termux / termux-app

Termux - a terminal emulator application for Android OS extendible by variety of packages.
https://f-droid.org/en/packages/com.termux

[NOTICE] 2024-04-01 Termux Apps Vulnerability Disclosure #3904

Closed Rstment25 closed 1 month ago

Rstment25 commented 1 month ago

Problem description

I privately disclosed this already but someone on termux team rejected it??

I'm gonna be opening public disclosure instead:

Liblzma library has been compromised, versions 5.6.0 and 5.6.1 that termux uses allow for remote code execution and unauthorized ssh access... In short every platform that ran or still runs termux allows full remote access over ssh :P

Here's a good video that explains it in detail: https://www.youtube.com/watch?v=jqjtNDtbDNI

Here's how to check if you're affected:

```sh
apt list | grep installed | grep xz
```

*Returns 5.6.1 for me

If this returns 5.6.0 / 5.6.1 then gg. In the video there's a link to a script which actually does further checking to make sure, but the above already tells enough to know there's a high likelihood of compromise.

I hope there's gonna be an update soon which will downgrade liblzma to a lower version...

Steps to reproduce the behavior.

```sh
apt list | grep installed | grep xz
```

What is the expected behavior?

No response

System information

Latest termux version 0.118.0 has the affected xz library.

TomJo2000 commented 1 month ago

We are aware of the liblzma/xz-utils incident and it was already addressed in termux/termux-packages@4c6c0d0. Not only is this the wrong repository, the vulnerability report is also factually false. This is not a vulnerability in the Termux app, but a backdoor inserted into the upstream release tarballs for xz 5.6.0 and 5.6.1. We addressed the issue 2.5 hours after initial disclosure by reverting the package to 5.4.5, which is the last known unaffected version.

Closing as outdated/incorrect.

Rstment25 commented 1 month ago

Thank you !

Sorry for the confusion

TomJo2000 commented 1 month ago

Additionally - I don't know if it's noted in the video - the backdoor is only applicable to:

* Glibc systems
* using Systemd
* that use either DEB or RPM packaging
* and patch SSHD to support systemd-notify
* that built `xz-utils` from a release tarball

This backdoor was targeted at Ubuntu 24.04, Debian Sid, and Fedora 40, 41 and Rawhide.

Rstment25 commented 1 month ago

Do you know where we can get termux that uses reverted package? (Has it been built/published yet?)

I get mine from fdroid, so idk when that'll get updates ...

> Additionally - I don't know if it's noted in the video - the backdoor is only applicable to:
>
> * Glibc systems
> * using Systemd
> * that use either DEB or RPM packaging
> * and patch SSHD to support systemd-notify
> * that built `xz-utils` from a release tarball
>
> This backdoor was targeted at Ubuntu 24.04, Debian Sid, and Fedora 40, 41 and Rawhide.

TomJo2000 commented 1 month ago

> Do you know where we can get termux that uses reverted package? (Has it been built/published yet?)

Just apply the regular package update procedure.

* `pkg up`

Rstment25 commented 1 month ago

> Do you know where we can get termux that uses reverted package? (Has it been built/published yet?)

> Just apply the regular package update procedure.
>
> * `pkg up`

Thank you, but I'm going to wait for a newer version if it comes with the fix pre applied 🥲

If not well... At least thanks to you I know how but I don't think I'm brave enough to try xd

TomJo2000 commented 1 month ago

> Thank you, but I'm going to wait for a newer version if it comes with the fix pre applied 🥲

The incident does not affect any shipped version of the Termux application, and was only ever present from February 25th until the public disclosure on March 29th. As stated above, the payload of the backdoor does not target, and is not active on, Termux. And we have reverted the package to a known safe version.

Termux uses a rolling release model, and the main App and packages are updated independently. Please keep your Termux installation updated, using `pkg up` for security and feature updates to all packages. Additionally, package updates should be done in full. Termux does not support, nor plans to support, partial upgrades. The only officially supported package versions are the latest ones offered through termux/termux-packages and its mirrors.

Yonle commented 1 month ago

> Additionally - I don't know if it's noted in the video - the backdoor is only applicable to:
>
> * Glibc systems
> * using Systemd
> * that use either DEB or RPM packaging
> * and patch SSHD to support systemd-notify
> * that built `xz-utils` from a release tarball
>
> This backdoor was targeted at Ubuntu 24.04, Debian Sid, and Fedora 40, 41 and Rawhide.

Additionally, it only targets the x86_64 arch. So if you are using Termux on a phone, then you should not worry much about that.
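The version check from the first post, combined with the applicability conditions given later in the thread (affected releases 5.6.0/5.6.1; payload active only on x86_64 glibc hosts), as an added shell example that is not part of this thread or the Termux project. It assumes the `apt list --installed` line format `name/suite,now VERSION ARCH [installed]`; the sample lines are constructed, not captured from a device.

```shell
#!/bin/sh
# Added example (not Termux project code): classify an installed xz/liblzma build
# from one `apt list --installed` line, and report whether the host even matches
# the profile the backdoor payload activates on (x86_64 + glibc).

# Pull the version field out of a line such as
#   xz-utils/stable,now 5.6.1 aarch64 [installed]
apt_line_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# True (0) only for the two upstream releases that carried the backdoor.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# The payload only activates on x86_64 glibc systems; Termux is Bionic-based
# and phones are usually aarch64, so the arch/libc pair matters for risk.
target_profile_matches() {
    [ "$1" = "x86_64" ] && [ "$2" = "glibc" ]
}

# Prints one of: not-installed, clean, backdoored-not-targeted,
# backdoored-and-targeted.  Args: apt-list line, arch (uname -m), libc name.
classify_xz_install() {
    ver=$(apt_line_version "$1")
    if [ -z "$ver" ]; then
        echo "not-installed"
    elif is_backdoored_xz_version "$ver"; then
        if target_profile_matches "$2" "$3"; then
            echo "backdoored-and-targeted"
        else
            echo "backdoored-not-targeted"
        fi
    else
        echo "clean"
    fi
}

# Constructed sample lines: the state reported in the issue, and the reverted package.
SAMPLE_TERMUX="xz-utils/stable,now 5.6.1 aarch64 [installed]"
SAMPLE_REVERTED="xz-utils/stable,now 5.4.5 aarch64 [installed]"

echo "reported:  $(classify_xz_install "$SAMPLE_TERMUX" aarch64 bionic)"
echo "reverted:  $(classify_xz_install "$SAMPLE_REVERTED" aarch64 bionic)"
# On a live Termux shell you would feed the real line instead:
#   classify_xz_install "$(apt list --installed 2>/dev/null | grep '^xz-utils/')" "$(uname -m)" bionic
```

A "backdoored-not-targeted" result still means the package should be updated with `pkg up`, since the reverted 5.4.5 build is the only supported version; the classification only separates "ship the fix" from "assume active compromise".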