XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access


  • #21
    Originally posted by avis View Post
    All the code Linux distros include must be manually inspected (and run through automated systems as well, since people don't always catch/see everything) and verified for being safe, period.
    What a fucking joke. Linux code is way more inspected than everything that comes from Microsoft or Apple. What a hypocrite.



    • #22
      VoidLinux has shipped the malicious release, but apparently is not affected.

      Bad news: https://www.openwall.com/lists/oss-security/2024/03/29/4 Good news: As of the current state of investigation VoidLinux is not affected by this backdoor.




      • #23
        Originally posted by oibaf View Post
        I still have no clue.

        Does that mean that if sshd ever gets executed, my system is entirely compromised? The mail is talking about liblzma and oh boy a lot of stuff is linked to it.

        In Fedora 40 with relatively few packages, the following ones depend on it:

        Code:
        deltarpm-3.6.3-11.fc39.x86_64
        elfutils-libs-0.191-2.fc39.x86_64
        gdb-headless-14.1-4.fc39.x86_64
        GraphicsMagick-1.3.40-3.fc39.x86_64
        grub2-tools-1:2.06-118.fc39.x86_64
        grub2-tools-extra-1:2.06-118.fc39.x86_64
        grub2-tools-minimal-1:2.06-118.fc39.x86_64
        imlib2-1.11.1-3.fc39.x86_64
        kmod-30-6.fc39.x86_64
        kmod-libs-30-6.fc39.x86_64
        libarchive-3.7.1-1.fc39.x86_64
        libsolv-0.7.28-1.fc39.x86_64
        libxml2-2.10.4-3.fc39.x86_64
        libxmlb-0.3.15-1.fc39.x86_64
        libzip-1.10.1-1.fc39.x86_64
        minizip-ng-3.0.7-5.fc39.x86_64
        perf-6.7.10-200.fc39.x86_64
        python3-libs-3.12.2-2.fc39.x86_64
        rpm-libs-4.19.1.1-1.fc39.x86_64
        squashfs-tools-4.6.1-2.fc39.x86_64
        systemd-254.10-1.fc39.x86_64
        systemd-libs-254.10-1.fc39.x86_64
        systemd-udev-254.10-1.fc39.x86_64
        zstd-1.5.5-4.fc39.x86_64
        Even systemd, grub and rpm are linked to it! Oh, boy. That's fucked up.
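
A package dependency list like the one above shows what can load liblzma; which running processes actually have it mapped is visible in /proc/<pid>/maps. The following is an added example, not part of the original post: a shell function that reports those processes and whether the mapped file is still on disk or marked "(deleted)", which is how a copy replaced by an update appears until the process restarts. The function name and the output format are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): find processes that have a given
# shared library mapped by reading <proc_root>/<pid>/maps.
# Usage: procs_mapping_lib [PROC_ROOT] [LIBNAME]
# Prints one line per match: "<pid> <comm> <on-disk|deleted>".
# "deleted" means the mapped file was unlinked or replaced after the
# process started, so the process still runs the old copy.
procs_mapping_lib() {
    proc_root=${1:-/proc}
    lib=${2:-liblzma.so}
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip processes that vanished or that we may not inspect.
        [ -r "$maps" ] || continue
        dir=${maps%/maps}
        # maps line format: address perms offset dev inode pathname
        hit=$(grep "/${lib}" "$maps" 2>/dev/null) || continue
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        case $hit in
            *"(deleted)"*) state=deleted ;;
            *)             state=on-disk ;;
        esac
        printf '%s %s %s\n' "${dir##*/}" "$comm" "$state"
    done
}

# Scan the live system only when asked to: sh thisfile.sh --scan
if [ "${1:-}" = "--scan" ]; then
    procs_mapping_lib /proc liblzma.so
fi
```

Run it as root to see every process; unprivileged, it only reports processes whose maps file the caller is allowed to read.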



        • #24
          Originally posted by avis View Post

          This is 100% unrelated and VB was a single toggle to switch/disable and not deal with possibly malicious macros, if you ever were concerned about this attack vector.

          That roliverio guy heavily implied and joked about MS/Apple/Google actually distributing malware (an interpreter is not malware cause otherwise a compiler in your distro is ALSO an attack vector and Python gets installed by default in pretty much all distros) and I'm sad these companies won't sue him for libel.
          Right, so unnecessarily creating a new attack surface for malware (despite prior warning) is fine, but unknowingly distributing malware is not. Duly noted.



          • #25
            Originally posted by avis View Post
            I still have no clue.
            Stating the obvious...



            • #26
              Originally posted by bug77 View Post

              Right, so unnecessarily creating a new attack surface for malware (despite prior warning) is fine, but unknowingly distributing malware is not. Duly noted.
              Your Linux system includes roughly the same attack vectors:
              • Bash (installed by default)
              • Python (installed by default)
              • Perl (often installed by default)
              • GCC/Clang
              • Ruby
              • PHP
              • Lua
              There are many more. And many Linux users happily git clone whatever they find on the internet and run it.

              Microsoft has never distributed malware, period. Stop making shit up.

              Originally posted by bug77 View Post

              Stating the obvious...
              If you're so smart, could you enlighten us, or are you only capable of insulting others?



              • #27
                Originally posted by Volta View Post

                Linux code is way more inspected than everything that comes from Microsoft or Apple.


                Then why is desktop Linux so buggy when it has better inspection than macOS and Windows????

                Linux desktop is legendary for its bugs.

                Answer yourself why so many developers switched from Linux to macOS???? Because they're tired of fighting stupid bugs, unsuccessful updates. They want to work.



                • #28
                  The update hasn't yet been pushed to Fedora 40 beta users: https://bodhi.fedoraproject.org/upda...z&releases=F40

                  What the actual hell?

                  Should the affected systems be nuked and reinstalled from scratch? I still don't understand.

                  Originally posted by HEL88 View Post

                  Then why is desktop Linux so buggy when it has better inspection than macOS and Windows????

                  Linux desktop is legendary for its bugs.

                  Answer yourself why so many developers switched from Linux to macOS???? Because they're tired of fighting stupid bugs, unsuccessful updates. They want to work.
                  Most of my friends have long switched to MacOS or Windows after dealing with Linux bugs for years. I'm the lone survivor.

                  Some people love to use their PC, not the other way around.



                  • #29
                    This seems to have been a very thought out and involved attack, obfuscated at every turn. Imagine the design effort they had to put in, compared to Microsoft and Apple who just put out code that no-one knows and when the exploit is found, they "fix" it by code that no-one knows, probably just moving it around a bit. This, avis, is why they "never got caught". Because you believed them and their constant "innocently" backdoored releases.



                    • #30
                      I switched to using zstd + tar from xz + tar for making compressed archives. Works better and faster even if compression is slightly lower.
