Backdoor in the xz library (a dependency via some OS/package managers)

Cross-posting this from EF:

Also note:

Also mentioned by bot on devtalk:


@AstonJ is there an ‘offtopic’ tag you can use and I can filter on?

As someone already posted somewhere, a version check which involves executing the possibly infected binary is not advisable.
Better to use the package manager of your Linux distribution, like
dpkg -l '*xz*'
or rpm -qa | grep xz

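The advice above (query package-manager metadata, never run the suspect binary) as a small POSIX shell helper. This is an added example, not code from the thread or from the xz project. It assumes the versions reported as carrying the backdoor are 5.6.0 and 5.6.1 (CVE-2024-3094); the `dpkg` and `rpm` output formats it parses are the standard ones, and the sample input used to exercise the parsers is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report the installed xz/liblzma version
# from package-manager metadata only, without ever executing the xz binary.
# Assumption: the backdoored releases are 5.6.0 and 5.6.1 (CVE-2024-3094).

# Return 0 if the given version string is one of the known-backdoored releases.
# Distro versions carry a suffix (e.g. "5.6.1-1"), so match on the prefix.
xz_version_affected() {
    case "$1" in
        5.6.0*|5.6.1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse "name=version" lines out of `dpkg -l` style output on stdin.
# Only installed ("ii") xz-utils / liblzma* rows are kept.
dpkg_xz_versions() {
    awk '$1 == "ii" && ($2 ~ /^xz-utils/ || $2 ~ /^liblzma/) { print $2 "=" $3 }'
}

# Same for `rpm -qa --qf '%{NAME} %{VERSION}\n'` output on stdin.
rpm_xz_versions() {
    awk '$1 == "xz" || $1 == "xz-libs" { print $1 "=" $2 }'
}

# Read "name=version" lines on stdin, print a verdict per package.
# Returns 0 if nothing is affected, 1 if at least one affected version was seen.
classify() {
    rc=0
    while IFS='=' read -r name ver; do
        [ -z "$name" ] && continue
        if xz_version_affected "$ver"; then
            echo "AFFECTED $name $ver"
            rc=1
        else
            echo "ok       $name $ver"
        fi
    done
    return $rc
}

# Live check: use whichever package manager is present; xz itself is never run.
check_host() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -l 'xz-utils' 'liblzma*' 2>/dev/null | dpkg_xz_versions | classify
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}\n' | rpm_xz_versions | classify
    else
        echo "no dpkg/rpm found; use your distribution's own package manager" >&2
        return 2
    fi
}
```

Run `check_host` on a Debian/Ubuntu or RPM-based host; the exit status is 1 when an affected version is installed, so it can be dropped straight into a fleet-wide audit loop. Package metadata can of course lie if the package itself was tampered with, but unlike `xz --version` it does not hand control to the code you are trying to assess.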

Hi @jimdigriz, usually anything off-topic is posted in our members-only section, however since this has been listed as an Erlang/Elixir dependency it has been posted in Erlang Chat (and pinned on request of @eiji7). I’m away from my computer atm so haven’t checked but if it is not an Erlang dependency in any way then we can move the thread to the Elixir or BEAM Chat section.

$ equery belongs /usr/bin/xz
 * Searching for /usr/bin/xz ... 
app-arch/xz-utils-5.4.2 (/usr/bin/xz)

In Gentoo the package responsible for the xz library is xz-utils. It’s not a direct dependency of erlang, but … :thinking:

  • it’s required by sys-libs/gpm (Console-based mouse driver)
  • which is required by sys-libs/ncurses - with gpm USE FLAG enabled, so I guess most if not all binary releases in other distributions have mouse support enabled
  • sys-libs/ncurses is a direct dependency of dev-lang/erlang

There is a terrible number (1065) of packages that require sys-libs/ncurses :exploding_head:

If you are not familiar with the web page then on Gentoo you can check it using:

# adjust depth of dependency tree to be returned (default is 1 i.e. it lists only direct dependencies)
equery depgraph erlang --depth=3 | grep xz-utils

While on Gentoo you can more or less control what parts of apps and libraries you want to install, on binary distributions there is no way that a typical Erlang developer never uses ncurses-based apps like htop, nano, links and many, many more … Since, as far as I know, it’s still unclear what all the exact cases are in which the malicious code is called, I would say that’s more than enough to keep it in this category, at least from a Gentoo user’s perspective. :+1:

That said, xz-utils is only part of the BDEPEND inside sys-libs/gpm, so it may not be related in binary distributions:

Build dependencies are used to specify any dependencies that are required to unpack, patch, compile, test or install the package (but see Implicit System Dependency for exemptions).

Source: Build Dependencies

Even so, the binary releases have to be compiled by someone anyway, and then there is a chance that pre-compiled binary releases are also affected, which is especially important in Gentoo-based distributions. :bug:


I’ve updated the title slightly to make it more specific :smiley:

Checking homebrew:

$ brew deps --tree --installed erlang
erlang
├── openssl@3
│   └── ca-certificates
├── unixodbc
│   └── libtool
│       └── m4
└── wxwidgets
    ├── jpeg-turbo
    ├── libpng
    ├── libtiff
    │   ├── jpeg-turbo
    │   ├── xz
    │   └── zstd
    │       ├── lz4
    │       └── xz
    └── pcre2

$ brew deps --tree --installed elixir
elixir
└── erlang
    ├── openssl@3
    │   └── ca-certificates
    ├── unixodbc
    │   └── libtool
    │       └── m4
    └── wxwidgets
        ├── jpeg-turbo
        ├── libpng
        ├── libtiff
        │   ├── jpeg-turbo
        │   ├── xz
        │   └── zstd
        │       ├── lz4
        │       └── xz
        └── pcre2

Also added your comment to the first post @dischoen :023:

Here is a Package Management Cheatsheet on DistroWatch site with 23 package managers grouped by categories. :smiling_imp:

btw, cheers to Slackware users :joy:

# List installed packages
ls /var/log/packages/