May 17, 2024

Red Hat’s Information Risk and Security and Product Security teams have identified a critical vulnerability in the latest versions of the ‘xz’ compression tools and libraries.

The affected versions, 5.6.0 and 5.6.1, contain malicious code that could potentially allow unauthorized access to systems. Fedora Linux 40 users and those using Fedora Rawhide, the development distribution for future Fedora builds, are at risk.


The vulnerability, tracked as CVE-2024-3094, affects users who have updated to the compromised versions of the xz libraries. Red Hat urges all Fedora Rawhide users to immediately cease using the distribution for both work and personal activities until the issue is resolved. Plans are underway to revert Fedora Rawhide to the safer xz-5.4.x version, after which it will be safe to redeploy Fedora Rawhide instances.

The backdoor is not in the source code but in the test suite contained in the distribution tarballs. Hostile payloads masquerading as test data are decompressed during the ./configure phase to modify the Makefile and drop modified versions of liblzma_la-crc32_fast.o and liblzma_la-crc64_fast.o. When the compromised library is loaded by a client program, it installs an audit hook in the dynamic linker, allowing it to intercept lookups/calls to RSA_public_decrypt@….plt, which it then replaces with its own code.

Though Fedora Linux 40 builds have not been confirmed to be compromised, Red Hat advises users to downgrade to a 5.4 build as a precautionary measure. An update reverting xz to 5.4.x has been released and is being distributed to Fedora Linux 40 users through the normal update system.
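The practical first step for an administrator is to find out whether the installed xz is one of the two compromised releases. The script below is an added example, not part of Red Hat's advisory or of the xz project; it classifies a version string against the affected releases named above (5.6.0 and 5.6.1) and the recommended 5.4.x downgrade target, parses the first line of `xz --version`, and checks the local binary. The function names and the sample output are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an xz version as affected by
# CVE-2024-3094 and check the xz binary installed on this host.
# Function names and the sample output below are constructed for illustration.

# Print "affected" for the compromised releases named in the advisory,
# "safe-downgrade" for a 5.4.x build (the advisory's rollback target),
# and "other" for anything else.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) echo "affected" ;;
        5.4.*)       echo "safe-downgrade" ;;
        *)           echo "other" ;;
    esac
}

# Extract the version number from `xz --version` output read on stdin.
# The first line looks like "xz (XZ Utils) 5.6.1"; reading stdin keeps the
# parser testable without a local xz.
parse_xz_version() {
    sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Check the xz on this host; returns non-zero only if it is an affected release.
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 0; }
    ver=$(xz --version 2>/dev/null | parse_xz_version)
    status=$(xz_version_affected "$ver")
    echo "installed xz $ver: $status"
    [ "$status" != "affected" ]
}

# Constructed sample output, as an affected Fedora Rawhide host would print it.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Demonstrate on the constructed sample, then on the real binary if present.
sample_ver=$(printf '%s\n' "$SAMPLE_OUTPUT" | parse_xz_version)
echo "sample host xz $sample_ver: $(xz_version_affected "$sample_ver")"
check_installed_xz || echo "ACTION: downgrade xz to a 5.4.x build"
```

A clean version string is necessary but not sufficient: because the payload lives in the release tarball rather than the git tree, a locally built package should be judged by the tarball it was built from, and the packaged update that reverts to 5.4.x remains the fix the advisory recommends.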
