Closed (Rstment25 closed this 1 month ago)
We are aware of the liblzma/xz-utils incident and it was already addressed in termux/termux-packages@4c6c0d0.
Not only is this the wrong repository, the vulnerability report is also factually false.
This is not a vulnerability in the Termux app, but a backdoor inserted into the upstream release tarballs for xz 5.6.0 and 5.6.1.
We addressed the issue 2.5 hours after initial disclosure by reverting the package to 5.4.5, which is the last known unaffected version.
Closing as outdated/incorrect.
Thank you!
Sorry for the confusion
Do you know where we can get termux that uses reverted package? (Has it been built/published yet?)
I get mine from fdroid, so idk when that'll get updates ...
Additionally - I don't know if it's noted in the video - the backdoor is only applicable to:
* Glibc systems
* using Systemd
* that use either DEB or RPM packaging
* and patch SSHD to support systemd-notify
* that built `xz-utils` from a release tarball

This backdoor was targeted at Ubuntu 24.04, Debian Sid, and Fedora 40, 41 and Rawhide.
> Do you know where we can get termux that uses reverted package? (Has it been built/published yet?)

Just apply the regular package update procedure.
* `pkg up`
> Do you know where we can get termux that uses reverted package? (Has it been built/published yet?)
>
> Just apply the regular package update procedure.
> * `pkg up`
Thank you, but I'm going to wait for a newer version if it comes with the fix pre-applied 🥲
If not, well... At least thanks to you I know how, but I don't think I'm brave enough to try xd
> Thank you, but I'm going to wait for a newer version if it comes with the fix pre-applied 🥲
The incident does not affect any shipped version of the Termux application, and was only ever present from February 25th until the public disclosure on March 29th. As stated above, the payload of the backdoor does not target, and is not active on, Termux. And we have reverted the package to a known safe version.
Termux uses a rolling release model, and the main App and packages are updated independently.
Please keep your Termux installation updated, using `pkg up`, for security and feature updates to all packages.
Additionally, package updates should be done in full.
Termux does not support, nor plans to support, partial upgrades.
The only officially supported package versions are the latest ones offered through termux/termux-packages and its mirrors.
> Additionally - I don't know if it's noted in the video - the backdoor is only applicable to:
> * Glibc systems
> * using Systemd
> * that use either DEB or RPM packaging
> * and patch SSHD to support systemd-notify
> * that built `xz-utils` from a release tarball
>
> This backdoor was targeted at Ubuntu 24.04, Debian Sid, and Fedora 40, 41 and Rawhide.
Additionally, it only targets the x86_64 arch. So if you are using Termux on a phone, then you should not worry much about that.
Problem description
I privately disclosed this already but someone on the termux team rejected it??
I'm gonna be opening public disclosure instead:
The liblzma library has been compromised; versions 5.6.0 and 5.6.1 that termux uses allow for remote code execution and unauthorized ssh access... In short, every platform that ran or still runs termux allows full remote access over ssh :P
Here's a good video that explains it in detail: https://www.youtube.com/watch?v=jqjtNDtbDNI
Here's how to check if you're affected:
```sh
apt list | grep installed | grep xz
```
(Returns 5.6.1 for me.)
If this returns 5.6.0 / 5.6.1 then gg; in the video there's a link to a script which actually does further checking to make sure, but the above already tells enough to know there's a high likelihood of compromise.
I hope there's gonna be an update soon which will downgrade liblzma to a lower version...
Steps to reproduce the behavior.
```sh
apt list | grep installed | grep xz
```
What is the expected behavior?
No response
System information
Latest Termux version 0.118.0 has the affected xz library.
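The reporter's one-liner above only greps for any package containing "xz"; the maintainers' comments add two facts worth folding into a check: only upstream releases 5.6.0 and 5.6.1 carried the backdoor, and the payload targets x86_64 hosts. The script below is an added example written for this thread, not the reporter's script, the video's script, or anything from termux/termux-packages. It assumes `apt list --installed` output in the usual "name/suite version arch [installed]" form, that the package is named `xz-utils`, and that a Debian-style revision suffix (`-1`) may follow the upstream version; the apt output embedded in it is constructed, not captured from a device.

```sh
#!/bin/sh
# Added example for this thread: decide whether an installed xz-utils is one of
# the backdoored upstream releases (5.6.0, 5.6.1) and what that means for the host.
# Not from the Termux project; the sample apt output below is constructed.

# Upstream xz release versions whose tarballs carried the backdoor (from the thread).
BACKDOORED_XZ_VERSIONS="5.6.0 5.6.1"

# xz_version_affected VERSION
#   Returns 0 when VERSION (e.g. "5.6.1" or "5.6.1-1") is a backdoored release, 1 otherwise.
#   A Debian-style package revision after "-" is stripped before comparing.
xz_version_affected() {
    upstream=${1%%-*}
    for bad in $BACKDOORED_XZ_VERSIONS; do
        [ "$upstream" = "$bad" ] && return 0
    done
    return 1
}

# installed_xz_version APT_LIST_TEXT
#   Prints the version field of the installed xz-utils line from text in
#   `apt list --installed` format ("name/suite version arch [installed]").
#   Matches the package name exactly, so liblzma or other "xz" lines are ignored.
installed_xz_version() {
    printf '%s\n' "$1" | awk '$1 ~ /^xz-utils\// && /\[installed/ { print $2; exit }'
}

# xz_check_report APT_LIST_TEXT ARCH
#   Prints a one-line verdict combining the version check with the architecture
#   (the thread states the payload targets x86_64 glibc/systemd hosts).
xz_check_report() {
    ver=$(installed_xz_version "$1")
    if [ -z "$ver" ]; then
        echo "xz-utils not listed as installed"
        return 0
    fi
    if xz_version_affected "$ver"; then
        if [ "$2" = "x86_64" ]; then
            echo "xz-utils $ver: backdoored release on x86_64; update immediately (pkg up)"
        else
            echo "xz-utils $ver: backdoored release, but payload targets x86_64 glibc/systemd hosts; update anyway (pkg up)"
        fi
    else
        echo "xz-utils $ver: not a backdoored release"
    fi
}

# Constructed sample in `apt list --installed` format (assumed layout, not real device output).
SAMPLE_APT_LIST_BAD='libc++/stable,now 26 aarch64 [installed]
liblzma/stable,now 5.6.1 aarch64 [installed]
xz-utils/stable,now 5.6.1 aarch64 [installed]
zlib/stable,now 1.3-1 aarch64 [installed,automatic]'

# Same layout after the package was reverted to 5.4.5 (constructed).
SAMPLE_APT_LIST_OK='xz-utils/stable,now 5.4.5 aarch64 [installed]'

# On a real device the inputs would be "$(apt list --installed 2>/dev/null)" and "$(uname -m)";
# here the constructed samples are used so the script runs offline.
xz_check_report "$SAMPLE_APT_LIST_BAD" aarch64
xz_check_report "$SAMPLE_APT_LIST_OK" x86_64
```

The verdict text is deliberately a single line so it can be appended to a fleet inventory or a quick triage note; the architecture branch only changes urgency wording, because the maintainers' advice in this thread is the same either way: run `pkg up` and do not leave the affected version installed.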