P86747 xz backdoored, ssh compromised link reply
https://www.openwall.com/lists/oss-security/2024/03/29/4

xz upstream maintainer knowingly introduced a pretty sophisticated backdoor (with preparation steps that took almost a year to hide as long as possible)

Xz versions v5.6.0 and v5.6.1 are vulnerable. The backdoor is programmed in such a way that it only changes the ssh behaviour (assuming some prerequisites are met, for example not run from a terminal)

proceed appropriately
P86748 Oh no no no no link reply
Do we know it was the maintainer or just someone committing code? I didn't have time to read through all this. GNU/Systemd is getting hit.

https://www.linuxquestions.org/questions/slackware-14/backdoor-in-upstream-xz-liblzma-4175735461/#post6492764
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

https://access.redhat.com/security/cve/CVE-2024-3094

https://news.ycombinator.com/item?id=39865810

>Those tarballs are PGP signed, too..

[bold:Solaris] and OpenVMS are safe! The script kiddies are going to love this one. A lot of stuff uses xz/lzma.

[bold:Someone set us up the bomb!]

P86768 link reply
The furries are fighting over Xz utils.

>Nice ad hominem, maybe you could learn a thing or two about security if you didn't disregard people's opinions based on if they are a furry or not.

https://github.com/tukaani-project/xz/commit/6e636819e8f070330d835fce46289a3ff72a7b89
P86770 link reply
It only targets Linux/systemd? OpenBaSeD wins again.
P86771 link reply
detect.sh
P86770
Sshd that uses liblzma, which is only the case on Systemd/Linux. Here on Slackware we don't have systemd so it's not an issue, but there's an update in the pipe for tomorrow (actually it's out right now but might not be on all the mirrors).

You can check liblzma for the function.

Really makes you think - how many of these are out there right now that no one knows about? I guess that's why they say "defense in depth". If a foreign actor, say from China, did something like this, there would be no recourse against him. My guess is that something this sneaky and deep is possibly a state actor.
P86773 link reply
so debian is affected?
P86775 link reply
Moldy-oldy Debian isn't, but new Debian looks like it is.

https://lists.debian.org/debian-security-announce/2024/msg00057.html
P86784 link reply
P86773
Yes. The exploit hinges on a lot of particular shit. It's possible only Debian unstable is affected. The exploit allegedly doesn't work on Arch, but they recommend updating just in case.

The profile of that xz maintainer is hella sus. Near zero online presence, active at times consistent with living in China, original xz maintainer having weird mental health issues just in time for him to take the project over... Oh, and he tried to "contribute" to Linux as well.

Not trusting xz again until it changes leadership or gets audited, that's for sure.
P86795 link reply
>$~ xz -V
>xz (XZ Utils) 5.2.5
>liblzma 5.2.5

Get fucked, archfags.
P86810 link reply
P86795
$ zoo -version
zoo 2.1 $Date: 91/07/09 02:10:34 $

> zoo -version
zoo 2.11-rc1

P86842 mini DAY OF THE SEAL link reply
P86747
>a compression algo nobody asked for, in pile of C, bash and [[[[[[[[[[m4]]]]]]]]]] [[[unreadable build system]]] chicken scratch that no normal person would ever bother to look into is backdoored
woah i totally didnt see this coming and totally dont warn about this on a daily basis
>700 commits to some autistic pet project (no really, why does a compression algo need more than one commit per year)
wow its almost as if this is what i warn about every day while un*x faggots say its fine and im just dumb. you stupid little aspie fucks find comfy corner where you can spend 3000 hours "improving" and adding features to some gay little library that everything depends on which has a build script that has more code than how much code is actually required to implement the requirements of the project. you people also don't understand that extending languages constantly means no auditor can ever do a good job. you people also don't understand that adding more versions makes the code more complex
>only affects ssh+systemd
you niggers deserve it
>only affects muh "bleeding edge" "release stream" (aka where chicken scratch is delivered on a daily basis directly from autists in their basements)
you double deserve it
>proceed appropriately
i dont come here to get security notifications let alone any sort of news at all, you dumb fucking sperg loser
anyway, now watch some aspie point out how this is not a BTFO because it was just barely caught or theyre one of the 2 users who doesnt use systemd (slackware doesnt count since thats just LARP, and, as insecure as something a LARPer would make. it doesnt even need this backdoor)
also watch the techwiggers react to this by rolling out some new dipshit "solution" that really solves 0.1% of the problem but with 3000x effort, just like they did for other problems they recently discovered, with linters, deterministic builds, 2fa, containers
P86872 link reply
P86795
Newer software versions lose again LOL.
Arch is such a joke.
P86876 link reply
P86872
Arch wasn't affected by this.
P86883 link reply
Ahh...I was wondering what Trixie thought of b\.\.mer un*x w^iggers in regard to xz. He's got one point though, in that this sort of thing is totally possible with free software.

I've seen some people criticizing Github, and you shouldn't use it for releases, but before that it was Sourceforge, Freshmeat, or someone's ftp server, or someone's website. With free software, more or less anyone can add/tamper with it and there is no way to 100% audit all that.

If we go the proprietary route, then you are a slave to Apple and can do only what they want you to do in their walled garden. They also censor out things for political reasons. Things like OpenVMS are laughably expensive ($12,000+ for a usable system with multiple, legal licenses) and we know Windows, despite being closed-source, has historically had many, many security issues.

Myself, I'd rather deal with the problems of free software; the issue didn't affect me and, even still, there was a fix later in the day to make sure. That's fast. I had the info of what was going on and could take a course of action within hours.
Now with that said, who do you think was most likely the responsible actor? My guesses:

1) Determined, intentional backdoor from the beginning. NSA and other 3-letters play the long game, embedding holes like this that can be used later in cyber warfare. Russia does this as well. Maybe N. Korea.

2) A legit developer that gets a call saying "doing it for the Father Land" (or else). This would be in line with China or their allies.

3) Just some blackhat. This is the least likely one, as the backdoor was pretty specific and was introduced over a very long period of time. Some random hacker usually doesn't spend this much time and effort.

If 1 or 2 is the case, the person likely won't be found and nothing will happen to him.
P86889 33of8 link reply
P86883
Forgot signature
P86898 link reply
https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b

>The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

>It's RCE, not auth bypass, and gated/unreplayable.

I'm leaning more towards the NSA now. This was probably at the order of Emperor Fuckstick, to make sure you're not misbehaving (going against communism). Can't have people storing Bibles on their computers or making funny pictures.
P86901 link reply
P86960 link reply
lzma.xz
P86974 link reply
>check if feature is present by checking whether a C program compiles
>insert syntax error to make it not compile

Nothing personel, lincucks.
P86986 QRD link reply
P86748
P86974
So how bad or big is this?

can you explain it to me like I'm dumb, or in layman's terms

P86842
>only affects muh "bleeding edge" "release stream" (aka where chicken scratch is delivered on a daily basis directly from autists in their basements)

So its the debian unstable or rolling releases and all arch?
P86989 link reply
get-off-my-lawn.jpg
P86986
It's probably these niggers:
https://en.wikipedia.org/wiki/Tailored_Access_Operations

because it seems to target only Debian unstable (or whatever names they give their newer stuff), and a few mainstream others. I'm going to add them to my shitlist, right after Google, Cuckflare, Spamhaus and that other one I since forgot.
P87009 link reply
P86883
software is just software, proprietary is a buzzword for CEO faggots who think compilation makes it unpiratable
>With free software, more or less anyone can add/tamper with it and there is no way to 100% audit all that.
yes, because the """community""" is a bunch of fags with literal autism that therefore need to expand each library as much as possible AAAAH IM DEVELOPING. making everything in C and thus having 100x more code than there would otherwise be doesnt help either
P87053 I don't want to say "it's the NSA" but ... link reply
P87076 link reply
P86784
>It's possible only Debian unstable is affected.
OH NO NO NO
>debian stable is unsecure cuz dis n dat patches not there
>switch to unstable
>gets exploit RCE anyway
>stable not affected
P87083 link reply
P87076
>>debian stable is unsecure cuz dis n dat patches not there
Yes. Only a small portion of security vulnerabilities (only some vulns that get CVEs) are patched in Debian stable.
>>switch to unstable
It's a shitty distribution for security anyway. The real answer is to switch to a distribution that doesn't have this problem in the first place, like Arch.
>>gets exploit RCE anyway
>>stable not affected
>one (1) exploit doesn't affect my distro that keeps hundreds of vulnerabilities that other distros don't have! checkmate, infosec nerds!
P87116 link reply
P87053
that link gave me ptsd at first cuz it looks like youtube or some other site full of popups, js, captchas, ip blocks
P87076
as a fang dev i use debian unstable as my daily driver because we have heightened security requirements. i have had zero issues with it.
P87531 link reply
It doesn't make sense to conclude X distro wins Y distro loses from this. It looks like Debian unstable was targeted specifically. I would assume this could've happened to your favorite whatever other distro if they were the target.
P87653 link reply
P87531
So debian stable is safe?
P87700 We made it! link reply
We just got a mention on Coast to Coast Am for Xz! They are talking about Linux, free software, and Unix history.
P87723 link reply
P87700
sauce?
P87843 link reply
P87531
>It doesn't make sense to conclude X distro wins Y distro loses from this.
The xz backdoor was ultimately targeting sshd and linked to it via libsystemd. So all systemdless distros (Alpine/ Devuan/ Gentoo etc.) were never in danger.

>It looks like Debian unstable was targeted specifically.
Fedora was worst hit with the backdoor making it all the way to real world F41 and Rawhide systems. Fedora is also a distro that Linus and other high level kernel devs are known to use. Imply your own implications.

P87053
>I don't want to say "it's the NSA" but ...
The attacker was using streetshitter names. The commits were under Jia Tan and he samefagged as Jigar Kumar on mailing lists to pressure devs to merge his backdoors. It could still have been the NSA but curryniggers are exactly the kind of tards who would do something like this and then refuse to cover their tracks because india superpower 2020. Honestly nobody has more unjustified national pride.
https://boehs.org/node/everything-i-know-about-the-xz-backdoor

>https://gynvael.coldwind.pl/?id=782
That's still an interesting read though thanks.
P87869 link reply
imagine what they don't got
P87892 I don't want to say "it's the NSA" but... link reply
its-the-nsa.jpg
P87723
I heard it last night on the show, towards the beginning. When I checked their website it wasn't listed so I guess you had to have been listening.

P87843
There's only a few countries that do this:
1. USA via the NSA or whatever group is responsible for this now.
2. Israel - you might as well say "USA" again, because they work together. Think Stuxnet.
3. East Asians - mainly China and N. Korea.
4. Russia - Fancy Bear, etc. Nothing happens in Russia without OK from Putin.

"Jia Tan" was likely the account for the NSA group. If you are #3 above, you wouldn't use an Asian-sounding name. India is famous for rapes and sketchy tech support. Not hacking of this level. It's the NSA.

What's certain is this: nothing will happen to "him" (them).

It does go to prove my point of using "off-the-path" computing systems is more secure. But that's a topic for another thread.

P87953 link reply
>curryniggers are exactly the kind of tards who would do something like this and then refuse to cover their tracks because india superpower 2020. Honestly nobody has more unjustified national pride.
could denpa comment on this?
P87978 link reply
P87953
Proud moment saar. Love from India.
Status: REDEEMED.
P88513 link reply
P87892
>India is famous for rapes and sketchy tech support. Not hacking of this level.
>hacking of this level

He infiltrated a semi-abandoned open source project and gradually added low quality code which could eventually get exploited. Curry niggers do that everyday by accident.

>There's only a few countries that do this:
Obviously India has hackers
https://www.darkreading.com/threat-intelligence/india-s-cybercrime-and-apt-operations-on-the-rise

>It does go to prove my point of using "off-the-path" computing systems is more secure.
Well of course the most secure computer system is one that doesn't do anything.

P87978
I'm sorry you're a subhuman shitskit. It's not your fault. It's not my fault either though.
P88522 link reply
Also, Tor links liblzma.

ldd /usr/bin/tor
linux-vdso.so.1 (0x00007ffff7fc4000)
libz.so.1 => /lib64/libz.so.1 (0x00007ffff7be6000)
libm.so.6 => /lib64/libm.so.6 (0x00007ffff7afd000)
libevent-2.1.so.7 => /usr/lib64/libevent-2.1.so.7 (0x00007ffff7aa9000)
libssl.so.3 => /lib64/libssl.so.3 (0x00007ffff79b3000)
libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007ffff7400000)
liblzma.so.5 => /lib64/liblzma.so.5 (0x00007ffff7983000)
libzstd.so.1 => /lib64/libzstd.so.1 (0x00007ffff72ea000)
libseccomp.so.2 => /usr/lib64/libseccomp.so.2 (0x00007ffff7963000)
libcap.so.2 => /lib64/libcap.so.2 (0x00007ffff7f70000)
libc.so.6 => /lib64/libc.so.6 (0x00007ffff7000000)
/lib64/ld-linux-x86-64.so.2 (0x00007ffff7fc6000)

Might be a good time to rebuild that just because.
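An added check, not from any poster in this thread, that automates what the posts above do by hand: it parses `ldd` output for a loaded liblzma and reads the liblzma version out of `xz -V`, flagging the 5.6.0/5.6.1 releases named earlier. The sample inputs are constructed from the listing above and from the `xz -V` output quoted in this thread.

```python
import re

# Constructed sample: the ldd listing posted above, trimmed to what the check needs
LDD_OUTPUT = """\
linux-vdso.so.1 (0x00007ffff7fc4000)
libz.so.1 => /lib64/libz.so.1 (0x00007ffff7be6000)
libssl.so.3 => /lib64/libssl.so.3 (0x00007ffff79b3000)
liblzma.so.5 => /lib64/liblzma.so.5 (0x00007ffff7983000)
libc.so.6 => /lib64/libc.so.6 (0x00007ffff7000000)
/lib64/ld-linux-x86-64.so.2 (0x00007ffff7fc6000)
"""

# Constructed sample: `xz -V` on a box that installed one of the affected releases
XZ_VERSION_OUTPUT = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"

# Releases named in this thread as carrying the backdoor
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}


def linked_libraries(ldd_text):
    """Map soname -> resolved path for every `name => path` line in ldd output."""
    libs = {}
    for line in ldd_text.splitlines():
        m = re.match(r"\s*(\S+)\s+=>\s+(\S+)", line)
        if m:
            libs[m.group(1)] = m.group(2)
    return libs


def liblzma_version(xz_v_text):
    """Pull the liblzma version out of `xz -V` output (None if the line is absent)."""
    m = re.search(r"^liblzma\s+(\d+\.\d+\.\d+)", xz_v_text, re.M)
    return m.group(1) if m else None


def assess(ldd_text, xz_v_text):
    """Combine both answers: does the binary load liblzma, and is that an affected release?
    Caveat: `xz -V` reports the liblzma the xz binary loads; a binary resolved to a
    different path (see liblzma_path) would need that file checked directly."""
    libs = linked_libraries(ldd_text)
    lzma = next((p for n, p in libs.items() if n.startswith("liblzma.so")), None)
    version = liblzma_version(xz_v_text)
    return {
        "links_liblzma": lzma is not None,
        "liblzma_path": lzma,
        "liblzma_version": version,
        "at_risk": lzma is not None and version in BACKDOORED_VERSIONS,
    }


if __name__ == "__main__":
    print(assess(LDD_OUTPUT, XZ_VERSION_OUTPUT))
```

On a live system the two inputs come from `ldd /usr/sbin/sshd` (or `/usr/bin/tor`) and `xz -V`; ldd also lists transitive dependencies, so liblzma pulled in via libsystemd shows up too.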
P88583 link reply
P88522
>rebuild that
What do you not understand about dynamic linking?
P88609 link reply
P88583
I got distracted. I was thinking about updating Tor, and that message about libraries on the current system not matching the headers it was built with, and it came out wrong.
P88623 link reply
P88622
wtf is this that keeps getting spammed?
P88630 link reply
P88623
I've been seeing it all over. Some gold/silver jewelry site?
P88633 sage link reply
P88630
>gold/silver jewelry
goldberg
silverstein
[bold: jew]elry
P88705 link reply
>but shoving objects in your asshole while hairy is fun
P88767 link reply
So to avoid this in the future:
1. Compile from the actual source tarball generated from the commit, not from a different one uploaded by the developer.
2. Diversity of systems. Having different implementations works fine if right to standards and compile from source, but prevents stuff like this from working (he was loading pre-compiled stuff that depended on glibc, in addition to the requirement for openssh to be patched to link to systemd).

It really is that easy.
(Using Qubes might have fixed this even if he had targeted your favorite distribution.)

P86842
You can say that when you publish a working alternative.
P90396 link reply
P88767
Debian stable was not touched by this.
Debian wins again over muh w*gger bleeding edge w systemd arch
P90745 link reply
P90396
Arch was also not affected, since Arch does not patch OpenSSH to depend on systemd.
P90754 link reply
Imagine patching something as important as OpenSSH with something as bloated and unneeded as systemdicks. That's like shitting in your protein shake.
P90764 https://pentoo.org/ link reply
P90754
thats why i use pentoo tbh
P90878 link reply
P88767
>So to avoid this in the future:
>1. Compile from the actual source tarball generated from the commit, not from a different one uploaded by the developer.

The backdoor only targeted .deb and .rpm packages. So then should I also not use deb/rpm? Face it, at some point you're going to have to trust the developer. Avoiding official releases doesn't solve anything.
P90926 link reply
P90878
just write your own software smh
P91140 link reply
P90878
I know...having the source not matching was how this one hid itself, though.
The point of using the git code that matches the tag is that the git code is (hopefully) more thoroughly examined by others. Various distributions were just assuming the two matched when they did not.
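An added example (not any poster's code) of the check P88767 and P91140 are describing: compare the files in an uploaded release tarball against the archive produced from the matching git tag, and list anything present only in the release, only in the tag, or changed between them. The project name, file names and contents below are constructed; the point is that a modified m4 file shows up as `modified` while a generated `configure` shows up as `only_in_release`, where a reviewer can decide whether it is expected.

```python
import hashlib
import io
import tarfile


def build_tar(files):
    """Build an in-memory tar.gz from {path: bytes}; stands in for an archive on disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tar_digests(tar_bytes):
    """Map each regular file (top-level prefix dir stripped) to its sha256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # both release tarballs and `git archive --prefix=` wrap files in one dir
            name = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digests[name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare_release_to_tag(release_tar, tag_tar):
    """Files only in the release, only in the tag, or with differing contents."""
    rel, tag = tar_digests(release_tar), tar_digests(tag_tar)
    return {
        "only_in_release": sorted(set(rel) - set(tag)),
        "only_in_tag": sorted(set(tag) - set(rel)),
        "modified": sorted(p for p in rel.keys() & tag.keys() if rel[p] != tag[p]),
    }


# Constructed sample: contents of `git archive` for a hypothetical tag ...
TAG_FILES = {
    "proj-1.0/configure.ac": b"AC_INIT([proj], [1.0])\n",
    "proj-1.0/m4/build-helper.m4": b"dnl helper macro\n",
    "proj-1.0/src/lib.c": b"int f(void) { return 1; }\n",
}
# ... and the uploaded release tarball: one m4 file altered, one generated file added
RELEASE_FILES = dict(TAG_FILES)
RELEASE_FILES["proj-1.0/m4/build-helper.m4"] = b"dnl helper macro\nm4_include([extra.m4])\n"
RELEASE_FILES["proj-1.0/configure"] = b"#!/bin/sh\n# generated by autoconf\n"

if __name__ == "__main__":
    print(compare_release_to_tag(build_tar(RELEASE_FILES), build_tar(TAG_FILES)))
```

For a real project, feed it the downloaded tarball bytes and the output of `git archive --prefix=<name>/ <tag>`; generated files like `configure` are expected in `only_in_release`, changes under `modified` to tracked sources are not.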
P91251 link reply
P91140
Source of pic please?
P91278 link reply
P91251
I don't remember.
P91370 link reply
Yeah right faggot send me the deets I imported your key love...
P91870 link reply
P91370
You have clearly mistaken me for someone else.
P91879 link reply
P88583
>rebuild that
The Gentoo package has a lzma USE flag so it is possible to rebuild Tor without lzma.
https://packages.gentoo.org/packages/net-vpn/tor

P90754
>Imagine patching something as important as OpenSSH with something as bloated and unneeded as systemdicks
Don't break your jaw sucking his dick, Arch was the first distro to use systemd in the first place.
P91890 link reply
P91879
wut bout the ligma USE flag or will it give you BOUTS of low energy?
x