Andres Freund has discovered that the upstream XZ repository and the XZ tarballs have been backdoored. The majority of Linux distributions that are affected by this issue are either very new or rolling release distributions. A brief summary of all the most recent updates is as follows:
XZ-Utils Security Update for Debian Testing
XZ Utils Security Advisory for Gentoo
XZ Security Update for Arch Linux
XZ-Utils Update for Kali Linux
XZ Security Issue in Fedora Linux 40 and Rawhide
backdoor in upstream xz/liblzma leading to ssh server compromise
After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:
The upstream xz repository and the xz tarballs have been backdoored.
At first I thought this was a compromise of debian's package, but it turns out to be upstream.
== Compromised Release Tarball ==
One portion of the backdoor is *solely in the distributed tarballs*. For easier reference, here's a link to debian's import of the tarball, but it is also present in the tarballs for 5.6.0 and 5.6.1:
https://salsa.debian.org/debian/xz-utils/-/blob/debian/unstable/m4/build-to-host.m4?ref_type=heads#L63
That line is *not* in the upstream source of build-to-host, nor is build-to-host used by xz in git. However, it is present in the tarballs released upstream, except for the "source code" links, which I think github generates directly from the repository contents:
https://github.com/tukaani-project/xz/releases/tag/v5.6.0
https://github.com/tukaani-project/xz/releases/tag/v5.6.1
This injects an obfuscated script to be executed at the end of configure. This script is fairly obfuscated and data from "test" .xz files in the repository.
[oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise
