Audit xz and libarchive in dom0 etc due to being released by known-malicious individual #9071

@no-usernames-left

Dom0 has xz-5.4.1, which doesn't include that backdoor. Neither Fedora 39 nor Debian 12 are affected.

Originally posted by @marmarek in #9067 (comment)

xz-5.4.1 was released by the very same person who inserted the backdoor into 5.6.0/5.6.1:
https://github.com/tukaani-project/xz/tree/v5.4.1

We should look at libarchive too; vulnerabilities are now known to have been inserted by the same person who backdoored xz:
libarchive/libarchive#1609

A good timeline is still being created here:
https://boehs.org/node/everything-i-know-about-the-xz-backdoor

We may wish to consider the use of zstd instead:
https://github.com/facebook/zstd

Labels:
- C: other: No other component ("C:") label applies to this issue, or the appropriate label is not yet known.
- P: default: Priority: default. Default priority for new issues, to be replaced given sufficient information.
- project management: This issue pertains to the management of the Qubes OS Project.
- security: This issue pertains to the security of Qubes OS.