CVE-2024-3094: Urgent alert for Fedora Linux 40 and Rawhide users

The Fedora Council was notified of CVE-2024-3094 on Friday, March 29th related to the xz tools and libraries. At this time, Fedora Rawhide users are likely to have received the tainted package. Fedora Linux 40 pre-release users may have received the tainted package build xz-5.6.0-2.fc40 through the updates-testing repository. Fedora Linux 39 and 38 users are NOT impacted.

Any instances of Fedora Linux 40 and Fedora Rawhide pre-releases before March 29th should be considered as potentially COMPROMISED. Fedora Linux 40 was updated to xz-5.4.6-3.fc40 on Friday, March 29th at 04:33:13 UTC (see f40 Bodhi update). Fedora Rawhide was reverted to xz-5.4.6-3.fc41 on Friday, March 29th at 15:21:19 UTC (see f41 Bodhi update). As a reminder, Fedora Rawhide is the development distribution of Fedora Linux, and serves as the basis for future Fedora Linux builds (in this case, the yet-to-be-released Fedora Linux 41).

CVE-2024-3094 highlights

Red Hat Product Security published this description of the recently-discovered vulnerability:

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

https://access.redhat.com/security/cve/CVE-2024-3094

A detailed update history of the xz package across all currently-supported Fedora/EPEL branches is available on Fedora Bodhi. While the malicious update was never sent to Fedora Linux 40 stable repositories, Fedora Linux 40 pre-release users (including beta users) may have received it from the updates-testing repositories, which are enabled by default in pre-release versions of Fedora Linux to assist with testing.

Fedora Linux 40 Beta users can mitigate this vulnerability now. The downgraded version is in the Fedora Linux 40 stable repositories, so updating now pulls the downgraded build from the stable repositories. (If the package is not shown in a dnf upgrade, some users report dnf distro-sync as correctly pulling in the downgraded package.)
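As an added example that is not part of this article or of Fedora's tooling, the POSIX shell snippet below checks whether the xz build installed on a host falls in the range the advisory calls tainted (upstream versions starting with 5.6.0) and, on a Fedora host, runs that check against what rpm reports for xz and xz-libs. The version parsing assumes the usual NAME-VERSION-RELEASE form of rpm -q output (for example xz-5.6.0-2.fc40), and the downgrade hint repeats the dnf commands mentioned above.

```shell
#!/bin/sh
# Added example (not from the Fedora Magazine article or the Fedora project):
# decide from an "rpm -q"-style NAME-VERSION-RELEASE string whether the
# installed xz is 5.6.0 or later, the range the advisory describes as
# carrying the malicious liblzma.

# version_ge A B: succeed (exit 0) when dotted numeric version A >= B.
# Components are compared numerically, so 5.10.0 sorts after 5.6.0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i in x) ? x[i] + 0 : 0   # missing component counts as 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0   # all components equal
    }'
}

# is_tainted_xz NEVR: succeed when the version in "xz-5.6.0-2.fc40" or
# "xz-libs-5.6.0-2.fc40" is 5.6.0 or later. The fixed Fedora build,
# xz-5.4.6-3.fc40, is below that and is reported as clean.
is_tainted_xz() {
    ver=${1#xz-}        # drop the package name prefix "xz-"
    ver=${ver#libs-}    # and "libs-" for the xz-libs subpackage
    ver=${ver%%-*}      # keep only VERSION, dropping "-RELEASE.dist"
    version_ge "$ver" 5.6.0
}

# Stand-alone use on a Fedora host: report each installed xz package.
# "rpm -q" prints "package X is not installed" for absent packages, so
# only lines that start with the package name are examined.
if command -v rpm >/dev/null 2>&1; then
    rpm -q xz xz-libs 2>/dev/null | grep '^xz' | while read -r pkg; do
        if is_tainted_xz "$pkg"; then
            echo "TAINTED: $pkg (run dnf upgrade, or dnf distro-sync, to get the downgraded build)"
        else
            echo "ok: $pkg"
        fi
    done
fi
```

The check only looks at the package version string; it does not inspect the library itself, so it is a quick triage step for pre-release hosts, not proof that a host was never exposed.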

An extended discussion on the oss-security mailing list provides more detail about the nature of the attack and how it was initially discovered. More information about this vulnerability can also be found on the Red Hat Blog.

Thank you first responders!

Fedora has a reputation for being First, but it would not be possible without the Friends who make it possible. It is difficult to predict when news like this may land. Many Fedora contributors have also already gone on vacation for the upcoming holiday weekend. We appreciate the hours that many have already put in and continue putting in to address this problem and ultimately protect Fedora users from malicious software. Thanks to the timely and prompt action by our packaging and infrastructure community, users running only on stable update channels were NOT impacted by this vulnerability.

Special recognition goes out to our Fedora Infrastructure Team for coordinating these prompt and timely actions to reduce end-user impact. We could not do it without you!

As a reflection on the upcoming release of Fedora Linux 40, there remains a lot of uncertainty about this exploit. It appears to be a sophisticated breach of trust that may have taken place over an extended period of time. Fedora Linux 40 is around the corner, which is also distinguished from other Fedora releases because Fedora Linux 40 is the branch point for CentOS Stream 10, the next major version of Enterprise Linux. Therefore, if this exploit had been discovered even two or three months later, this vulnerability would also have impacted downstream builds from Fedora and CentOS Stream, including Red Hat Enterprise Linux (RHEL), AlmaLinux, Rocky Linux, Amazon Linux, Oracle Linux, and others.

The prompt actions of our Fedora community first responders and Infrastructure Team are an example of our community working at its best. Thanks for helping keep the Fedora user community safe.

Get in touch about CVE-2024-3094

This is an emerging story and there will be more news and updates about this vulnerability to the xz package set. You can follow your usual channels for updates on security vulnerabilities. You can also reach out to the Fedora developer community on the devel mailing list or #devel:fedoraproject.org on Matrix.


2024-03-30 edit: Fedora community first responders were made aware on Thursday, March 28th.

2024-04-01 edit: Edited to clarify exposure of Fedora Linux 40 users to the tainted package. The updates-testing repository is enabled on ALL pre-release variants including the beta release of Fedora Linux 40.

2024-04-04 edit: Edited the opening paragraph to clarify the specific Fedora Linux 40 package version vulnerable to the exploit, and that F40 users MAY or MAY NOT have received the tainted version.
