Trust & Security

Summary

A backdoor was identified in the popular XZ data compression library. We do not believe any JuliaHub infrastructure or any Julia users are affected by this issue.

Background

A thread in oss-security mailing list reported that the XZ Utils project was affected by a backdoor: one of the current maintainers of the project appeared to have injected malicious code, included in versions v5.6.0 and v5.6.1 of the xz-utils package, that under certain circumstances could potentially compromise an OpenSSH client and obtain login credentials to remote systems. This issue has been assigned CVE-2024-3094.

Details

The open source Julia ecosystem

The backdoor is added to a binary build of XZ under the following conditions:

1. The target system is x86_64-linux-gnu (Linux kernel, on x86_64 architecture, using glibc as standard C library)
2. the compiler is GCC
3. the build system detects dpkg or rpm are being used

Julia packages use binary builds of native C libraries that are created using our own infrastructure, which are distributed as so-called jll packages. This build system does not meet condition 3 above, and therefore we believe Julia users who have installed XZ using the Julia package manager are not vulnerable to this backdoor. The announcement of the security exploit in the oss-security mailing list includes a script to detect whether a build of liblzma is vulnerable, by checking a certain pattern is present in the hexadecimal dump of the library. We have verified our builds of liblzma.so in XZ_jll v5.6.0 and v5.6.1 do not contain the known pattern. Please talk to your JuliaHub support contact if you want to run this analysis yourself.

In the abundance of caution however, the XZ_jll package versions 5.6.0 and 5.6.1 have been removed from the Julia package registry. They can no longer be installed – users are able to install only versions up to 5.4.6.

The Juliahub Platform

All JuliaHub platform servers and container images are derived from Debian stable. The vulnerable packages were only added to Debian unstable, and therefore did not make it into any of our builds or images.

JuliaHub enterprise customers should talk to their support contacts if they need any assistance in extracting the list of users who have installed XZ versions v5.6.0 and v5.6.1 from the logs. Again, this is only for an abundance of caution, as we do not believe those users are vulnerable.

Acknowledgements

• The original announcement by Andres Freund: https://www.openwall.com/lists/oss-security/2024/03/29/4
• The Julia ecosystem bulletin by Mosè Giordano: https://discourse.julialang.org/t/psa-backdoor-in-xz-utils-and-relevance-for-the-julia-ecosystem/112328