The resulting malicious build interferes with authentication in sshd via systemd.
XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access
Originally posted by justinkb View Post
Looks like whoever rolls the release tarballs got their machine owned.
Originally posted by justinkb View Post
PS. This was found relatively fast imo. I am a bit confused how this could have a lot of impact tho, since you'd expect builds to occur in complete isolation. I don't see how an unprivileged xz binary or library invocation could affect the ssh or related files once installed. Who is invoking xz as root? Is the issue in the second stage when a build environment invokes xz to compress the built package?
Likes 2
Originally posted by avis View Post
Whereas big corporations such as Microsoft, Google or Apple endorse every line of code that reaches you as a customer, no such thing exists in the Linux world. And it's not limited to Linux, as FreeBSD is equally affected. I'm not sure about OpenBSD/NetBSD as I've never used those.
So yeah your comment is a load of bullshit (as usual).
Likes 8
Originally posted by yoshi314 View Post
yes, we get zero vulnerabilities or oversights in proprietary software. surely. there are no malicious apps on app stores, there are no backdoors in windows, there are no unauthorized easter eggs in proprietary software. it's all absolutely perfect and flawless and every release they assign a bunch of humans to read all the 300GB of source code to make sure it's tiptop quality.
2. Show me backdoors in Windows, I dare you.
Originally posted by calc View Post
Here's an article documenting at least a few.
https://www.theregister.com/2013/07/11/snowden_leak_shows_microsoft_added_outlookencryption_backdoor_for_feds/
And one of the reasons that the US was very upset about the Snowden leak pointing out that they were backdooring all sorts of software with wide industry support.
I would not be surprised in the least if Bitlocker was similarly backdoored for the NSA.
There were other companies claiming there were unknown "vulnerabilities" for years in their software that were never fixed until the Snowden leak pointing them out, they were likely similarly working with the NSA but with better plausible deniability.
A big part of the reason the US govt is concerned about TikTok/ByteDance being controlled by the CCP is that they do the same things themselves.
Originally posted by kozman View Post
I've used Windows since 89 and I too have not remembered hearing about any *known* or intentional backdoors. There's always been rumors for Bitlocker but it's yet to be proven. It doesn't mean there might not be one. No one has access to the code to qualify it. And yes, tons of vendors have been publicly busted for back doors. I hope you are >not< saying that a chain of vulnerabilities in aggregate cannot be manifested as a back door. A back door doesn't just have to just be an app running silently in the background or what this yoyo did to XZ. I'm not claiming to be a coder here but the basic idea of a backdoor has expanded since the old days.
Originally posted by CommunityMember View Post
Well, it has been, but because the mirrors have various schedules of updating their copies you may not see it yet (just as it says on the top of that page, updates may take time to propagate to mirrors).
If the mirror(s) you have access to are not cooperating (and you can't find one that is) you can always pull the packages directly from koji.
The only workaround right now is
Code:
sudo dnf downgrade xz-libs
Originally posted by kozman View Post
NO software implies security.
Likes 2
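The workaround quoted above only matters on hosts where sshd actually reaches liblzma, which is the dependency path the article's opening sentence describes (sshd linked against libsystemd, which pulls in liblzma). The following check is an added example and not code from the thread or from any distribution: it parses ldd-style output, so it runs on the constructed sample below, and the `--live` mode applies the same test to the real sshd binary on the host. The path `/usr/sbin/sshd` and the package names `xz-libs`/`liblzma5` are assumptions for Fedora- and Debian-style systems.

```shell
# Added example, not from the forum thread. Reports whether sshd links liblzma
# through libsystemd so an admin knows whether the xz-libs downgrade is relevant.

links_liblzma() {
    # $1: text in ldd output format. Returns 0 if liblzma appears, 1 otherwise.
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample of ldd output for an sshd build that is linked against
# libsystemd, which in turn pulls in liblzma (addresses are made up).
SAMPLE_LDD='linux-vdso.so.1 (0x00007ffd10000000)
libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f0000100000)
libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f0000200000)
liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f0000300000)
libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)'

# Constructed sample for an sshd build with no libsystemd/liblzma dependency.
SAMPLE_LDD_CLEAN='linux-vdso.so.1 (0x00007ffd10000000)
libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f0000100000)
libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)'

check_host() {
    # Live check on this machine: assumed sshd location if it is not on PATH.
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "sshd at $sshd_path links liblzma (via libsystemd): review the installed xz version"
        # Assumed package names for rpm- and dpkg-based systems.
        rpm -q xz-libs 2>/dev/null || dpkg -l liblzma5 2>/dev/null
    else
        echo "sshd at $sshd_path does not link liblzma"
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run the script with `--live` on the host to inspect the real sshd; if it reports a liblzma link, the `sudo dnf downgrade xz-libs` step from the post above (or the equivalent package rollback on other distributions) is the one that removes the affected library from sshd's process.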
Originally posted by emansom View Post
This project needs to be quarantined, all commits made by @JiaT75 and other projects he contributed code with and to, to be considered backdoors and this project to be taken over by a trusted party. If next month a new release is made by @JiaT75 and all distributions packagers just go along with it like nothing happened: nothing was learned from this supply chain attack.
There's a chance he will likely force-push, corrupting the history of this git repository. So even the repository itself shouldn't be trusted. Retrieve backups from really really old build machines before he ever contributed if possible.
Yes, be that paranoid. If you don't think that's necessary you don't grasp the severity of what has been exposed today.
Originally posted by Vorpal View Post
I can say for sure (having worked for big companies) that they don't review everything. Consider something like pulling a new version of LLVM or Boost. No one at Google sits down and checks every single changed line; it would be infeasible. You review new dependencies, sure. Depending on the company you may sit down and review it line by line, but probably not for a big dependency. Also, code review doesn't catch everything (otherwise we wouldn't have bugs in general).
So yeah your comment is a load of bullshit (as usual).
Except LLVM and GCC include developers from Apple, Microsoft, Google, Intel, AMD and RedHat.
Good luck trying to push a malicious commit to either of these compilers. BS is on you, not me.
I get it, Linux is very close to your heart, but it would be nice if you admitted what I wrote about is kinda true even if it doesn't sound pretty, or you're welcome to show backdoors in software products made by major corporations such as MS, Google or Apple. Good luck with that.
There has been a lot of BS in this discussion about backdoors in closed source software but no one has been able to demonstrate those aside from an article in The Register which doesn't talk about an actual incident but about leaked slides.
Last edited by avis; 29 March 2024, 04:41 PM.
Likes 4
Originally posted by avis View Post
Nice hearsay. Show me a CVE, please. The fact that some leaked slides stated that Outlook might have been backdoored doesn't mean its public releases ever were.
CVEs are generally reserved for software you would run yourself on your hardware, not something that Microsoft backdoored for the NSA that they run on their own servers.
But there are CVEs for issues with customer hardware/software, like for Cisco firewalls, that had "vulnerabilities" for many years that likely were intentionally added for the NSA, adding them as "vulnerabilities" instead of obvious backdoors, when the binaries are inspectable, allows for plausible deniability.
UPDATE April 20, 2017 Cisco continues to evaluate potential implications of the activities and information posted publicly by the Shadow Brokers Group.
Likes 2
Originally posted by calc View Post
Better yet, show me ANY managed service that has issued a CVE
CVEs are generally reserved for software you would run yourself on your hardware, not something that Microsoft backdoored for the NSA that they run on their own servers.
But there are CVEs for issues with customer hardware/software, like for Cisco firewalls, that had "vulnerabilities" for many years that likely were intentionally added for the NSA, adding them as "vulnerabilities" instead of obvious backdoors, when the binaries are inspectable, allows for plausible deniability.
Cisco is not on the list of companies that I've mentioned specifically now three times.
Keep on digging. Just please don't try to make shit up, so far you've been doing just that.
BTW, US authorities have not been able to demonstrate a single backdoor in Huawei network equipment and they banned the company regardless. See? I'm also good at whataboutism.
Talk facts, please.
Likes 1
Originally posted by avis View Post
I'm pretty sure aside from a minor public apology and some reverts, nothing else will be done and everything will be business as usual while hackers will try to infiltrate other open source projects (if it's not already been done which is impossible to say).
Except they do.
Except LLVM and GCC include developers from Apple, Microsoft, Google, Intel, AMD and RedHat.
Good luck trying to push a malicious commit to either of these compilers. BS is on you, not me.
I get it, Linux is very close to your heart, but it would be nice if you admitted what I wrote about is kinda true even if it doesn't sound pretty, or you're welcome to show backdoors in software products made by major corporations such as MS, Google or Apple. Good luck with that.
There has been a lot of BS in this discussion about backdoors in closed source software but no one has been able to demonstrate those aside from an article in The Register which doesn't talk about an actual incident but about leaked slides.
Again, as I stated earlier, unpatched vulns all leading to a backdoor. Denial ain't just a river in Egypt son.
Likes 1
Originally posted by kozman View Post
I'll hold your beer. https://arstechnica.com/security/202...dware-feature/
Again, as I stated earlier, unpatched vulns all leading to a backdoor. Denial ain't just a river in Egypt son.
We're now discussing malware/backdoor distributed by Linux distros.
BTW it's not limited to Fedora 40, Fedora Rawhide and Debian SID. It's found its way to Arch Linux, NixOS unstable, Gentoo, OpenSuse factory/tumbleweed, LibreELEC, AlpineEdge, Solus, NixOS unstable, OpenIndiana, Mandriva rolling, Slackware current, Manjaro testing, pkgsrc current. A lovely list.
Many eyes check the code, they said. No way malware can be pushed and distributed, they said.
Most people here don't even realize the gravity of the situation.
Last edited by avis; 29 March 2024, 05:06 PM.
Likes 4