[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] User advisory to check for xz-utils backdoor

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-relays] User advisory to check for xz-utils backdoor
From: pasture_clubbed242--- via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 29 Mar 2024 18:39:05 +0000
Arc-authentication-results: i=1; mail.protonmail.ch
Arc-message-signature: i=1; a=rsa-sha256; d=simplelogin.co; s=arc-20230626; t=1711737554; c=relaxed/simple; bh=OwDjhSwgTcovOaks7FasNO/oliJuouZxgmpqfpZFLDQ=; h=Date:Subject:From:To; b=ZoRLDOgsGe8ZgQNEYFYOElLLS+kvYL6xgQxu3j+80+bG5Xq55vDuJVHTsH6z8aTwlgt2yAIgIH4PLrNhs7sTE5yDu3LcEcNHo8YHSs9woFOMaH+oG/mwPnMgyzqQ6vr5kTK0oe0FJoVtRgObkxNDYgwWYFR7e4ylwRBloIBFAbLfVMbV80275Zyes7OGtRv/9T9Oc2wYSmjnu1QXOQJbhZ5Ku3yMHvb6EJHRAsJXlcVWVNE24QEyhMsG6lOLwzuJtiixyKwID+Km5eq4f+ZrlvDo6O5Em3+lfaWeNLBNwumR81OR4R35tlJ3kpuaaPbnTx5a3Y2IU6bKvivk1/RL5Q==
Arc-seal: i=1; a=rsa-sha256; d=simplelogin.co; s=arc-20230626; t=1711737554; cv=none; b=mtCU6eSu42ovaIDWk/oDgdesa2cjsCmW0Wb6whAFayZNYdDamioy2wDBti4oR+NZcJhzxHHgUksaxdQPTqaLQF3lR30vlgNExWHZpjlY1NKQPA9lcUAeSmGUTgTufFCXs4P1LXUktCinbW6gFiOjYxj4T8X9+JYJz30r+QvdqrPSJmn8EKEklFfVrPb3RcFp2eisLZLxVOC/arS1/onnCuQzp9CdxnpdkGyk21Gsp4nQEGR3gvg2nJhItSU1hEIGpP9RSxH7WoQX7+WAItSWBJaqsZ79a6ivYpC5TafKj/TnuTRjf3nMZG2LdDk1E+saK24nKm0uPgCcks+zWAnlSw==
Cc: pasture_clubbed242@xxxxxxxxxxxxxxx
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 02 Apr 2024 06:16:47 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1712052859; bh=9BMZfC09CICZQTUHOrNVbdWGY0lNt16U3ykEeOf8XA8=; h=Date:To:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:Cc:From; b=u8VPE5CVR9ijhqMOuOlR9ZNF2j8giMt5iXEBYjVi9SRI04dMVw9yGaoy1hgTknjQO REmg7CSyIsLza+IPhTgisYd0g48CefKUSES03NyKhnHBFmcZiTjp7Gl5jSqCvsT2bx C6CFZZK+T5OaFrfYAAbOY6OOSwGeFm83m3s5Kndrg+mbK1V7pYGhCLQZ6D6gFJ1LQd So5Ar5qTF9Par0dB7WvOyAyuONfLlQ3i5ecYYJzVEojotJtnahUhB8ZhtAAJF70f5R cTAUZKSYUGyR31JYnAWYLbt1JghHpSzFSsqBZRKg7lFNsIelzY2UGlEO+6L98MBbCe Hrx42mdpxlVGA==
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Greetings,

I do not normally use mailing lists such as this one to inform subscribers of security notices, but this issue is extreme enough where it may benefit the anonymity of Tor users if relay operators are aware of it sooner. 


The near-universally used 'xz' compression library has been found to contain a backdoor in certain code branches. This backdoor has made it into some systems such as Debian Sid. 

Details regarding this backdoor are available here.
https://www.openwall.com/lists/oss-security/2024/03/29/4

It is suspected that if your OpenSSH server links to the xz library, which Debian appears to do so, then this backdoor is remotely exploitable. If your OpenSSH server does not link to this library, then your system still contains many processes that run xz actions as the root user, some input of which may be less than trusted.

For those needing a patch, I recommend you research your distribution's security advisory page for further information. 

References:
Debian Sid Advisory: https://security-tracker.debian.org/tracker/CVE-2024-3094

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] User advisory to check for xz-utils backdoor
  - From: boldsuck via tor-relays

Prev by Author: Re: [tor-relays] issues with tor rpm : anyone sees what I am doing wrong ?
Next by Author: Re: [tor-relays] issues with tor-nightly-main repo
Previous by thread: Re: [tor-relays] Backdoor in upstream xz/liblzma leading to ssh server compromise
Next by thread: Re: [tor-relays] User advisory to check for xz-utils backdoor
Index(es):
- Author
- Thread