XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

  • #61
    The resulting malicious build interferes with authentication in sshd via systemd.
    Would my main PC with Devuan Ceres Xfce with runit instead of systemd be affected? Would this kind of exploit be possible without systemd?

    • #62
      Originally posted by justinkb
      Looks like whoever rolls the release tarballs got their machine owned.
      I'm afraid it's a lot more sinister than that. This exploit code has been gradually introduced and refined in the repository over the course of at least a year.

      Originally posted by justinkb
      PS. This was found relatively fast imo. I am a bit confused how this could have a lot of impact tho, since you'd expect builds to occur in complete isolation. I don't see how an unprivileged xz binary or library invocation could affect the ssh or related files once installed. Who is invoking xz as root? Is the issue in the second stage when a build environment invokes xz to compress the built package?
      The issue is that the SSHD builds on many distros link to libsystemd, which in turn links to liblzma. This can be exploited to get SSHD to run evil code that's been carefully hidden in liblzma…

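Post #61 asks whether an sshd on a system without systemd is exposed, and #62 answers that the exposure comes from sshd linking libsystemd, which in turn links liblzma. The check below is an added example, not code from the thread or from any distro; it classifies the `ldd` listing of an sshd binary by whether libsystemd and liblzma appear in its library closure (the function names and output labels are my own).

```shell
#!/bin/sh
# Added example (not from the thread): does an sshd binary's shared-library
# closure contain libsystemd and liblzma, the chain described in post #62?
set -e

# Reads `ldd` output on stdin and prints one of:
#   systemd+lzma   both libsystemd and liblzma are present (the described path applies)
#   lzma-only      liblzma is present but libsystemd is not (reached some other way)
#   none           liblzma is absent (this vector does not reach this sshd)
classify_ldd() {
  awk '
    /liblzma\.so/    { lzma = 1 }
    /libsystemd\.so/ { sysd = 1 }
    END {
      if (lzma && sysd) print "systemd+lzma"
      else if (lzma)    print "lzma-only"
      else              print "none"
    }
  '
}

# Classify the sshd given as $1, or the one found on PATH (often /usr/sbin,
# so pass the path explicitly when running unprivileged).
# Prints "sshd-not-found" when there is nothing to inspect.
check_sshd() {
  bin="${1:-$(command -v sshd 2>/dev/null || true)}"
  if [ -z "$bin" ] || [ ! -x "$bin" ]; then
    echo "sshd-not-found"
    return 0
  fi
  ldd "$bin" | classify_ldd
}

# Usage: sh check_sshd.sh --run [/path/to/sshd]
if [ "${1:-}" = "--run" ]; then check_sshd "${2:-}"; fi
```

`ldd` prints the whole transitive closure, so a `systemd+lzma` result says both libraries are loaded into the sshd process, not by itself which one pulled liblzma in; on a distro whose sshd is built without libsystemd the expected result is `none`.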
      • #63
        Originally posted by avis
        Whereas big corporations such as Microsoft, Google or Apple endorse every line of code that reaches you as a customer, no such thing exists in the Linux world. And it's not limited to Linux, as FreeBSD is equally affected. I'm not sure about OpenBSD/NetBSD as I've never used those.
        I can say for sure (having worked for big companies) that they don't review everything. Consider something like pulling a new version of LLVM or Boost. No one at Google sits down and checks every single changed line, it would be infeasible. You review new dependencies, sure. Depending on the company you may sit down and review it line by line, but probably not for a big dependency. Also code review doesn't catch everything (otherwise we wouldn't have bugs in general).

        So yeah your comment is a load of bullshit (as usual).

        • #64
          Originally posted by yoshi314

          yes, we get zero vulnerabilities or oversights in proprietary software. surely. there are no malicious apps on app stores, there are no backdoors in windows, there are no unauthorized easter eggs in proprietary software. it's all absolutely perfect and flawless and every release they assign a bunch of humans to read all the 300GB of source code to make sure it's tiptop quality.
          1. Whataboutism
          2. Show me backdoors in Windows, I dare you.

          Originally posted by calc

          Here's an article documenting at least a few.

          https://www.theregister.com/2013/07/11/snowden_leak_shows_microsoft_added_outlookencryption_backdoor_for_feds/

          And one of the reasons that the US was very upset about the Snowden leak pointing out that they were backdooring all sorts of software with wide industry support.

          I would not be surprised in the least if Bitlocker was similarly backdoored for the NSA.

          There were other companies claiming there were unknown "vulnerabilities" for years in their software that were never fixed until the Snowden leak pointing them out, they were likely similarly working with the NSA but with better plausible deniability.

          A big part of the reason the US govt is concerned about TikTok/ByteDance being controlled by the CCP is that they do the same things themselves.
          Nice hearsay. Show me a CVE, please. The fact that some leaked slides stated that Outlook might have been backdoored doesn't mean its public releases ever were.

          Originally posted by kozman

          I've used Windows since 89 and I too have not remembered hearing about any *known* or intentional backdoors. There's always been rumors for Bitlocker but it's yet to be proven. It doesn't mean there might not be one. No one has access to the code to qualify it. And yes, tons of vendors have been publicly busted for back doors. I hope you are >not< saying that a chain of vulnerabilities in aggregate cannot be manifested as a back door. A back door doesn't just have to just be an app running silently in the background or what this yoyo did to XZ. I'm not claiming to be a coder here but the basic idea of a backdoor has expanded since the old days.
          Microsoft is a $2 trillion company with 2 billion customers and has a reputation to keep. Random Linux distros often created by people with no credentials and zero information have nothing to keep.

          Originally posted by CommunityMember

          Well, it has been, but because the mirrors have various schedules of updating their copies you may not see it yet (just as it says on the top of that page, updates may take time to propagate to mirrors).

          If the mirror(s) you have access to are not cooperating (and you can't find one that is) you can always pull the packages directly from koji.
          There's no update, bodhi has zero info on it. It's not been pushed.

          The only workaround right now is

          Code:
          sudo dnf downgrade xz-libs
          which I've already done.

          Originally posted by kozman

          NO software implies security.
          According to the vast majority of open source fans, Linux is a lot more secure than Windows because it's open source.

          • #65
            Originally posted by emansom
            This project needs to be quarantined, all commits made by @JiaT75 and other projects he contributed code with and to, to be considered backdoors and this project to be taken over by a trusted party. If next month a new release is made by @JiaT75 and all distributions packagers just go along with it like nothing happened: nothing was learned from this supply chain attack.

            There's a chance he will likely force-push, corrupting the history of this git repository. So even the repository itself shouldn't be trusted. Retrieve backups from really really old build machines before he ever contributed if possible.

            Yes, be that paranoid. If you don't think that's necessary you don't grasp the severity of what has been exposed today.
            I'm pretty sure aside from a minor public apology and some reverts, nothing else will be done and everything will be business as usual while hackers will try to infiltrate other open source projects (if it's not already been done which is impossible to say).

            Originally posted by Vorpal

            I can say for sure (having worked for big companies) that they don't review everything. Consider something like pulling a new version of LLVM or Boost. No one at Google sits down and checks every single changed line, it would be infeasible. You review new dependencies, sure. Depending on the company you may sit down and review it line by line, but probably not for a big dependency. Also code review doesn't catch everything (otherwise we wouldn't have bugs in general).

            So yeah your comment is a load of bullshit (as usual).
            Except they do.

            Except LLVM and GCC include developers from Apple, Microsoft, Google, Intel, AMD and RedHat.

            Good luck trying to push a malicious commit to either of these compilers. BS is on you, not me.

            I get it Linux is very close to your heart but it would be nice if you admitted what I wrote about is kinda true even if it doesn't sound pretty or you're welcome to show backdoors in software products made by major corporations such as MS, Google or Apple. Good luck with that.

            There has been a lot of BS in this discussion about backdoors in closed source software but no one has been able to demonstrate those aside from an article in The Register which doesn't talk about an actual incident but about leaked slides.
            Last edited by avis; 29 March 2024, 04:41 PM.

            • #66
              Originally posted by avis
              Nice hearsay. Show me a CVE, please. The fact that some leaked slides stated that Outlook might have been backdoored doesn't mean its public releases ever were.
              Better yet, show me ANY managed service that has issued a CVE

              CVEs are generally reserved for software you would run yourself on your hardware, not something that Microsoft backdoored for the NSA that they run on their own servers.

              But there are CVEs for issues with customer hardware/software, like for Cisco firewalls, that had "vulnerabilities" for many years that likely were intentionally added for the NSA, adding them as "vulnerabilities" instead of obvious backdoors, when the binaries are inspectable, allows for plausible deniability.

              UPDATE April 20, 2017 Cisco continues to evaluate potential implications of the activities and information posted publicly by the Shadow Brokers Group.

              • #67
                Originally posted by calc

                Better yet, show me ANY managed service that has issued a CVE

                CVEs are generally reserved for software you would run yourself on your hardware, not something that Microsoft backdoored for the NSA that they run on their own servers.

                But there are CVEs for issues with customer hardware/software, like for Cisco firewalls, that had "vulnerabilities" for many years that likely were intentionally added for the NSA, adding them as "vulnerabilities" instead of obvious backdoors, when the binaries are inspectable, allows for plausible deniability.
                This XZ malware has been assigned a CVE. And no CVEs for Outlook, right? Great! Only an article in the Register and zero info on any other reputable source, including Microsoft? Great!

                Cisco is not on the list of companies that I've mentioned specifically now three times.

                Keep on digging. Just please don't try to make shit up, so far you've been doing just that.

                BTW, US authorities have not been able to demonstrate a single backdoor in Huawei network equipment and they banned the company regardless. See? I'm also good at whataboutism.

                Talk facts, please.

                • #68
                  Originally posted by avis

                  I'm pretty sure aside from a minor public apology and some reverts, nothing else will be done and everything will be business as usual while hackers will try to infiltrate other open source projects (if it's not already been done which is impossible to say).

                  Except they do.

                  Except LLVM and GCC include developers from Apple, Microsoft, Google, Intel, AMD and RedHat.

                  Good luck trying to push a malicious commit to either of these compilers. BS is on you, not me.

                  I get it Linux is very close to your heart but it would be nice if you admitted what I wrote about is kinda true even if it doesn't sound pretty or you're welcome to show backdoors in software products made by major corporations such as MS, Google or Apple. Good luck with that.

                  There has been a lot of BS in this discussion about backdoors in closed source software but no one has been able to demonstrate those aside from an article in The Register which doesn't talk about an actual incident but about leaked slides.
                  I'll hold your beer. https://arstechnica.com/security/202...dware-feature/

                  Again, as I stated earlier, unpatched vulns all leading to a backdoor. Denial ain't just a river in Egypt son.

                  • #69
                    Originally posted by kozman

                    I'll hold your beer. https://arstechnica.com/security/202...dware-feature/

                    Again, as I stated earlier, unpatched vulns all leading to a backdoor. Denial ain't just a river in Egypt son.
                    The article talks about an unpatched vulnerability. How is this relevant at all to this discussion? You're now person N10 in this discussion who says "But what about?" This is not an argument, OK?

                    We're now discussing malware/backdoor distributed by Linux distros.

                    BTW it's not limited to Fedora 40, Fedora Rawhide and Debian SID. It's found its way to Arch Linux, NixOS unstable, Gentoo, OpenSuse factory/tumbleweed, LibreELEC, AlpineEdge, Solus, NixOS unstable, OpenIndiana, Mandriva rolling, Slackware current, Manjaro testing, pkgsrc current. A lovely list.

                    Many eyes check the code, they said. No way malware can be pushed and distributed, they said.

                    Most people here don't even realize the gravity of the situation.
                    Last edited by avis; 29 March 2024, 05:06 PM.

                    • #70
                      if you're on fedora run `sudo dnf downgrade xz`.
                      Should put it to the oldest version available for your repo
