XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

  • #41
    Originally posted by kozman

    And how many other obfuscated nuggets are hiding out there that no one has audited yet?
    If this accident is "resolved" as a single occurrence only affecting a single package, then nothing will ever change or be done.

    Meanwhile: https://checkmarx.com/blog/pypi-is-u...ion-suspended/

    "Open Source" does not automatically imply security. Never has, never will.



    • #42
      This is not a Red Hat issue:



      After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

      The upstream xz repository and the xz tarballs have been backdoored.

      At first I thought this was a compromise of Debian's package, but it turns out to be upstream.



      • #43
        Originally posted by HEL88



        Then why is desktop Linux so buggy when it has better inspection than macOS and Windows????

        Linux desktop is legendary for its bugs.

        Answer yourself why so many developers switched from Linux to macOS???? Because they're tired of fighting stupid bugs, unsuccessful updates. They want to work.

        It's because Linux takes security seriously. Fixing security bugs introduces regressions. On Windows and macOS regressions are mostly introduced by incompetence. Software developers prefer Linux over the toys mentioned, so stop making such claims.

        Why is Windows so buggy?

        While the update was predominantly in place to fix issues identified in previous updates, including a persistent 0x800F0922 error, it's seemingly brewing more trouble for users. According to a spot by Windows Latest, the update is reportedly causing Blue Screen of Death (BSOD) errors for some users.

        Multiple users have shared similar accounts across social media platforms. Some have even lodged complaints citing slow boot times and degraded system performance after installing the update.
        Cumulative updates: March 12th, 2024 from r/Windows11

        Windows Latest's Mayank Parmar indicated that he experienced the BSOD immediately after installing the update, with the reason for the error being "Thread Stuck in Device Driver." In the KB5035853 update's support page, there's a section highlighting that "Microsoft is not currently aware of any issues with this update."

        Interestingly, the issue seems to have riddled many users, if the reports lodged across social media are anything to go by. There doesn't seem to be a workaround or fix for the issue, therefore, you'd be better off not installing this update until the issue is fixed.

        Very M$ thing. Break what's broken even more.

        Last edited by Volta; 29 March 2024, 03:02 PM.



        • #44
          Originally posted by rhavenn
          Do you get paid per troll post or something by some PR / marketing firm? Like....why even bother if the only thing you're going to do is take massive shits over everything, but in reality are just misleading opinions at best and just full on bullshit at worst.

          If what I posted is such "bullshit", then you should have no problem pointing out the errors.



          The attached de-obfuscated script is invoked first after configure, where it decides whether to modify the build process to inject the code.

          Sorry to burst the fantasy bubble you and other Linux enthusiasts live in, but this attack can be used to compromise any piece of open source software on any Linux distro.

          As i have said time and time again, open source is a scam perpetrated on the gullible.

          People with a real computer science background just laugh at the absurdity of the belief system.

          Last edited by sophisticles; 29 March 2024, 02:46 PM.



          • #45
            This sort of thing is why, when setting up something like a Flatpak manifest, I prefer to build from a tag on a git repo instead of from a tarball wherever possible. Minimize the chance that someone who's auditing their code will be looking at something other than what gets built and installed.

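The build-from-a-tag preference in the post above can be turned into a concrete check before a tarball is ever fed to a build. The script below is an added example, not code from the post or from the xz project: it lists every path present in a release tarball that is absent from `git archive` of the corresponding tag, so whatever the tag does not contain (generated autotools files, but also anything else) is visible to the person doing the review. The function names, the constructed demo listings and the assumption that the tarball unpacks into a single `name-version/` directory are mine.

```shell
#!/bin/sh
# Added example (not from the post or the xz project): compare a release
# tarball with the git tag it claims to be built from, and print every path
# that exists only in the tarball.  Assumes both listings start with a single
# top-level directory component (name-version/ for the tarball; the git
# archive is given the same shape with --prefix).

# Turn a tar listing on stdin into a sorted list of files relative to the
# top-level directory: strip "./" and the first path component, drop
# directory entries and empty lines.
normalize_listing() {
    sed -e 's#^\./##' -e 's#^[^/]*/##' \
        | grep -v '/$' \
        | grep -v '^$' \
        | sort -u
}

# Print lines present in the tarball listing ($1) but not in the git
# listing ($2).  Both files must already be normalized (sorted).
extra_in_tarball() {
    comm -13 "$2" "$1"
}

# Full check, run inside a clone of the upstream repository:
#   check_release_tarball <tarball> <tag>
# Exit status is 1 when the tarball carries files the tag does not.
check_release_tarball() {
    tarball=$1
    tag=$2
    tmp=$(mktemp -d) || return 2

    tar -tf "$tarball" | normalize_listing > "$tmp/tarball.lst"
    git archive --format=tar --prefix="$tag/" "$tag" \
        | tar -t | normalize_listing > "$tmp/git.lst"

    extras=$(extra_in_tarball "$tmp/tarball.lst" "$tmp/git.lst")
    rm -rf "$tmp"

    if [ -n "$extras" ]; then
        echo "Files in $tarball not present in git tag $tag:"
        echo "$extras"
        return 1
    fi
    echo "$tarball matches git tag $tag"
    return 0
}

# Constructed demo listings (not real xz contents): the tarball carries a
# generated configure script and an m4 file that the tagged tree lacks.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'proj-1.0/\nproj-1.0/configure\nproj-1.0/m4/\nproj-1.0/m4/build-to-host.m4\nproj-1.0/src/main.c\n' \
        | normalize_listing > "$tmp/tarball.lst"
    printf 'proj-1.0/\nproj-1.0/m4/\nproj-1.0/src/main.c\n' \
        | normalize_listing > "$tmp/git.lst"
    extra_in_tarball "$tmp/tarball.lst" "$tmp/git.lst"
    rm -rf "$tmp"
}

# With two arguments run the real check; otherwise show the demo.
if [ "$#" -eq 2 ]; then
    check_release_tarball "$1" "$2"
else
    demo
fi
```

Run it as `sh check_tarball.sh name-X.Y.Z.tar.gz vX.Y.Z` inside a clone of the upstream repository (placeholder names). Entries such as configure, Makefile.in and aclocal.m4 are normal for an autotools release and will always show up; the point is that each extra file is enumerated and looked at rather than built blindly, since the modified m4/build-to-host.m4 that triggered the xz injection was shipped in the release tarball and was not part of the committed git tree.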


            • #46
              Originally posted by kozman

              Unless you and the rest of the community can see Microsoft's code, well, it's not a stretch that some kind of backdoor or other grouping of code that would require some known chained exploit could exist in Windows. As is shown by last week's Pwn2Own, people FAR SMARTER than us reading this--or giving our collective 2 cents---have found Windows holes to exploit (https://www.zerodayinitiative.com/bl...ay-one-results / https://www.zerodayinitiative.com/bl...ay-two-results). Were they left in on purpose or intentionally not fixed? <shrug> Maybe just sloppy coding. I'm not putting my tinfoil hat on and throwing out any conspiracy theories.

              Vulnerabilities and backdoors are two completely different things. Microsoft, like any other large software company, has fixed a ton of vulnerabilities in its products, but I don't remember a single case where they've been caught having backdoors.

              At the same time IoT vendors like TP-Link, ASUS and D-Link have been caught doing this multiple times (in their Linux routers), only those weren't "backdoors" but "test accounts for debugging". Go figure whether they were lying or not.



              • #47
                Imagine Windows trolls talking about security and code review! They have outdone themselves.



                • #48
                  Originally posted by avis
                  I don't remember a single case where they've been caught having backdoors.

                  Give us a link for the Windows repo, so we can see.



                  • #49
                    Originally posted by sophisticles

                    From the article Michael published:

                    Michael is wrong. Go read the original sources. There is no such update for "Fedora 41" because it hasn't branched for development yet. The only update linked in the Red Hat blog is for Fedora 40.



                    • #50
                      Originally posted by avis

                      If this accident is "resolved" as a single occurrence only affecting a single package, then nothing will ever change or be done.

                      Meanwhile: https://checkmarx.com/blog/pypi-is-u...ion-suspended/

                      "Open Source" does not automatically imply security. Never has, never will.

                      NO software implies security.

