Backdoor found in widely used Linux utility

Ice Tea · 30 Mar 2024 at 09:32

Backdoor found in widely used Linux utility breaks encrypted SSH connections

Malicious code planted in xz Utils has been circulating for more than a month.

arstechnica.com

Malicious backdoor spotted in Linux compression library xz

Red Hat in all caps says STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES

www.theregister.com

Mercurial · 31 Mar 2024 at 11:10

A lot to be said about using a LTS build. Checked my installs this morning and most are still on 5.4.1 (affected version is 5.6).

LTS, stable and testing. This got caught in testing, so at least shows the system works.

Throrik · 31 Mar 2024 at 12:55

Mercurial said:
LTS, stable and testing. This got caught in testing, so at least shows the system works.

As a Debian Stable user I am thankful for this, not that it would have really affected me on my workstation, the older I get the less interested in cutting edge nonsense I get.

Ice Tea · 2 Apr 2024 at 09:42

Malicious xz backdoor reveals fragility of open source

This time, we got lucky. It mostly affected bleeding-edge distros. But that's not a defense strategy

www.theregister.com

More info, i've not had time to read through it yet.

Throrik · 2 Apr 2024 at 12:07

Ice Tea said:
Malicious xz backdoor reveals fragility of open source

This time, we got lucky. It mostly affected bleeding-edge distros. But that's not a defense strategy

www.theregister.com

More info, i've not had time to read through it yet.

I don't disagree with the article from a skim, but I think people seem to be underestimating how skilled an attack vector was, someone who had built up trust and contributed for multiple years, very skilled injection via various obfuscations, if anything to me it shows the non-fragility of open source because people can review the details whereas closed source they can't.

Ice Tea · 17 Apr 2024 at 12:04

Open source groups fear xz repeat as suspicious messages fly

Social engineering patterns spotted across range of popular projects

www.theregister.com

Sigh!

Cromulent · 17 Apr 2024 at 14:05

Ice Tea said:
Open source groups fear xz repeat as suspicious messages fly

Social engineering patterns spotted across range of popular projects

www.theregister.com

Sigh!

I mean you'd hope they wouldn't fall for those attempts. It sounds dodgy right from the start. But what is more worrying is this is what we do know. What is there that we don't know?

Throrik · 18 Apr 2024 at 03:20

Cromulent said:
I mean you'd hope they wouldn't fall for those attempts. It sounds dodgy right from the start. But what is more worrying is this is what we do know. What is there that we don't know?

The difficulty is with how complex and well thought out the xz attack was, it's very difficult to detect if they're done that well, after all it was a slow build up of trust over multiple years, with well reviewed changes, which bit-by-bit didn't seem suspicious, plus then the attack on a package which had a single main maintainer who then had a documented mental health history it was a storm in a teacup in a way.

Cromulent · 18 Apr 2024 at 10:44

Throrik said:
The difficulty is with how complex and well thought out the xz attack was, it's very difficult to detect if they're done that well, after all it was a slow build up of trust over multiple years, with well reviewed changes, which bit-by-bit didn't seem suspicious, plus then the attack on a package which had a single main maintainer who then had a documented mental health history it was a storm in a teacup in a way.

Ah, I didn't realise. Just a lesson to stay vigilant I guess in that case.

Throrik · 18 Apr 2024 at 12:03

Cromulent said:
Ah, I didn't realise. Just a lesson to stay vigilant I guess in that case.

There'll definitely be an increase of people looking out for these now, which is good.

Ice Tea · 30 May 2024 at 10:14

XZ 5.6.2 Released With The Frightening Backdoor Removed - Phoronix

www.phoronix.com

also dropping the GNU Indirect Function (IFUNC) support. The IFUNC support was used by the XZ backdoor but the removal of this code is coming because the performance benefits of using it were too small while adding much complexity.

Ice Tea · 22 Jul 2024 at 12:17

XZ Patches For The Linux Kernel Updated, Drops "Jia Tan" As A Maintainer - Phoronix

www.phoronix.com

I wonder why it took so long to remove him?

Ice Tea · 26 Mar 2025 at 12:53

XZ 5.8 Debuts As First Major Feature Release Since The Backdoor Disaster - Phoronix

www.phoronix.com

Some of the phoronix comments seem to have lost trust.