xz - Compression utility for .lzma and .xz formats
ChangeLog
| Web site: | http://tukaani.org/xz/ |
| Repository: | https://github.com/tukaani-project/xz |
HOWTO
# XZ Utils 5.4.4
# ==============
# XZ Utils backdoor
#
# For now, the Git repository and XZ Utils web site are not available.
# The git.tukaani.org copy is accessible here:
# https://git.tukaani.org/
#
# From what I know, if you don't use a patched OpenSSH which links to systemd
# which links to liblzma, you're not effected (with OpenSSH...).
# XZ Utils 5.6.0 and 5.6.1 appear to be the compromized releases.
# Anywhere you see "Jia Tan", that is the person that compromized
# it.
#
# Read here or any of the other gazillion articles about it for more information:
# https://tukaani.org/xz-backdoor/
# https://mastodon.social/@AndresFreundTec/112180406142695845
# https://www.openwall.com/lists/oss-security/2024/03/29/4
# https://www.cve.org/CVERecord?id=CVE-2024-3094
# https://lwn.net/Articles/967180/
# https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
# https://www.wired.com/story/xz-backdoor-everything-you-need-to-know/
# https://en.wikipedia.org/wiki/XZ_Utils_backdoor
# https://www.kali.org/blog/about-the-xz-backdoor/
# https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
# https://lists.debian.org/debian-security-announce/2024/msg00057.html
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
# https://archlinux.org/news/the-xz-package-has-been-backdoored/
# https://news.opensuse.org/2024/03/29/xz-backdoor/
# https://bugs.gentoo.org/show_bug.cgi?id=928134
# https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know
# https://news.itsfoss.com/xz-utils-backdoor/
# https://www.theregister.com/2024/04/01/xz_backdoor_open_source/
# https://security.apache.org/blog/cve-2024-3094/
# https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
# Slackware 14.0: xz 5.0.4
# Slackware 14.1: xz 5.0.5
# Slackware 14.2: xz 5.2.2
# Slackware 15.0: xz 5.2.5
# GitHub XZ Utils 5.4.4 Stable release
# SourceForge project page
# liblzma (XZ Utils) docs
# Get the source
cd
test -f installed/xz-5.4.4.tar.bz2 && mv installed/xz-5.4.4.tar.bz2 .
test ! -f xz-5.4.4.tar.bz2 && wget https://tukaani.org/xz/xz-5.4.4.tar.bz2
# Extract the source
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "xz-*" -exec rm -r {} \;
tar xjvf ~/xz-5.4.4.tar.bz2
cd xz-5.4.4
test $UID = 0 && chown -R root:root .
# Be aware that you may have an older liblzma.* in /lib or /lib64
# from the aaa_elflibs package
# Configure the build for 64-bit
test $(uname -m) = 'x86_64' &&
./configure --prefix=/usr --docdir=/usr/doc/xz --infodir=/usr/info \
--libdir=/usr/lib64 --mandir=/usr/man --disable-static --disable-nls
# Configure the build for anything else
test $(uname -m) != 'x86_64' &&
./configure --prefix=/usr --docdir=/usr/doc/xz --infodir=/usr/info \
--mandir=/usr/man --disable-static --disable-nls
# Build it
make
# Check the build
make check
# Become root to install it
su
# Remove the Slackware package
test -x /sbin/removepkg && /sbin/removepkg xz
# Install it
make install
ldconfig
# Become your non-root user again
exit
# Save the source for later
cd
mkdir -p -m 0700 installed
rm -f installed/xz-*.tar.*
mv xz-5.4.4.tar.bz2 installed/
# If you ever want to uninstall XZ Utils, this should do it:
cd
su
test -d src/xz-* && ( cd src/xz-* ; make uninstall )
( cd /usr/bin ; rm -f lzdiff lzgrep lzmadec lzmainfo lzmore xz xzdec \
xzdiff xzgrep xzless xzmore )
type -d /usr/doc/xz && rm -r /usr/doc/xz
find /usr/doc/ -maxdepth 1 -name "xz-*" -exec rm -r {} \;
test -d /usr/include/lzma && rm -r /usr/include/lzma
test -d /usr/lib64 &&
( cd /usr/lib64 ; rm -f liblzma.* pkgconfig/liblzma.pc )
( cd /usr/man/man1 ; rm -f lzdiff.1* lzgrep.1* lzmainfo.1* lzmore.1* \
xz.1* xzdec.1* xzdiff.1* xzgrep.1* xzless.1* xzmore.1* )
type -d /usr/share/doc/xz && rm -r /usr/share/doc/xz
find /usr/share/doc/ -maxdepth 1 -name "xz-*" -exec rm -r {} \;
( cd /usr/share/man/man1 ; rm -f lzdiff.1* lzgrep.1* lzmainfo.1* lzmore.1* \
xz.1* xzdec.1* xzdiff.1* xzgrep.1* xzless.1* xzmore.1* )
rm -f /bin/xz /lib/liblzma.* /usr/include/lzma.h /usr/lib/liblzma.* \
/usr/lib/pkgconfig/liblzma.pc
ldconfig
exit
find ~/src -maxdepth 1 -type d -name "xz-*" -exec rm -r {} \;
rm -f ~/installed/xz-*.tar.*
List of HOWTOs
Web page itself last updated: 2023-12-20 8:06pm (EST -0500)
HOWTO last updated: 2024-04-03 2:58pm
Copyright © 2001-2024 Jason Englander. All Rights reserved.
HOWTO last updated: 2024-04-03 2:58pm
Copyright © 2001-2024 Jason Englander. All Rights reserved.
![[HTML5]](HTML5_Logo_64-black.png){kind=logo}
