How to Use Socket to Find out if You Were Affected by the Backdoored xz Package

Sarah Gooding

Philipp Burckhardt

March 30, 2024


XZ utils, a package for data compression software used in nearly every Linux distribution, was found to be backdoored and may allow unauthorized access to affected systems.

This set off a number of urgent security alerts from CISA, Red Hat, Kali Linux, and others. The malicious code is included in versions 5.6.0 and 5.6.1 of the xz libraries and was discovered by PostgreSQL developer and committer Andres Freund.

From the GitHub Advisory Database:

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions.

To find out which version you have installed, open a terminal and run the following command:

$ xz --version
xz (XZ Utils) 5.4.6
liblzma 5.4.6

If you are running 5.6.0 or 5.6.1, developers and users are strongly advised to downgrade XZ Utils to an uncompromised version such as XZ Utils 5.4.6 Stable. macOS users who installed XZ Utils using Homebrew can move to the latest non-malicious version by running the following command in their terminal:

brew upgrade xz

Linux users on Debian-based distributions such as Ubuntu can update XZ Utils via sudo apt-get update followed by sudo apt-get install --only-upgrade xz-utils.
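The version check above is easy to script. The following POSIX shell snippet is an added example, not part of the original Socket post: it parses the two-line output of `xz --version`, flags the two versions the post identifies as backdoored, and, on glibc-based Linux, reports which liblzma a binary such as sshd resolves at load time (the advisory quoted above notes that sshd is one of the consumers of the modified liblzma). The function names, the `XZ_AUDIT_RUN` environment variable and the sample version strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Socket post): audit the installed XZ Utils /
# liblzma version and show which liblzma a binary such as sshd links against.

# Versions the post identifies as carrying the backdoor.
BAD_VERSIONS="5.6.0 5.6.1"

# classify_xz_version VERSION -> prints "compromised" or "clean"
classify_xz_version() {
    v="$1"
    for bad in $BAD_VERSIONS; do
        if [ "$v" = "$bad" ]; then
            echo compromised
            return 0
        fi
    done
    echo clean
}

# parse_xz_version_output TEXT -> prints "xz=<ver> liblzma=<ver>"
# TEXT is the two-line output of `xz --version`, e.g.
#   xz (XZ Utils) 5.4.6
#   liblzma 5.4.6
parse_xz_version_output() {
    xz_ver=$(printf '%s\n' "$1" | awk '/^xz \(XZ Utils\)/ {print $4}')
    lzma_ver=$(printf '%s\n' "$1" | awk '/^liblzma/ {print $2}')
    echo "xz=$xz_ver liblzma=$lzma_ver"
}

# audit_version_output TEXT -> prints one verdict line per component;
# returns 1 if either the xz binary or liblzma is a backdoored version.
audit_version_output() {
    parsed=$(parse_xz_version_output "$1")
    xz_ver=${parsed#xz=}; xz_ver=${xz_ver%% *}
    lzma_ver=${parsed##*liblzma=}
    status=0
    for comp in "xz:$xz_ver" "liblzma:$lzma_ver"; do
        name=${comp%%:*}; ver=${comp#*:}
        verdict=$(classify_xz_version "$ver")
        echo "$name $ver: $verdict"
        [ "$verdict" = compromised ] && status=1
    done
    return $status
}

# linked_liblzma BINARY -> prints the liblzma path the dynamic loader resolves
# for BINARY (uses ldd, so only meaningful on glibc-based Linux).
linked_liblzma() {
    ldd "$1" 2>/dev/null | awk '/liblzma/ {print $3}'
}

# When XZ_AUDIT_RUN=1 (assumed variable), audit the local xz and sshd.
if [ "${XZ_AUDIT_RUN:-0}" = 1 ]; then
    audit_version_output "$(xz --version 2>/dev/null)"
    sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
    lib=$(linked_liblzma "$sshd_bin")
    [ -n "$lib" ] && echo "sshd links $lib"
fi
```

Run it with `XZ_AUDIT_RUN=1 sh xz-audit.sh`; a non-zero exit status from `audit_version_output` means one of the two backdoored versions is installed. Note that the `xz` binary and `liblzma` are reported separately because a system can carry a clean command-line tool while a package manager or a bundled dependency has installed a different shared library.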

Although this is technically an operating-system-level dependency, it may also affect bundled application-level dependencies. It's possible that npm, Python, Go, or other packages bundle the xz utils dependency into a package, which could be another attack vector.

The easiest way to figure out who this affects is to determine which xz dependencies are the most popular in each ecosystem. The question to answer for each one is whether the vulnerable version is bundled into the library itself or whether the library merely links to the liblzma that is already installed on the system.

As you can see in the example above, Socket has a "Native code" alert which indicates that a dependency contains native code, which could be a vector for obscuring malicious code.

Below are some of the most popular packages that we have examined to make a determination about whether or not they are safe or affected. (We will keep updating this list as more information becomes available.)

Socket users can use the Dependency Search feature to search for these packages and determine whether their organization is using them.

If you are a current Socket customer and you need more help finding out if you were affected, contact us and we will assist you.

If you’re not a Socket customer, you can install our free Socket for GitHub app in two clicks and follow these instructions to find out if your dependencies were affected.

npm packages

  • xz: comes with binary version 5.2.4 (safe)
  • lzma-native: comes with binary version 5.2.3 (safe)
  • xz-pipe: requires xz to be in PATH, so could have been affected if one installed one of the malicious binaries (potentially unsafe)
  • xz-ys: pure JS implementation (safe)
  • @sirherobrine23/decompress: uses lzma-native under the hood (safe)
  • decompress-tarxz: uses lzma-native under the hood (safe)
  • @napi-rs/lzma: pre-compiled Node.js addons built from Rust via https://napi.rs (safe)
  • node-liblzma: can be used with included prebuilt binaries (safe) or can optionally use system binaries (potentially unsafe)
  • lzma-purejs: as the name implies, pure JS (safe)
  • xz-json: uses "xz" npm package under the hood (safe)

PyPI packages

  • pyliblzma: directly links against the liblzma library to provide xz compression and decompression functionality (potentially unsafe)
  • python-xz: pure Python (safe)

Go

  • https://github.com/jamespfennell/xz: Recently, a PR updating the vendored binary to malicious version 5.6.1 was opened: https://github.com/jamespfennell/xz/pull/2 (safe because the PR was not merged)
  • https://github.com/ulikunitz/xz: pure Go (safe)
  • https://github.com/xi2/xz: native Go (safe)
