have specifically targeted Linux on x86-64; running a Homebrew upgrade now installs a downgraded, "safe" version
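The two facts above that decide exposure (is one of the listed xz releases installed, and does the local sshd load liblzma at all, via libsystemd) can be checked on a host with a short script. The one below is an added example, not code from the original post or from the xz project; the function names are its own, the "xz --version" and "ldd" output formats it parses are those of the real tools, and the sample outputs embedded in it are constructed for an offline demonstration rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post: a quick exposure check for
# the xz/liblzma backdoor. It answers two questions a defender needs first:
# is one of the backdoored xz releases (5.6.0 or 5.6.1, per the post)
# installed, and does the local sshd load liblzma at all (the libsystemd
# linkage the post names as the path into OpenSSH)?
# Function and variable names are this example's own choices.

# Return 0 when the version string is one of the releases the post lists.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version out of `xz --version` output, whose first line reads
# "xz (XZ Utils) <version>"; the version is the last field of that line.
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Return 0 when the given `ldd` output shows liblzma being mapped in.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample output (not captured from a real host) so the helpers
# can be exercised offline. It models a host showing both indicators.
SAMPLE_XZ_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_OUTPUT='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Return 0 when the sample shows both indicators together: an affected xz
# version and an sshd that loads liblzma.
sample_is_affected() {
    sample_ver=$(xz_version_from_output "$SAMPLE_XZ_VERSION_OUTPUT")
    is_affected_xz_version "$sample_ver" && ldd_links_liblzma "$SAMPLE_LDD_OUTPUT"
}

# Run both checks against the live host. Returns 0 when neither indicator is
# present and 2 when at least one is; findings are printed as they are found.
check_host() {
    found=0
    if command -v xz >/dev/null 2>&1; then
        host_ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if is_affected_xz_version "$host_ver"; then
            echo "FINDING: installed xz $host_ver is one of the backdoored releases"
            found=1
        else
            echo "ok: installed xz version is $host_ver"
        fi
    else
        echo "info: xz is not installed"
    fi

    sshd_path=$(command -v sshd 2>/dev/null)
    if [ -z "$sshd_path" ] && [ -x /usr/sbin/sshd ]; then
        sshd_path=/usr/sbin/sshd
    fi
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "FINDING: $sshd_path loads liblzma; treat it as exposed if xz is affected"
            found=1
        else
            echo "ok: $sshd_path does not load liblzma"
        fi
    else
        echo "info: sshd or ldd not found, linkage check skipped"
    fi

    if [ "$found" -eq 0 ]; then
        return 0
    else
        return 2
    fi
}

# When run directly, report the host's status (exit status 2 signals a finding).
check_host
```

Two caveats when using this on a real host. The version match is deliberately narrow: it flags only the two releases the post lists, so a distribution build that has already been reverted will report as ok, and any other version the ongoing audit later implicates would need adding to the case list. And `ldd` resolves transitive dependencies (which is exactly why it sees liblzma pulled in through libsystemd), whereas `readelf -d sshd` or `objdump -p sshd` only list sshd's direct NEEDED entries and would miss it; the trade-off is that `ldd` may invoke the dynamic loader on the binary, so on a host you already suspect is compromised, run it from a rescue environment or inspect the libsystemd dependency chain with `readelf` step by step instead.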

How it happened

  • Jia Tan, an xz project maintainer since 2022, made malicious changes disguised as fixes
  • Jia hid backdoor code in build system files and binary test data
  • The backdoor injected code into OpenSSH's authentication process, potentially enabling remote code execution
  • It was discovered after the changes impacted SSH performance, sparking an audit

Current state

  • Linux distributions have reverted to pre-compromise xz versions
  • A full audit of the xz codebase and of the contributor's other work is underway
  • OpenSSH servers built with affected libs should be considered compromised
  • GitHub suspended Jia Tan's account
  • XZ Utils code moved back to tukaani.org
  • Lasse Collin has provided a brief update on the situation

Open questions

  • Whether older xz versions also contain hidden vulnerabilities
  • Whether the contributor compromised other projects they worked on (e.g. libarchive)
  • Identity and motivations of threat actor(s)
  • Potential involvement or victimhood of the original xz maintainer, Lasse Collin