XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access



    Phoronix: XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

    Red Hat today issued an "urgent security alert" for Fedora 41 and Fedora Rawhide users over XZ. Yes, the XZ tools and libraries for this compression format. Some malicious code was added to XZ 5.6.0/5.6.1 that could allow unauthorized remote system access...


  • #2
    That's not good. It'll be interesting to see the fallout. RedHat's writeup states the malicious code is not in the git repo, but only in the download packages. So, did the dev's local box get owned or did the dev go malicious? i.e., their build box is compromised?



    • #3
      Wow... at first I figured this was just a bug where a malformed archive could cause a buffer overflow, double free, or something like that. But this is a pretty tricky attack on the source itself that would be hard to detect by the developers who typically would just be pulling directly from git instead of downloading a release tarball.

      This wasn't done by an amateur, and XZ along with a lot of other open source projects need to be super careful with monitoring what ends up in the repo.



      • #4
        Originally posted by rhavenn View Post
        That's not good. It'll be interesting to see the fallout. RedHat's writeup states the malicious code is not in the git repo, but only in the download packages. So, did the dev's local box get owned or did the dev go malicious? ie: their build box is compromised?
        It's the *source* tarball which contains the final piece of the malicious code, not the binaries. It's no coincidence that starting from today Arch Linux switched to the git tag lol
        Last edited by darkbasic; 29 March 2024, 12:58 PM.
        ## VGA ##
        AMD: X1950XTX, HD3870, HD5870
        Intel: GMA45, HD3000 (Core i5 2500K)



        • #5
          None of this would have happened if they had completely replaced autotools with CMake in the first place.



          • #6
            Originally posted by darkbasic View Post

            It's the *source* tarball which contains the final piece of the malicious code, not the binaries. It's no coincidence that starting from today Arch Linux switched to the git tag lol
            Agh, okay. However, still...how do those get "built" without that code being reflected in the actual git repo? I would think that would be even more of a locked down permission to allow those to be uploaded. It would be one thing if everything was 100% in the git repo and some "new developer" pushed some new code that looked good and they snuck in the malicious stuff, but they're sneaking in malicious stuff both in the git repo and different code in the source tarball.

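The question raised above, how a release tarball can carry code that the corresponding git tag does not, is exactly what a tarball-versus-tag comparison surfaces. The POSIX shell function below is an added example, not code from this thread, from Red Hat or from any distribution's tooling: it extracts the tag with `git archive`, extracts the tarball with `tar`, and reports every path that is extra, missing or modified relative to the tag. The repository, the tag name `v1.0`, the tarball name `demo-1.0.tar` and the file names (`configure.ac`, `m4/extra.m4` and so on) are all constructed for the demonstration; it assumes `git`, `tar` and `cmp` are installed and that the tarball has a single top-level directory, as release tarballs do.

```shell
#!/bin/sh
# Compare a release tarball against the git tag it claims to be built from.
# Added example; repository, tag and file names are constructed for the demo.

# List regular files under a directory, relative to it, in a stable order.
list_files() {
    (cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort)
}

# release_vs_tag <repo_dir> <tag> <tarball>
# Prints one line per divergent path:
#   "extra <path>"    present in the tarball but not tracked at the tag
#   "missing <path>"  tracked at the tag but absent from the tarball
#   "modified <path>" present in both with different content
release_vs_tag() {
    repo=$1; tag=$2; tarball=$3
    work=$(mktemp -d)
    mkdir "$work/tag" "$work/rel"
    # git archive yields exactly the tracked tree at the tag (honouring export-ignore).
    git -C "$repo" archive --format=tar "$tag" | tar -xf - -C "$work/tag"
    # Drop the tarball's top-level directory so paths line up with the tag tree.
    tar -xf "$tarball" --strip-components=1 -C "$work/rel"
    list_files "$work/rel" > "$work/rel.list"
    list_files "$work/tag" > "$work/tag.list"
    # Everything the tarball has that the tag lacks, or has with other content.
    while IFS= read -r f; do
        if [ ! -f "$work/tag/$f" ]; then
            echo "extra $f"
        elif ! cmp -s "$work/tag/$f" "$work/rel/$f"; then
            echo "modified $f"
        fi
    done < "$work/rel.list"
    # Tracked files the tarball dropped.
    while IFS= read -r f; do
        [ -f "$work/rel/$f" ] || echo "missing $f"
    done < "$work/tag.list"
    rm -rf "$work"
}

# Demo: a constructed upstream repo tagged v1.0, and a "release" tarball that
# adds a generated configure script, adds an m4 file git never saw, and edits
# configure.ac after tagging. Returns the report on stdout.
demo_release_vs_tag() {
    d=$(mktemp -d)
    mkdir -p "$d/repo/src" "$d/repo/m4"
    printf 'AC_INIT([demo], [1.0])\n' > "$d/repo/configure.ac"
    printf 'int main(void) { return 0; }\n' > "$d/repo/src/main.c"
    printf 'dnl legitimate tracked macro\n' > "$d/repo/m4/ax_foo.m4"
    git -C "$d/repo" init -q
    git -C "$d/repo" add .
    git -C "$d/repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "release 1.0"
    git -C "$d/repo" tag v1.0
    # Build the release tree from the tagged files, then diverge from them.
    cp -r "$d/repo" "$d/demo-1.0"
    rm -rf "$d/demo-1.0/.git"
    printf '# generated by autoreconf: expected extra, still worth reviewing\n' \
        > "$d/demo-1.0/configure"
    printf 'dnl present only in the tarball\n' > "$d/demo-1.0/m4/extra.m4"
    printf '\nAC_OUTPUT\n' >> "$d/demo-1.0/configure.ac"
    tar -cf "$d/demo-1.0.tar" -C "$d" demo-1.0
    release_vs_tag "$d/repo" v1.0 "$d/demo-1.0.tar"
    rm -rf "$d"
}

demo_release_vs_tag
```

Files that autoreconf generates (`configure`, `Makefile.in`, `aclocal.m4`) will legitimately show up as `extra` in any autotools release, so the report is a review queue rather than a verdict: the useful signal is an `extra` or `modified` entry that the project's own bootstrap script cannot reproduce from the tag, and a distro that regenerates those files itself (or builds from the tag, as the Arch switch mentioned above does) removes that class from the queue entirely.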


            • #7
              I've been talking about this issue for years and how woeful Linux (in)security is as a result. I knew something like that would happen and it just happened.

              Almost all distros, aside from maybe RHEL, rush to push upstream packages without ever verifying that the source code has not been tampered with.

              What's worse, independent maintainers assigned for packaging are often not even developers themselves, so they have no means or qualifications to read the code and see if it's still trustworthy. And oftentimes maintainers are in charge of multiple packages, and at the same time it's not their primary job or something they get paid for, so there's little to no interest to make sure things are right.

              Whereas big corporations such as Microsoft, Google or Apple endorse every line of code that reaches you as a customer, no such thing exists in the Linux world. And it's not limited to Linux, as FreeBSD is equally affected. I'm not sure about OpenBSD/NetBSD as I've never used those.

              Can this issue be solved? I've no idea.

              There should be a concerted effort by Linux distros to verify packages and mark them as safe. I've never heard of anything in this regard with the only exception of RHEL which is not a desktop distro and besides they have severely limited their ties to the community.

              This is not an XZ issue. This is the issue of the entire Linux ecosystem. The issue of safety, security, trust and verifiability.



              • #8
                Long story short, make sure you don't have XZ 5.6.0/5.6.1 on your systems now.
                Fedora 41 beta users have already "luckily" updated to it.



                • #9
                  Originally posted by avis View Post
                  I've been talking about this issue for years and how woeful Linux (in)security is as a result. I knew something like that would happen and it just happened.

                  Almost all distros, aside from maybe RHEL, rush to push upstream packages without ever verifying that the source code has not been tampered with.
                  Which distros? Fedora 41 when Fedora 40 is not even released yet? Rush, verifying source code? Are you fking kidding me? The difference is you can verify code on Linux while you can only dream about this on Windows or macOS. Thanks for reminding me what a total joke Windows 'security' is. That's one of the reasons Windows is slow crap. Backdoors are consuming your CPU time!

                  Whereas big corporations such as Microsoft, Google or Apple endorse every line of code
                  Good JOKE! Especially in proprietary apps! Closed source must be prohibited, because of security reasons. Now you're the biggest Open Source advocate and proprietary hater. Thanks! Oh, we can't forget Microsoft and Apple introduce backdoors themselves.
                  Last edited by Volta; 29 March 2024, 01:17 PM.



                  • #10
                    Whereas big corporations such as Microsoft, Google or Apple endorse every line of code that reaches you as a customer, no such thing exists in the Linux world. And it's not limited to Linux, as FreeBSD is equally affected. I'm not sure about OpenBSD/NetBSD as I've never used those.

                    Can this issue be solved? I've no idea.
                    Excuse me while I laugh....
