The Linux data compression tool xz-Utils is available again through GitHub. Last month, a backdoor was discovered, prompting GitHub to temporarily disable the tool’s repositories.
Lasse Collin, the developer of xz-Utils, announced via his personal website that the repositories are available again. He has made several adjustments, including changes to security policies. Collin further urges people not to disclose vulnerabilities immediately when they find them but to report them to him first. He promises to release updates for reported security issues soon.
In addition, Collin has issued commits to remove the backdoor in versions 5.6.0 and 5.6.1 and to denounce the maintainer who added the backdoor (and has since vanished without a trace).
‘Repository review has priority’
Collin further states on his website that he plans to write an article about how the backdoor ended up in the releases and what lessons can be learned. He indicates that he is still studying the details but currently prioritizes reviewing the repository over writing the planned article. Thus, according to the xz creator, such ‘lessons learned’ will undoubtedly take a few more days to produce.
He further reports that he is discussing the need to completely rewrite the master branch to remove the malicious files to avoid triggering antivirus software. A clean, stable release version of xz Utils is likely to be immediately given version number 5.8.0 (skipping 5.7) to distinguish as much as possible between the clean version and the earlier infected 5.6.x versions. The most recent stable version now on GitHub is version 5.4.6.
A timely discovery
The perpetrator or group behind the backdoor (known as ‘Jia Tan’) made changes to the tool, including ‘useful’ ones, over more than two years. In the process, they pressured Linux distributors to include compromised versions of xz because of supposed new features.
On Good Friday this year, a Microsoft researcher discovered that the compromised tool components inserted code into the SSH login process, through which malicious actors could gain unauthorized access to systems.
Ultimately, the compromised 5.6.0 and 5.6.1 versions of xz ended up in only a few Linux distributions. Most of these are development, test, or experimental versions not in regular use. Their timely discovery has prevented the rogue version from getting into production environments.
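As an added defender's check (not part of the article or of the xz Utils project), the POSIX shell script below reads the version that an installed `xz` reports and flags the two releases the article names as compromised, 5.6.0 and 5.6.1. It assumes `xz --version` prints a first line of the form `xz (XZ Utils) X.Y.Z`; the sample output fed to it here is constructed.

```shell
#!/bin/sh
# Added example: flag installed xz builds that report one of the version
# numbers the article names as backdoored (5.6.0 and 5.6.1).
# Assumption: `xz --version` prints "xz (XZ Utils) X.Y.Z" on its first line.

# Return 0 (true) if the version string is a known-compromised release.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version number from `xz --version` output: first line, last field.
xz_version_from_output() {
    printf '%s\n' "$1" | head -n 1 | awk '{ print $NF }'
}

# Map a version string to a verdict for reporting.
classify_xz_version() {
    if is_backdoored_xz_version "$1"; then
        echo "BACKDOORED"
    else
        echo "not-in-list"
    fi
}

# Check the xz binary on PATH, if any. Absence of xz is reported, not an error.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    v=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    echo "installed xz $v: $(classify_xz_version "$v")"
}

# Constructed sample output, as a compromised 5.6.1 build would print it.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

echo "sample: $(classify_xz_version "$(xz_version_from_output "$SAMPLE_OUTPUT")")"
check_installed_xz
```

A version match is only a first screen: a build that reports 5.6.0 or 5.6.1 should be treated as compromised, but a "not-in-list" result says nothing about whether the binary came from an untampered source, so pair the check with the distribution's own package advisories.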