<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Secret Backdoor Found in XZ Utils Library, Is ubuntu touch affected?]]></title><description><![CDATA[<p dir="auto">Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros.<br />
Is ubuntu touch affected?</p>
]]></description><link>https://forums.ubports.com/topic/10001/secret-backdoor-found-in-xz-utils-library-is-ubuntu-touch-affected</link><generator>RSS for Node</generator><lastBuildDate>Fri, 06 Mar 2026 11:50:43 GMT</lastBuildDate><atom:link href="https://forums.ubports.com/topic/10001.rss" rel="self" type="application/rss+xml"/><pubDate>Sat, 30 Mar 2024 06:51:39 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to Secret Backdoor Found in XZ Utils Library, Is ubuntu touch affected? on Sat, 30 Mar 2024 07:48:08 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/user/arubislander" aria-label="Profile: arubislander">@<bdi>arubislander</bdi></a><br />
Thanks for the fast answer!</p>
]]></description><link>https://forums.ubports.com/post/79486</link><guid isPermaLink="true">https://forums.ubports.com/post/79486</guid><dc:creator><![CDATA[Charly]]></dc:creator><pubDate>Sat, 30 Mar 2024 07:48:08 GMT</pubDate></item><item><title><![CDATA[Reply to Secret Backdoor Found in XZ Utils Library, Is ubuntu touch affected? on Sat, 30 Mar 2024 08:07:57 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/user/charly" aria-label="Profile: Charly">@<bdi>Charly</bdi></a> This is a great question! The short answer is 'no'.  The version of the library available in the repositories used by UT does not contain this vulnerability.</p>
<p dir="auto">The long answer is more interesting. According to the <a href="https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html" rel="nofollow ugc">The Hacker News</a> article I read, the vulnerable library versions are 5.6.0 and 5.6.1. The vulnerability seems to involve <em>potentially</em> exposing SSH services to unauthorized access.</p>
<p dir="auto">Opening the Terminal app and running <code>apt-cache policy xz-utils</code> on Focal gives the following output:</p>
<pre><code>phablet@ubuntu-phablet:~$ apt-cache policy xz-utils
xz-utils:
  Installed: (none)
  Candidate: 5.2.4-1ubuntu1.1
  Version table:
     5.2.4-1ubuntu1.1 500
        500 http://ports.ubuntu.com/ubuntu-ports focal-updates/main arm64 Packages
        500 http://ports.ubuntu.com/ubuntu-ports focal-security/main arm64 Packages
     5.2.4-1 500
        500 http://ports.ubuntu.com/ubuntu-ports focal/main arm64 Packages
phablet@ubuntu-phablet:~$ 
</code></pre>
<p dir="auto">As you can see, Focal carries version 5.2.4 of the library. Notice that the library isn't even installed by default, which would be the case for most users. Furthermore, even <em>if</em> it were installed, SSH is also disabled by default, unless you have enabled Developer mode in the System Settings, which most users will not have done.<br />
Additionally, even with Developer mode enabled, some ports still require the user to manually start the SSH server for use, on every reboot. Then even after all of this would be in place, a malicious actor would need to be on the same network your device is connected to by WiFi to even attempt to exploit this vulnerability, as the SSH daemon on UT does not listen on the mobile network interface. (That is one reason you should be mindful when connecting to public WiFi.)<br />
So an out-of-the-box install of UT is not affected by this vulnerability.</p>
<p dir="auto">What about applications that install and use their own version of the xz library? As long as they are confined and do not start their own SSH server using the library, then this vulnerability would also not be able to be exploited.<br />
Unconfined apps could potentially install a compromised version of the library system-wide, but unless they also start an SSH server, and configure it to listen on the mobile interface, they would still face most of the challenges mentioned above.</p>
]]></description><link>https://forums.ubports.com/post/79485</link><guid isPermaLink="true">https://forums.ubports.com/post/79485</guid><dc:creator><![CDATA[arubislander]]></dc:creator><pubDate>Sat, 30 Mar 2024 08:07:57 GMT</pubDate></item></channel></rss>