-
Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros.
Is Ubuntu Touch affected? -
@Charly This is a great question! The short answer is 'no'. The version of the library available in the repositories used by UT does not contain this vulnerability.
The long answer is more interesting. According to The Hacker News article I read, the vulnerable library versions are 5.6.0 and 5.6.1. The vulnerability seems to involve potentially exposing SSH services to unauthorized access.
Opening the Terminal app and running
apt-cache policy xz-utils
on Focal gives the following output:
phablet@ubuntu-phablet:~$ apt-cache policy xz-utils
xz-utils:
  Installed: (none)
  Candidate: 5.2.4-1ubuntu1.1
  Version table:
     5.2.4-1ubuntu1.1 500
        500 http://ports.ubuntu.com/ubuntu-ports focal-updates/main arm64 Packages
        500 http://ports.ubuntu.com/ubuntu-ports focal-security/main arm64 Packages
     5.2.4-1 500
        500 http://ports.ubuntu.com/ubuntu-ports focal/main arm64 Packages
phablet@ubuntu-phablet:~$
As you can see, Focal carries version 5.2.4 of the library. Notice that the library isn't even installed by default, which would be the case for most users. Furthermore, even if it were installed, SSH is also disabled by default, unless you have enabled Developer mode in the System Settings, which most users will not have done.
Additionally, even with Developer mode enabled, some ports still require the user to manually start the SSH server for use, on every reboot. Then, even after all of this would be in place, a malicious actor would need to be on the same network your device is connected to by WiFi to even attempt to exploit this vulnerability, as the SSH daemon on UT does not listen on the mobile network interface. (That is one reason you should be mindful when connecting to public WiFi.)
So an out-of-the-box install of UT is not affected by this vulnerability. What about applications that install and use their own version of the xz library? As long as they are confined and do not start their own SSH server using the library, then this vulnerability would also not be able to be exploited.
Unconfined apps could potentially install a compromised version of the library system-wide, but unless they also start an SSH server, and configure it to listen on the mobile interface, they would still face most of the challenges mentioned above. -
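The two checks the answer above walks through (is the installed xz/liblzma one of the 5.6.0/5.6.1 releases, and which addresses is an SSH listener bound to) as an added shell example; this is not code from the forum post or from Ubuntu Touch. It assumes a Debian-style dpkg system for `dpkg-query` and `ss -Hltn` from iproute2 for the listener check; the `SAMPLE_SS` lines and the 192.168.1.20 address are constructed.

```shell
#!/bin/sh
# Added example, not code from the forum post: classify an installed xz/liblzma
# package version against the upstream releases the post names (5.6.0, 5.6.1),
# and list which local addresses a TCP port 22 listener is bound to.

# Reduce a Debian/Ubuntu package version to its upstream part:
# "2:5.6.1-1ubuntu1" -> "5.6.1", "5.2.4-1ubuntu1.1" -> "5.2.4".
upstream_version() {
    v="${1#*:}"                # drop an epoch prefix ("2:") if present
    printf '%s\n' "${v%%-*}"   # drop the Debian revision ("-1ubuntu1.1")
}

# Exit status 0 when the upstream version is one of the backdoored releases.
xz_version_affected() {
    case "$(upstream_version "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Live check: report liblzma5 and xz-utils as dpkg sees them (assumes dpkg-query).
report_installed() {
    for pkg in liblzma5 xz-utils; do
        ver="$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null || true)"
        if [ -z "$ver" ]; then
            echo "$pkg: not installed"
        elif xz_version_affected "$ver"; then
            echo "$pkg: $ver AFFECTED"
        else
            echo "$pkg: $ver not affected"
        fi
    done
}

# Given `ss -Hltn` style output (no header, one listening TCP socket per line,
# local address:port in column 4), print the addresses bound on port 22.
# 0.0.0.0 or [::] would mean "every interface", a single address means one interface.
ssh_listen_addrs() {
    printf '%s\n' "$1" | awk '$4 ~ /:22$/ { sub(/:22$/, "", $4); print $4 }'
}

# Constructed sample in the shape of `ss -Hltn` on a device where sshd is bound
# only to the WiFi address (192.168.1.20 is made up) and CUPS only to localhost.
SAMPLE_SS='LISTEN 0 128 192.168.1.20:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*'

# On a real device: report_installed; ssh_listen_addrs "$(ss -Hltn)"
```

Run `report_installed` and `ssh_listen_addrs "$(ss -Hltn)"` on the device itself; the sample only shows the expected shape of the listener output.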
@arubislander
Thanks for the fast answer! -