Xz format issue
- Backdoor in upstream xz/liblzma leading to SSH server compromise: the upstream xz repository and the xz tarballs have been backdoored.
- Found using valgrind; the backdoor is not present in version control, but in the binary files used to “test” the xz binary.
- xz is used in the openssh cli.
- the apparent author of the backdoor… has been part of the xz project for 2 years… and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.
- (1) safe interoperability among xz implementations is not guaranteed;
- (2) xz’s extensibility is unreasonable and problematic;
- (3) xz is vulnerable to unprotected flags and length fields;
- (4) LZMA2 is unsafe and less efficient than the original LZMA;
- (5) xz includes useless features that increase the number of false positives for corruption;
- (6) xz shows inconsistent behavior with respect to trailing data;
- (7) error detection in xz is several times less accurate than in bzip2, gzip and lzip.
Written on April 24, 2018; last updated on April 3, 2024

Tags: zip, archive, security, backdoor