
Malicious Code Discovered in xz 5.6.0/5.6.1 Packages Affecting Fedora 40 and Rawhide (CVE‑2024‑3094)

Red Hat's urgent security advisory reveals that the xz 5.6.0/5.6.1 tools and libraries contain sophisticated malicious code that can grant unauthorized remote access. The affected packages reached Fedora 40, Fedora 41, and Rawhide; all versions of Red Hat Enterprise Linux are unaffected.

IT Services Circle

Red Hat issued an urgent security advisory for Fedora Linux 40 and Fedora Rawhide users: the latest xz 5.6.0/5.6.1 tools and libraries contain malicious code that could allow unauthorized remote access to affected systems.

xz (the xz-utils package, which also provides the liblzma library) is a general-purpose compression format and toolset present in almost every Linux distribution; it is used to shrink large files and archives for storage and transfer, and liblzma is linked into many other programs on the system.

Red Hat has assigned CVE‑2024‑3094 to the issue. Investigation shows that within the Red Hat ecosystem the affected packages exist only in Fedora 41 and Fedora Rawhide (Fedora 40 beta users may also have received xz 5.6.0 depending on when they updated, which is why the advisory addresses Fedora 40 as well); all versions of Red Hat Enterprise Linux are unaffected.

Andres Freund, a PostgreSQL developer at Microsoft, found the backdoor after noticing unusually slow SSH logins with high CPU use and valgrind errors in liblzma; his reverse‑engineering analysis showed that the malicious code uses sophisticated techniques to evade detection. His full write-up is on the oss‑security list: https://www.openwall.com/lists/oss-security/2024/03/29/4

GitHub has completely disabled the tukaani-project/xz repository, citing a violation of its Terms of Service; owners can contact GitHub support for details.

The attacker, operating as JiaT75 (“Jia Tan”), created a GitHub account in 2021, began contributing to xz‑utils, gradually gained trust, and became a maintainer; the backdoor itself landed roughly three years later, in the 5.6.0 and 5.6.1 releases of early 2024.

The malicious additions were staged in pieces: a binary payload hidden in files under the test suite, an m4 build script (present in the release tarballs but not in the git repository) that re‑assembles and decompresses that payload during the build, a hook that intercepts OpenSSL's RSA_public_decrypt inside sshd, and the resulting SSH authentication backdoor. Once the backdoored release was out, JiaT75 urged major Linux distro maintainers to adopt it, claiming “great new features”.
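The two facts above (only the 5.6.0/5.6.1 releases carry the payload, and the payload lives in liblzma, which sshd loads only indirectly) are enough for a first-pass host triage. The script below is an added example, not code from the advisory, Red Hat, or the xz project; it assumes a glibc-based Linux host with `xz`, `ldd`, and sshd at /usr/sbin/sshd, and the sample `ldd` output it embeds is constructed for illustration.

```shell
#!/bin/sh
# Added triage helper for CVE-2024-3094 (example code, not from the advisory
# or the xz project). Assumes a glibc-based Linux host with `xz`, `ldd` and
# sshd at /usr/sbin/sshd. The sample ldd output below is constructed.

# Return 0 (true) when a version string, or the first line of `xz --version`
# output such as "xz (XZ Utils) 5.6.1", names one of the backdoored releases.
xz_version_affected() {
    v=$(printf '%s\n' "$1" \
        | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# The payload lives in liblzma, so sshd is only reachable if liblzma is mapped
# into its process. On Fedora and Debian-family systems that happens through
# libsystemd, which distro patches link into sshd for readiness notification.
# Given `ldd` output, return 0 when liblzma appears anywhere in the chain.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample of what `ldd /usr/sbin/sshd` looks like on an exposed
# host (addresses shortened); used for offline testing of the check.
SAMPLE_LDD_EXPOSED="    linux-vdso.so.1 (0x00007ffd)
    libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f)
    liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f)
    libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f)"

# Run both checks on the live host. Returns 1 if a backdoored release is
# installed (exposed or not), 0 otherwise. A clean result is not proof of
# absence: only the version string and the link chain are examined, not the
# library contents, and a distro may ship a renamed or rebuilt package.
check_host() {
    affected=0
    linked=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz --version 2>/dev/null | head -n 1)
        if xz_version_affected "$ver"; then
            echo "AFFECTED: $ver is a backdoored release"
            affected=1
        else
            echo "ok: $ver"
        fi
    else
        echo "xz not installed"
    fi
    sshd=/usr/sbin/sshd
    if [ -x "$sshd" ] && sshd_links_liblzma "$(ldd "$sshd" 2>/dev/null)"; then
        echo "note: $sshd loads liblzma (typically via libsystemd)"
        linked=1
    fi
    if [ "$affected" = 1 ] && [ "$linked" = 1 ]; then
        echo "EXPOSED: backdoored liblzma is reachable from sshd; downgrade to 5.4.x and treat the host as compromised until verified"
        return 1
    fi
    if [ "$affected" = 1 ]; then
        echo "backdoored liblzma installed but not loaded by sshd; downgrade to 5.4.x anyway"
        return 1
    fi
    return 0
}

# Run the live checks only when invoked as `sh xz-check.sh --check`.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it with `--check` to inspect the current host; the functions can also be sourced and fed captured `xz --version` and `ldd` output from other machines. The linkage check is the part worth keeping after the incident: it is a cheap way to learn which system daemons would be reachable through a compromised shared library before the next one ships.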

The backdoored release contained bugs that caused crashes and other errors; JiaT75 worked with downstream developers to fix them and advised them not to disclose the problems publicly.

Both the GitHub account and the xz‑utils repository have now been shut down.

The incident highlights challenges faced by maintainers of low‑visibility open‑source projects when malicious actors offer “help”.

Original maintainer Lasse Collin expressed exhaustion, noting he can fix bugs but cannot develop new features, and considered giving Jia Tan a larger role, eventually making him a co‑maintainer despite the project being unpaid.

Tags: Open-source, security, GitHub, CVE-2024-3094, Fedora, malware, XZ
Written by

IT Services Circle

Delivering cutting-edge internet insights and practical learning resources. We're a passionate and principled IT media platform.
