XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

• #51
Originally posted by avis:
    The update hasn't yet been pushed to Fedora 40 beta users: https://bodhi.fedoraproject.org/upda...z&releases=F40
Well, it has been, but because the mirrors have various schedules for updating their copies you may not see it yet (just as it says at the top of that page, updates may take time to propagate to mirrors).

If the mirror(s) you have access to are not cooperating (and you can't find one that is), you can always pull the packages directly from koji.


• #52
Originally posted by avis:
    Vulnerabilities and backdoors are two completely different things. Microsoft, like any other large software company, has fixed a ton of vulnerabilities in its products, but I don't remember a single case where they've been caught having backdoors.

    At the same time IoT vendors like TP-Link, ASUS and D-Link have been caught doing this multiple times (in their Linux routers), only those weren't "backdoors" but "test accounts for debugging". Go figure whether they were lying or not.
I've used Windows since '89 and I too don't remember hearing about any *known* or intentional backdoors. There have always been rumors about BitLocker, but it's yet to be proven. It doesn't mean there might not be one. No one has access to the code to qualify it. And yes, tons of vendors have been publicly busted for back doors. I hope you are >not< saying that a chain of vulnerabilities in aggregate cannot be manifested as a back door. A back door doesn't have to be an app running silently in the background or what this yoyo did to XZ. I'm not claiming to be a coder here, but the basic idea of a backdoor has expanded since the old days.


• #53
Looks like whoever rolls the release tarballs got their machine owned.

PS. This was found relatively fast imo. I am a bit confused how this could have a lot of impact though, since you'd expect builds to occur in complete isolation. I don't see how an unprivileged xz binary or library invocation could affect the ssh or related files once installed. Who is invoking xz as root? Is the issue in the second stage when a build environment invokes xz to compress the built package?
Last edited by justinkb; 29 March 2024, 03:14 PM.


• #54
Originally posted by justinkb:
    Looks like whoever rolls the release tarballs got their machine owned
Or did it himself. I'm glad something like this came out, because distros will take security even more seriously. There's still no mention of this on their site:

What's more important, it shows how insecure M$ GitHub is. You can modify a tarball without touching the git repository. We have a KYClient, so it's time for KYCommitter... It should apply to proprietary as well.
Last edited by Volta; 29 March 2024, 03:27 PM.

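Volta's point that a release tarball can differ from the git repository is something a packager can check mechanically: list the tarball's members and compare them against a checkout of the tagged source. The shell snippet below is an added example, not code from this thread or from the xz project. It assumes the reference checkout is already on disk, and it only reports files present in the tarball but missing from the checkout, since a tarball-only addition is the direction that matters here. The `tarball` and `refdir` arguments are caller-supplied; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the project): list files shipped in a
# release tarball that are absent from a checkout of the tagged source.
# Nothing here is xz-specific; pass any tarball and any reference tree.

# Print the tarball's regular-file member paths with the leading
# "<name>-<version>/" component removed, sorted. tar autodetects compression.
tarball_file_list() {
    tar -tf "$1" | grep -v '/$' | sed 's|^[^/]*/||' | sort
}

# Print relative paths of regular files under a reference directory, sorted.
reference_file_list() {
    (cd "$1" && find . -type f | sed 's|^\./||' | sort)
}

# Print files that exist in the tarball but not in the reference tree.
# Exit status 0 means nothing extra was found, 1 means at least one extra file.
tarball_extra_files() {
    tarball=$1
    refdir=$2
    tmp_t=$(mktemp)
    tmp_r=$(mktemp)
    tarball_file_list "$tarball" > "$tmp_t"
    reference_file_list "$refdir" > "$tmp_r"
    # comm -23 keeps lines unique to the first (tarball) list.
    extra=$(comm -23 "$tmp_t" "$tmp_r")
    rm -f "$tmp_t" "$tmp_r"
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Usage (placeholder paths):
#   git clone <repo> /tmp/ref && git -C /tmp/ref checkout <tag>
#   tarball_extra_files /tmp/project-X.Y.tar.gz /tmp/ref
```

Files that a release process legitimately generates (an Autotools `configure` script, `Makefile.in`) will show up in the output as well; the point of the check is that every listed file needs an explanation, and the diff of its content against what the build tooling would regenerate is the next thing to look at.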

• #55
OK, why does the Linux world use XZ Utils instead of the LZMA SDK/7-Zip made by Igor Pavlov, who is the literal author of LZMA/LZMA2 and was known to respond fast to any security problems and fix them seriously?

Side note: I did a mini-investigation on openSUSE Tumbleweed with the vulnerable lzma package. The good thing is that by default openSUSE doesn't install/use/run sshd. So if you don't use sshd on Tumbleweed you are mostly fine.


• #56
Originally posted by justinkb:
    I am a bit confused how this could have a lot of impact tho, since you'd expect builds to occur in complete isolation. I don't see how an unprivileged xz binary or library invocation could affect the ssh or related files once installed. Who is invoking xz as root? Is the issue in the second stage when a build environment invokes xz to compress the built package?
The XZ library checks if it is running in an sshd invocation and changes behavior (other conditions apply; check the post linked earlier).

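justinkb's question in #53 and #56 (how a library with no privileges of its own could matter to sshd) and the Tumbleweed check in #55 both reduce to one thing an administrator can verify on a host: whether the sshd binary loads liblzma at all. The shell snippet below is an added example, not code from this thread or from the xz or OpenSSH projects. It takes ldd(1) output as text so it can be run over a listing captured from another machine, and the two sample listings are constructed. ldd shows transitive dependencies, so liblzma can appear even though OpenSSH itself never calls into it; on some distributions sshd is patched to link libsystemd, which in turn pulls in liblzma, and the second helper flags that route.

```shell
#!/bin/sh
# Added example (not from the thread or either project): decide from ldd(1)
# output whether an sshd binary pulls liblzma into its process.

# Returns 0 if any line of the given ldd output names liblzma, 1 otherwise.
liblzma_linked() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Returns 0 if the ldd output names libsystemd, 1 otherwise. On distributions
# that patch sshd for systemd notification this is the usual indirect route
# by which liblzma ends up loaded.
libsystemd_linked() {
    printf '%s\n' "$1" | grep -q 'libsystemd\.so'
}

# Summarise exposure as one token: "sshd-loads-liblzma" or "sshd-clean".
classify_sshd() {
    if liblzma_linked "$1"; then
        echo "sshd-loads-liblzma"
    else
        echo "sshd-clean"
    fi
}

# Constructed sample ldd output; library paths and load addresses are
# illustrative, not captured from a real host.
SAMPLE_LINKED='	linux-vdso.so.1 (0x00007ffd00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000001000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000002000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000003000)'

SAMPLE_PLAIN='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000001000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000003000)'

# Live use on the host under review:
#   classify_sshd "$(ldd "$(command -v sshd)")"
```

A result of "sshd-clean" answers the #55 observation for hosts that do run sshd: without liblzma in the process, a liblzma-resident payload has nothing to attach to there. "sshd-loads-liblzma" says only that the exposure path exists; whether the installed liblzma is one of the affected builds is a separate question for the distribution's advisory and package versions.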

• #57
Originally posted by avis:
    Vulnerabilities and backdoors are two completely different things. Microsoft, like any other large software company, has fixed a ton of vulnerabilities in its products, but I don't remember a single case where they've been caught having backdoors.
Here's an article documenting at least a few.

https://www.theregister.com/2013/07/11/snowden_leak_shows_microsoft_added_outlookencryption_backdoor_for_feds/

And it's one of the reasons the US was very upset about the Snowden leak pointing out that they were backdooring all sorts of software, with wide industry support.

I would not be surprised in the least if BitLocker was similarly backdoored for the NSA.

There were other companies claiming for years that there were unknown "vulnerabilities" in their software that were never fixed until the Snowden leak pointed them out; they were likely similarly working with the NSA, but with better plausible deniability.

A big part of the reason the US govt is concerned about TikTok/ByteDance being controlled by the CCP is that they do the same things themselves.
Last edited by calc; 29 March 2024, 03:47 PM.


• #58
If I update XZ to the correct version, is that enough to eliminate the backdoor? I'm not much of an expert.


• #59
Originally posted by avis:
    Whereas big corporations such as Microsoft, Google or Apple endorse every line of code that reaches you as a customer, no such thing exists in the Linux world. And it's not limited to Linux, as FreeBSD is equally affected. I'm not sure about OpenBSD/NetBSD as I've never used those.
Yes, we get zero vulnerabilities or oversights in proprietary software. Surely. There are no malicious apps on app stores, there are no backdoors in Windows, there are no unauthorized easter eggs in proprietary software. It's all absolutely perfect and flawless, and every release they assign a bunch of humans to read all 300GB of source code to make sure it's tiptop quality.


• #60
This project needs to be quarantined, all commits made by @JiaT75 and the other projects he contributed code with and to are to be considered backdoors, and this project needs to be taken over by a trusted party. If next month a new release is made by @JiaT75 and all distribution packagers just go along with it like nothing happened, nothing was learned from this supply chain attack.

There's a chance he will force-push, corrupting the history of this git repository. So even the repository itself shouldn't be trusted. Retrieve backups from really, really old build machines, from before he ever contributed, if possible.

Yes, be that paranoid. If you don't think that's necessary you don't grasp the severity of what has been exposed today.