
CVE-2024-3094: Urgent alert for Fedora Linux 40 and Rawhide users

The Fedora Project was made aware of CVE-2024-3094 on Friday, March 29th related to the xz tools and libraries. At this time, Fedora Rawhide users are likely to have received the tainted package and Fedora Linux 40 Beta users may have received the package if they opted into updating from testing repositories. Fedora Linux 40 Beta users only using stable repositories are NOT impacted. Fedora Linux 39 and 38 users are also NOT impacted.

PLEASE IMMEDIATELY STOP USAGE OF FEDORA RAWHIDE for work or personal activity. Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed. As a reminder, Fedora Rawhide is the development distribution of Fedora Linux, and serves as the basis for future Fedora Linux builds (in this case, the yet-to-be-released Fedora Linux 41).

CVE-2024-3094 highlights

Red Hat Product Security published this description of the recently-discovered vulnerability:

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

https://access.redhat.com/security/cve/CVE-2024-3094

A detailed update history of the xz package across all currently-supported Fedora/EPEL branches is available on Fedora Bodhi. While the malicious update was never sent to Fedora Linux 40 Beta stable repositories, Fedora Linux 40 Beta users may have received it from the testing repositories, which are enabled by default in pre-release versions to assist with testing.

Fedora Linux 40 Beta users can mitigate this vulnerability now. The downgraded version is now in the Fedora Linux 40 testing repositories, so if you update now, you get the downgraded one from the testing repositories. It will be synced to stable repositories and new ISO images soon. (If the package is not shown in a dnf upgrade, some users report dnf distro-sync as correctly pulling in the downgraded package.)
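A local triage check for the situation described above, added here as an example and not part of the original post: it flags an installed xz/xz-libs that is one of the tainted upstream releases (5.6.0 and 5.6.1, the releases the advisory's "starting with version 5.6.0" covers) and reports whether the updates-testing repository is enabled, since that is how Fedora Linux 40 Beta users could have received the package. The repo file path and the [updates-testing] section name are assumptions based on Fedora's stock dnf layout.

```shell
#!/bin/sh
# Added example for CVE-2024-3094 triage on Fedora (not from the Fedora Magazine post).

# Return 0 (true) when VERSION (optionally with -RELEASE suffix) is a tainted xz release.
# The advisory says the malicious code is in upstream tarballs starting with 5.6.0;
# the tainted releases were 5.6.0 and 5.6.1, and Fedora reverts to 5.4.x.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1|5.6.0-*|5.6.1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 (true) when the dnf repo file at $1 has an [updates-testing] section with
# enabled=1. Assumes Fedora's stock INI-style layout for that section (assumption).
updates_testing_enabled() {
    awk '
        /^\[/ { insection = ($0 == "[updates-testing]") }
        insection && /^enabled[[:space:]]*=/ {
            split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); found = kv[2]
        }
        END { exit (found == "1") ? 0 : 1 }
    ' "$1"
}

# Report for the running system. Only meaningful on an rpm-based host; the file path
# below is the usual Fedora location of the updates-testing repo definition (assumption).
xz_triage_report() {
    for pkg in xz xz-libs; do
        ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || continue
        if xz_version_affected "$ver"; then
            echo "AFFECTED: $pkg $ver - downgrade with 'dnf upgrade' or 'dnf distro-sync'"
        else
            echo "ok: $pkg $ver"
        fi
    done
    repo=/etc/yum.repos.d/fedora-updates-testing.repo
    if [ -r "$repo" ] && updates_testing_enabled "$repo"; then
        echo "note: updates-testing is enabled; the tainted package may have come from there"
    fi
}

# Run the report only where rpm exists, so the functions can be sourced elsewhere.
if command -v rpm >/dev/null 2>&1; then
    xz_triage_report
fi
```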

An extended discussion on the oss-security mailing list provides more detail about the nature of the attack and how it was initially discovered. More information about this vulnerability can also be found on the Red Hat Blog.

Thank you first responders!

Fedora has a reputation for being First, but it would not be possible without the Friends who make it possible. It is difficult to predict when news like this may land. Many Fedora contributors have also already gone on vacation for the upcoming holiday weekend. We appreciate the hours that many have already put in and continue putting in to address this problem and ultimately protect Fedora users from malicious software. Thanks to the timely and prompt action by our packaging and infrastructure community, all users running on stable update channels only were NOT impacted by this vulnerability.

Special recognition goes out to our Fedora Infrastructure Team for coordinating these prompt and timely actions to reduce end-user impact. We could not do it without you!

As a reflection on the upcoming release of Fedora Linux 40, there remains a lot of uncertainty about this exploit. It appears to be a sophisticated breach of trust that may have taken place over an extended period of time. Fedora Linux 40 is around the corner, which is also distinguished from other Fedora releases because Fedora Linux 40 is the branch point for CentOS Stream 10, the next major version of Enterprise Linux. Therefore, if this exploit had been discovered even two or three months later, this vulnerability would also have impacted downstream builds from Fedora and CentOS Stream, including Red Hat Enterprise Linux (RHEL), AlmaLinux, Rocky Linux, Amazon Linux, Oracle Linux, and others.

The prompt actions of our Fedora community first responders and Infrastructure Team are an example of our community working at its best. Thanks for helping keep the Fedora user community safe.

Get in touch about CVE-2024-3094

This is an emerging story and there will be more news and updates about this vulnerability to the xz package set. You can follow your usual channels for updates on security vulnerabilities. You can also reach out to the Fedora developer community on the devel mailing list or #devel:fedoraproject.org on Matrix.


Justin W. Flory

Justin W. Flory is a creative maker. He is best known as an Open Source contributor and Free Culture advocate originally from the United States. Justin has participated in numerous Open Source communities and led different initiatives to build sustainable software and communities for over ten years.

In October 2022, Justin joined Red Hat as the fourth Fedora Community Architect (FCA). He works closely between the Fedora Project community and Red Hat to lead initiatives that grow the Fedora user and developer communities. He also helps make Red Hat and Fedora interactions more transparent and open.

Justin is also a contributor to the Fedora Project since 2015. In Fedora, he volunteered as the team leader of the Community Operations team for four years and was a founding member of the Diversity, Equity, & Inclusion Team. He represented Fedora internationally at events and conferences, including FOSDEM, DevConf CZ, All Things Open, OSCAL, and others.
