XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

  • Originally posted by Sonadow View Post
    This is already not possible when building Python packages or Rust binaries. pip3 will pull dependencies from the internet to satisfy build requirements as will cargo for rust binaries.
    The "pulls in everything and the kitchen sink" is one of the reasons I dislike working with Python. I've been really enjoying tinkering with Julia recently, but that suffers the same issue (although the ecosystem isn't as large yet).

    Comment


    • Originally posted by Monsterovich View Post

      Is it commercial?
      It is as open source as (if in fact more than) xz. Total public domain, do whatever you want to it. LZMA SDK and 7zip are open source, and xz-utils is literally code taken from some old version of LZMA-SDK (I think it happened in 2009).

      Since then 2 big things happened:
      - 7zip has actual Linux support,
      - LZMA actually evolved.

      2 problems I could see:
      - 7zip as an entire program is probably not a good fit for the Linux world, as it is an archiver for all kinds of files (7z, rar, zip, tar.gz, .bz, .xz ... but can also unpack .iso .rpm .deb .exe etc.), so most people won't go for it
      - LZMA SDK is literally an SDK. It would probably require some contribution to turn it into an actual lib others can use.

      But on the positive side, that SDK can decompress and compress .xz files, totally independent of the xz util repo (really, look here: the files' author is Igor Pavlov, not a Chinese state agent). What essentially means it could be used (potentially with some small compatibility wrapper) instead of the entire xz utils abomination.

      Is it battle tested? Yes. In fact almost every anti-virus on windows will use LZMA SDK to scan archives.
      Last edited by piotrj3; 29 March 2024, 10:24 PM.

      Comment


      • Originally posted by avis View Post
        Microsoft has never distributed malware, period. Stop making shit up.
        Microsoft Edge is in fact malware, see: https://youtu.be/gb_Na320j6k

        As soon as the option startup-boost is active (and by default it is active), the Microsoft Edge browser goes nuts: it downloads stuff all the time, it writes data to the hard drive all the time even if this destroys the SSD, and it also uploads data all the time.

        To get to know more you can install W10Privacy, and then you see that Microsoft sucks up all your data, and it's official, which means Microsoft Windows is in fact malware.

        Only if you disable startup-boost and use tools like W10Privacy can you make Microsoft Windows stop spying on you.

        Phantom circuit Sequence Reducer Dyslexia

        Comment


        • Originally posted by sophisticles View Post
          The Win XP code was supposedly used to build a functional copy of XP.
          BTW, the argument you are using here is the same one I have used against Linux for years, you have no way of knowing if the code listed on a distros site is the same that was used to build the ISO you install from.
          Thank you for confirming the weakness of open source for me.
          People should keep in mind that sophisticles is from the Advanced Persistent Threat actors hacker group "Magnet Goblin".

          A financially motivated hacking group named Magnet Goblin uses various 1-day vulnerabilities to breach public-facing servers and deploy custom malware on Windows and Linux systems.


          This "Magnet Goblin" hacker group were the ones who hacked me. They used

          "CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, Apache ActiveMQ"

          to hack a web server, which was then used to place a link to a hacked web server on the phoronix.com forum to make victims like me click on the link.

          They then escaped via a Firefox version 119 CVE and used a glibc CVE to gain root access, then manipulated /boot/efi/image.jpg to perform a LogoFAIL attack to defeat Secure Boot and become resistant to formatting the hard disk and reinstalling the operating system.
          Phantom circuit Sequence Reducer Dyslexia

          Comment


          • People should keep in mind that sophisticles is from the Advanced Persistent Threat actors hacker group "Magnet Goblin".
            Oh no, I have been demoted!

            I used to be Israeli Intelligence but now I am a member of a hacker group.

            What a bummer.

            This "Magnet Goblin" hacker group were the ones who hacked me. They used

            "CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, Apache ActiveMQ"

            to hack a web server, which was then used to place a link to a hacked web server on the phoronix.com forum to make victims like me click on the link.

            They then escaped via a Firefox version 119 CVE and used a glibc CVE to gain root access, then manipulated /boot/efi/image.jpg to perform a LogoFAIL attack to defeat Secure Boot and become resistant to formatting the hard disk and reinstalling the operating system.
            How funny is this stuff?

            LOL.

            Comment


            • Originally posted by avis View Post
              I've been talking about this issue for years and how woeful Linux (in)security is as a result. I knew something like that would happen and it just happened.

              Almost all distros, aside from maybe RHEL, rush to push upstream packages without ever verifying that the source code has not been tampered with.

              What's worse, independent maintainers assigned for packaging are often not even developers themselves, so they have no means or qualifications to read the code and see if it's still trustworthy. And oftentimes maintainers are in charge of multiple packages, and at the same time it's not their primary job or something they get paid for, so there's little to no interest in making sure things are right.

              Whereas big corporations such as Microsoft, Google or Apple endorse every line of code that reaches you as a customer, no such thing exists in the Linux world. And it's not limited to Linux, as FreeBSD is equally affected. I'm not sure about OpenBSD/NetBSD as I've never used those.

              Can this issue be solved? I've no idea.

              There should be a concerted effort by Linux distros to verify packages and mark them as safe. I've never heard of anything in this regard with the only exception of RHEL which is not a desktop distro and besides they have severely limited their ties to the community.

              This is not an XZ issue. This is the issue of the entire Linux ecosystem. The issue of safety, security, trust and verifiability.
              From what I can gather, Debian requires the packages to be built by an online pipeline, which should stop this kind of problem... right?

              Comment
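One concrete form of the verification the posts above ask for, as an added example (not code from this thread or from any distribution's tooling): compare an unpacked release tarball against the tagged VCS checkout it claims to come from, since the xz 5.6.0 backdoor was carried in a build file present only in the tarball. The file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digest(root):
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(vcs_root, tarball_root):
    """Diff a VCS checkout against an unpacked release tarball."""
    # Tarball-only and differing files are what a reviewer must inspect;
    # files only in the checkout (e.g. .gitignore) are usually benign omissions.
    vcs, tar = tree_digest(vcs_root), tree_digest(tarball_root)
    return {
        "only_tarball": sorted(set(tar) - set(vcs)),
        "only_vcs": sorted(set(vcs) - set(tar)),
        "differing": sorted(p for p in set(vcs) & set(tar) if vcs[p] != tar[p]),
    }


def write(root, files):
    """Create the constructed sample files under root."""
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Constructed sample: the tarball gains an m4 helper and a changed configure.ac."""
    common = {"src/liblzma/lzma.c": "int lzma_main(void) { return 0; }\n"}
    with tempfile.TemporaryDirectory() as tmp:
        vcs, tar = Path(tmp, "checkout"), Path(tmp, "tarball")
        write(vcs, {**common, ".gitignore": "*.o\n",
                    "configure.ac": "AC_INIT([xz], [5.6.0])\n"})
        write(tar, {**common, "m4/build-helper.m4": "dnl constructed tarball-only file\n",
                    "configure.ac": "AC_INIT([xz], [5.6.0])\nm4_include([m4/build-helper.m4])\n"})
        return compare_trees(vcs, tar)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run against a real release by pointing `compare_trees` at a `git checkout <tag>` directory and the extracted tarball; anything under `only_tarball` or `differing` that cannot be regenerated from the checkout (autoconf output aside) deserves a close look.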


              • Originally posted by avis View Post
                Microsoft has never distributed malware, period. Stop making shit up.
                They shipped a CD back in the mid-90s with malware on it. I'm sure you'll find some excuse to say that doesn't count because you are stubborn and incapable of ever admitting you are wrong, but nobody cares. I'm sure there are other cases too. It's almost never safe to make absolutist statements that something has "never" happened, because there's always something hiding in the past.

                Anyway, supply chain attacks are nothing new, nor something only Linux is vulnerable to, but I would agree that it is more vulnerable than many other OSes. Largely simply due to the nature of widely sharing online code between various untrusted parties, and much faster releases with a large rate of change vs what you'd typically see from MS or Apple. Something like LTS distros is more similar to what you'd see from them, and is likely much less vulnerable than someone who's running a bleeding edge rolling release.
                Last edited by smitty3268; 30 March 2024, 12:39 AM.

                Comment


                • On Ubuntu there is a bug report asking to sync xz-utils 5.6 from Debian experimental
                  NOTE: THE VERSION MENTIONED HERE HAS BEEN BACKDOORED. I am keeping the text below unchanged due to its possible historical relevance. ====== Xz-utils 5.6.0 was released last Friday. It features much faster decompression code on all platforms, but on x86_64 in particular, it is 60% faster in my testing. It also aligns better with current practices of enabling multi-threading by default (always with a default memory limit of 25% of the system physical memory). Sebastian Andrzej Siewior has uplo...

                  Comment


                  • Originally posted by avis View Post

                    1. They signed someone else's code. They did not distribute anything themselves.
                    2. Ditto.
                    3. Not Apple's own software.
                    4. Ditto.
                    5. Not Microsoft's own software.
                    6. Ditto.

                    For examples of Linux "stores" willingly distributing actual malware look no further, only there will be a ton more than that:

                    1. https://popey.com/blog/2024/03/exodu...et-part-three/
                    2. https://checkmarx.com/blog/pypi-is-u...ion-suspended/

                    This is for the past two weeks alone.

                    There have been countless more instances of malware in Python, NPM, Ruby, etc. "stores". Don't start this please.
                    You didn't ask for Microsoft's software, you asked for software they were distributing.

                    Comment


                    • Fedora 40 just downgraded from 5.6.0 to 5.4.6
                      So it was probably also impacted.

                      Comment
