Audit xz and libarchive in dom0 etc due to being released by known-malicious individual

[no-usernames-left]

Dom0 has xz-5.4.1, which doesn't include that backdoor. Neither Fedora 39 nor Debian 12 are affected.

Originally posted by @marmarek in #9067 (comment)

xz-5.4.1 was released by the very same person who inserted the backdoor into 5.6.0/5.6.1:
https://github.com/tukaani-project/xz/tree/v5.4.1

We should look at libarchive too; vulnerabilities are now known to have been inserted by the same person who backdoored xz:
libarchive/libarchive#1609

A good timeline is still being created here:
https://boehs.org/node/everything-i-know-about-the-xz-backdoor

We may wish to consider the use of zstd instead:
https://github.com/facebook/zstd

[no-usernames-left]

Related:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024

[marmarek]

We are monitoring related information, but for now nobody has found anything nefarious in versions older than 5.6.0 (nor in libarchive). We are not going to audit ourselves all the code he changed, but we may consider some extra mitigation if needed.

[no-usernames-left]

@marmarek Security of libarchive was downgraded (replacement of safe fprint with unsafe fprint) by the same actor:
libarchive/libarchive#1609

[emaste]

Note that "released by known-malicious individual" does not apply to libarchive; they were not involved in the libarchive release process and were not a libarchive maintainer.

The known-malicious individual was successful in getting a change into libarchive that is plausibly an intentional, minor security reduction. That is reverted in libarchive 3.7.3. All of their libarchive changes have been re-reviewed (libarchive/libarchive#2103) and no concern was identified with other changes.

That said, additional code review / audit is certainly welcome.