
    Secret Backdoor Found in XZ Utils Library, Is ubuntu touch affected?

Posted by Charly:

        Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros.
        Is ubuntu touch affected?

        Greetings
        Charly

        UT 24.04 on Volla X23

Reply from arubislander to @Charly:

          @Charly This is a great question! The short answer is 'no'. The version of the library available in the repositories used by UT does not contain this vulnerability.

          The long answer is more interesting. According to The Hacker News article I read, the vulnerable library versions are 5.6.0 and 5.6.1. The vulnerability seems to involve potentially exposing SSH services to unauthorized access.

          Opening the Terminal app and running apt-cache policy xz-utils on Focal gives the following output:

          phablet@ubuntu-phablet:~$ apt-cache policy xz-utils
          xz-utils:
            Installed: (none)
            Candidate: 5.2.4-1ubuntu1.1
            Version table:
               5.2.4-1ubuntu1.1 500
                  500 http://ports.ubuntu.com/ubuntu-ports focal-updates/main arm64 Packages
                  500 http://ports.ubuntu.com/ubuntu-ports focal-security/main arm64 Packages
               5.2.4-1 500
                  500 http://ports.ubuntu.com/ubuntu-ports focal/main arm64 Packages
          phablet@ubuntu-phablet:~$ 
          

          As you can see, Focal carries version 5.2.4 of the library. Notice that the library isn't even installed by default, which would be the case for most users. Furthermore, even if it were installed, SSH is also disabled by default, unless you have enabled Developer mode in the System Settings, which most users will not have done.
          Additionally, even with Developer mode enabled, some ports still require the user to manually start the SSH server for use, on every reboot. Then, even after all of this would be in place, a malicious actor would need to be on the same network your device is connected to by WiFi to even attempt to exploit this vulnerability, as the SSH daemon on UT does not listen on the mobile network interface. (That is one reason you should be mindful when connecting to public WiFi.)
          So an out-of-the-box install of UT is not affected by this vulnerability.

          What about applications that install and use their own version of the xz library? As long as they are confined and do not start their own SSH server using the library, then this vulnerability would also not be able to be exploited.
          Unconfined apps could potentially install a compromised version of the library system-wide, but unless they also start an SSH server and configure it to listen on the mobile interface, they would still face most of the challenges mentioned above.

          🇦🇼 🇳🇱 🇺🇸 🇪🇸
          Happily running Ubuntu Touch
          JingPad (24.04-1.x daily)
          OnePlus Nord N10 5G (24.04-2.x daily)
          PinePhone OG (20.04)
          Meizu Pro 5 (16.04 DEV)

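As an added example (not code from arubislander's post or from UBports), the check described in the reply above written as a POSIX shell script: it parses the `apt-cache policy xz-utils` output, flags the backdoored upstream versions 5.6.0 and 5.6.1 named in the post, and lists the local addresses an SSH daemon is listening on. It assumes Debian-style version strings ("upstream-revision") and that the `ss` tool is present; the sample outputs embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the forum post. Automates arubislander's check:
# parse `apt-cache policy xz-utils`, flag the backdoored upstream releases
# (5.6.0 and 5.6.1, per the post), and list sockets an SSH daemon has open.
# Assumptions: Debian-style versions ("upstream-revision") and the `ss` tool.

# Print the value of an "Installed:" or "Candidate:" line from apt-cache output.
apt_policy_field() {                       # $1 = field name, stdin = output
    awk -v field="$1:" '$1 == field { print $2; exit }'
}

# True (0) when the upstream part of a package version is 5.6.0 or 5.6.1.
xz_upstream_is_backdoored() {
    case "${1%%-*}" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read apt-cache policy output on stdin; print not-installed, safe or VULNERABLE.
xz_status_from_policy() {
    installed=$(apt_policy_field Installed)
    if [ -z "$installed" ] || [ "$installed" = "(none)" ]; then
        echo not-installed
    elif xz_upstream_is_backdoored "$installed"; then
        echo VULNERABLE
    else
        echo safe
    fi
}

# Read `ss -ltn` output on stdin; print local addresses listening on TCP port 22.
ssh_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /:22$/ { print $4 }'
}

# Constructed samples: the Focal output from the post and a typical ss line.
SAMPLE_POLICY='xz-utils:
  Installed: (none)
  Candidate: 5.2.4-1ubuntu1.1'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
if [ "${1:-}" = "--live" ]; then          # on a real device: ./check.sh --live
    apt-cache policy xz-utils | xz_status_from_policy
    ss -ltn 2>/dev/null | ssh_listeners
else
    printf '%s\n' "$SAMPLE_POLICY" | xz_status_from_policy   # not-installed
    printf '%s\n' "$SAMPLE_SS" | ssh_listeners               # 0.0.0.0:22
fi
```

Run with `--live` on the device to check the real package state and listeners; without it the script only exercises the constructed samples.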
Reply from Charly to @arubislander:

            @arubislander
            Thanks for the fast answer!

            Greetings
            Charly

            UT 24.04 on Volla X23
