Vulnerability Discovered in xz Libraries

Apr 01, 2024

An urgent alert for Fedora 40 has been posted and users should pay attention.

On March 28, the Fedora community received word about CVE-2024-3094, which impacted any instance of Fedora 40 that used repositories outside of the stable branch.

The vulnerability is found in the upstream tarballs of the xz application, which is a compression tool that has been around for a long time.

CVE-2024-3094 is marked as critical with a score of 10, which means it is of the highest severity and should be taken seriously.

The issue affects versions 5.6.0 and 5.6.1 of the xz libraries and is only found in the tarball download package (and not the Git distribution, which lacks the M4 macro trigger).

According to the Red Hat Customer Portal, "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."

If you're a Fedora 40 beta user, you can resolve this issue by downgrading xz from the testing repositories by issuing the command sudo dnf upgrade --refresh --advisory=FEDORA-2024-d02c7bb266. If you find the command doesn't work, try again later.


Related content

  • News

    TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU; XZ Utils Vulnerability Patched; Canonical Collaborates with Qualcommon New Venture; Kodi 21.0 Entertainment Hub Released; Linux Usage Increases in Two Key Areas; Canonical Bumps LTS Support to 12 Years; Fedora 40 Beta Released; SnoopGod to Compete with Kali Linux; Juno Computers Launches Neptune 17 v6; and Juno Computers Launches Neptune 17 v6.

  • XZ Gets the All-Clear

    The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.

  • New Linux Vulnerability Enables a Privilege Escalation

    Looney Tunables is a new Linux vulnerability that has been discovered in the GNU C library that can lead to privilege escalation.

  • NEWS

    In the news: Microsoft Edge Coming to Linux; Open Invention Network Backs Gnome Project Against Patent Troll; Fedora 31 Released; openSUSE OBS Can Now Build Windows WSL Images; Sudo Vulnerability; Hetzner Launches New Ryzen-Based Dedicated Root Servers; and IBM Joins the Mayflower Autonomous Ship Project.

  • Fedora 39 Prepares for Release

    The latest release from the Fedora team is about to be unleashed and it includes plenty to excite users of all types.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More