Note that this is an actively unfolding event, so we might not have all the facts straight right now; if anything changes, this thread will be updated appropriately.
It was posted on Openwall earlier today that the xz-utils project (also known as xz and liblzma) had a malicious backdoor committed and published in the v5.6.0 and v5.6.1 releases of the project. CVE-2024-3094 has been assigned to this event.
The Python Security Response Team was alerted due to the CPython project bundling xz for the lzma standard library module. After investigation it was determined that there are no CPython releases that bundle a known malicious version of xz. The most recent version of xz that CPython bundles is v5.2.5, which was released before the contributor who committed the backdoor started contributing to the xz project.
Since the backdoor was discovered not long after it was first published, the malicious versions only appear to affect new or "edge" software distributions. Check with your OS distribution if you're concerned about the version of xz you're running. See these known alerts for Fedora, openSUSE, and from CISA. Homebrew previously published a backdoored version of xz and should be upgraded.
After checking with @miketheman, PyPI is running Debian Bookworm which isn't affected. Official Python Docker images are also not using distributions with backdoored xz releases.
After querying the content of Python packages on PyPI I wasn't able to find packages which contained xz 5.6.0 or 5.6.1, but my querying method isn't fool-proof and relies on the compiled library names (i.e. liblzma). This makes sense because most libraries are bundled in wheels using stable software distributions, not unstable or "edge" versions. If you maintain a Python package and use the xz library, ensure that you're not using a backdoored version.
This thread will be updated if new information changes anything about what's been published above. My hope is that this helps Pythonistas sleep soundly or know what to do if they need to take action.
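As an added example (not from the original post, the Python Security Response Team, or the xz project), here is one way to do the two checks the post talks about: ask the liblzma that this interpreter would load which version it is, and look inside a wheel for bundled liblzma objects and the version strings they carry. The wheel contents built by `build_sample_wheel` are constructed for demonstration, and the byte-pattern scan of shared objects is a heuristic that reports candidate version strings rather than a signature of the backdoor itself.

```python
"""Check which xz/liblzma release an environment is using and flag the
releases named in CVE-2024-3094 (5.6.0 and 5.6.1). Example code, not part
of the original thread or of CPython/xz."""
import ctypes
import ctypes.util
import os
import re
import tempfile
import zipfile

# Releases named as backdoored in the xz-utils advisory.
BACKDOORED = {(5, 6, 0), (5, 6, 1)}

# A C string such as "5.6.1\0" or "5.2.5alpha\0" embedded in a binary.
_BYTES_VERSION_RE = re.compile(rb"(?<![0-9.])(\d+)\.(\d+)\.(\d+)(?:alpha|beta)?\x00")
# Version encoded in an auditwheel-style member name such as liblzma-<hash>.so.5.6.1
_NAME_VERSION_RE = re.compile(r"\.so\.(\d+)\.(\d+)\.(\d+)$")


def decode_version_number(n):
    """Decode the integer returned by liblzma's lzma_version_number():
    MAJOR*10000000 + MINOR*10000 + PATCH*10 + STABILITY (0 alpha, 1 beta, 2 stable)."""
    major, rest = divmod(n, 10_000_000)
    minor, rest = divmod(rest, 10_000)
    patch, _stability = divmod(rest, 10)
    return (major, minor, patch)


def is_backdoored(version):
    return tuple(version) in BACKDOORED


def linked_liblzma_version():
    """Return (major, minor, patch) of the liblzma this interpreter resolves,
    or None if no liblzma can be found. Loading it to ask its version is the
    same thing `import lzma` does, since CPython's _lzma links against it."""
    name = ctypes.util.find_library("lzma")
    if name is None:
        return None
    try:
        lib = ctypes.CDLL(name)
    except OSError:
        return None
    lib.lzma_version_number.restype = ctypes.c_uint32
    lib.lzma_version_number.argtypes = []
    return decode_version_number(lib.lzma_version_number())


def scan_wheel(path):
    """Look inside a wheel (a zip file) for lzma-looking shared objects and
    collect the version strings found in their names and bytes.
    Returns a list of (member name, sorted candidate versions, flagged)."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if "lzma" not in base.lower():
                continue
            if not re.search(r"\.(so|dylib|dll)(\.|$)", base):
                continue
            versions = set()
            m = _NAME_VERSION_RE.search(base)
            if m:
                versions.add(tuple(int(x) for x in m.groups()))
            data = zf.read(info)
            for m in _BYTES_VERSION_RE.finditer(data):
                versions.add(tuple(int(x) for x in m.groups()))
            flagged = any(is_backdoored(v) for v in versions)
            findings.append((info.filename, sorted(versions), flagged))
    return findings


def build_sample_wheel(path):
    """Write a constructed (fake) wheel: a stub 'shared object' whose bytes
    carry a 5.6.1 version string, plus an unrelated extension module."""
    fake_so = (b"\x7fELF" + b"\x00" * 16 + b"liblzma\x00" + b"5.6.1\x00"
               + b"GLIBC_2.2.5\x00")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("pkg/__init__.py", "")
        zf.writestr("pkg.libs/liblzma-1a2b3c4d.so.5.6.1", fake_so)
        zf.writestr("pkg/_native.cpython-312-x86_64-linux-gnu.so", b"\x7fELF not lzma")
    return path


def demo():
    """Scan the constructed sample wheel and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        wheel = build_sample_wheel(os.path.join(d, "pkg-1.0-py3-none-any.whl"))
        return scan_wheel(wheel)


if __name__ == "__main__":
    print("linked liblzma:", linked_liblzma_version())
    for name, versions, flagged in demo():
        print(name, versions, "BACKDOORED RELEASE" if flagged else "ok")
```

To check real wheels, call `scan_wheel` on each `.whl` file you publish; anything flagged needs rebuilding against a known-good xz before upload.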
> The most recent version of xz that CPython bundles is v5.2.5, which was released before the contributor who committed the backdoor started contributing to the xz project.
It's becoming a bit of a challenge to download v5.2.5 of xz if one is building Python from source, as the current GitHub repo has been taken offline by GitHub staff and another download location used by Homebrew, https://xz.tukaani.org/xz-utils/, is also offline…
After some digging, I found that if one puts http://tukaani.org/xz/xz-5.2.5.tar.gz in a browser it will redirect to the SourceForge xz-utils site and actually download the archive. But is this safe? The site owner larhzu is apparently also suspended by GitHub, according to the current Hacker News discussion on the subject.
Interesting. I currently hold a PR which adds new test data for the lzma module (and support for new features added in the last 2 years).
It LGTM in general, but I was going to reorganize tests and make the test data not inlined in Python files, but provided as separate binary files. If the current GitHub repo of xz-utils is offline, it will be more difficult to check that the test data matches the original files.