miguel bracamontes

a wwweb enthusiast

xz-utils backdoor

about the odd case of the xz-utils backdoor and its creator

what is xz-utils?

xz utils, which used to be called lzma utils, is a free software toolbox for lossless data compression. it's mainly used from the command line and it works on systems like linux and, starting with xz version 5.0, windows too. when you use xz utils to compress or decompress data, it uses something called the lempel-ziv-markov chain algorithm, or lzma for short. this fancy name basically means it's a smart way to crunch down data without losing any of it.

originally, xz utils started out as a derivative of another program called lzma-sdk, which was created by a guy named igor pavlov. but then the xz utils folks tweaked it to work smoothly on unix systems (like linux) and to match how things usually work in those environments.

discovery of a backdoor

on march 29th, 2024, andres freund, a software engineer at microsoft, stumbled upon a sneaky backdoor in xz-utils versions 5.6.0 and 5.6.1 more or less by accident, while looking into odd cpu usage by ssh processes.

the sneaky code couldn't be spotted in the source stored in the git repository, which is like the master storage for code changes. why? because it was pulled in by an m4 macro file that was shipped with the release tarballs but never committed to git. according to freund, who discovered this mischief and wrote it up on the oss-security list at openwall, this m4 macro is like the secret handshake that lets the backdoor slip into the build process. now, here's where it gets serious: red hat says that a build tainted this way can mess with the security of sshd, the daemon you use to securely connect to computers remotely. if everything lines up just right, this meddling could let a bad actor break through sshd's authentication and get into the whole system without permission.
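as an added illustration (not code from the original post or from the xz project), here's a small posix shell check a packager could run to list the files that a release tarball contains but the matching git checkout doesn't, which is exactly the kind of gap that let the m4 macro hide. the file names used in the comments are constructed examples.

```shell
#!/bin/sh
# Added example: compare a release tarball against a source checkout and
# report files that exist only in the tarball. Generated files such as
# "configure" are expected there; an unexpected .m4 file or anything else
# that feeds the build is what a reviewer should look at closely.

# list_tarball_files TARBALL
# Print the file paths inside a .tar.gz with the top-level directory
# stripped (xz-5.6.0/configure -> configure), one per line, sorted.
list_tarball_files() {
    tar -tzf "$1" | grep -v '/$' | sed 's#^[^/]*/##' | sort -u
}

# list_tree_files DIR
# Print file paths under a checkout, relative to DIR, ignoring .git, sorted.
list_tree_files() {
    ( cd "$1" && find . -type f ! -path './.git/*' ) | sed 's#^\./##' | sort -u
}

# tarball_only TARBALL DIR
# Print the paths present in TARBALL but absent from DIR.
tarball_only() {
    t=$(mktemp) && d=$(mktemp) || return 1
    list_tarball_files "$1" > "$t"
    list_tree_files "$2" > "$d"
    comm -23 "$t" "$d"
    rm -f "$t" "$d"
}

# usage (constructed names): tarball_only xz-5.6.0.tar.gz ./xz-git-checkout
```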

suspected actor

when we're talking about an "under-the-radar" project like xz, it's usually not backed by any big company and runs purely on volunteer power. that's the vibe of many open-source projects. the lesser-known ones, sometimes used by loads of people, are looked after by just a handful of folks who donate their time to keep things running smoothly.

this particular tool was put together by lasse collin from the get-go, with jia tan jumping in about two years back, seemingly out of the blue. jia got the keys to the kingdom about six months later, which means this seemingly "boring" tool, used by tons of folks, was being looked after by just two people. and when lasse needed to take a breather due to health stuff, that left jia in charge of making changes and giving the green light to two versions that, so far, seem to be affected.

as freund pointed out in his message on the openwall list, considering the activity over a few weeks, the person making the changes was either directly involved or had their system seriously compromised. but the hacked-system theory seems less likely, especially since they had been talking for some time about the "fixes" that were needed. these fixes were basically band-aids for crashes caused by the sneaky backdoor not playing nicely with the rest of xz. jia tan teamed up with other developers to push these fixes (basically, workarounds for the backdoor's glitches) into major linux distributions, like fedora 40 and 41. they even pitched in to write code to tackle related issues and speed up the fixes.

now, here's where things get a bit intense. pulling off something like this, spreading a sneaky attack through a project over two years of work and collaboration, takes serious cash. it's like, you need big bucks to make big moves. so, when you see something this slick, it's hard not to think it's being bankrolled by a government or something. it's got us wondering: could open-source software become the new target for supply-chain attacks by certain groups? it's definitely a spooky thought.