Resolved: XZ tools and libraries compromised with a critical issue


I saw this

and on my ClearLinux server, I see:

$ xz --version
xz (XZ Utils) 5.6.1
liblzma 5.6.1

I guess that is effected and removing it is a bad idea, since swupd would remove it with 47 other bundles.

I hope the CL devs know about this. :slight_smile:

Someone wrote on Github:

Using --disable-ifumc is another mitigation possibility. Or simply downgrade

Is already prepared in 41370: xz-utils compromised >= 5.6.0 · Issue #255 · clearlinux/clr-bundles · GitHub

the 41370 build has been rolling out for some time, and at least my own personal machine got updated to it already – if you really cannot wait for the rollout and somehow your swupd does not see 370 yet you can force it with “swupd update --format staging”

a few other comments

  • It seems we got very lucky, in that our sshd does not link to liblzma … not going to claim that we were smart or anything – this is luck…but I’ll take it
  • we’re preparing a 41380 build right now that also removes xz support from big chunks of the OS for places where it was really optional and “just in case” kind of stuff (most of these places switched to zstd already as default) — but our patience for xz/liblzma obviously has run out and we just want to not use it anymore anywhere we can
  • this does not mean that /usr/bin/xz goes away – that would be extreme and the only time we would consider that is if the international investigation into this thing makes it impossible to keep
  • but assume we’ll try hard to have liblzma be unused completely outside of /usr/bin/xz