Backdoor found in widely used Linux utility

[Ice Tea]

Backdoor found in widely used Linux utility breaks encrypted SSH connections

Malicious code planted in xz Utils has been circulating for more than a month.

arstechnica.com

Malicious backdoor spotted in Linux compression library xz

Red Hat in all caps says STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES

www.theregister.com

 

[Mercurial]

A lot to be said about using a LTS build. Checked my installs this morning and most are still on 5.4.1 (affected version is 5.6).

LTS, stable and testing. This got caught in testing, so at least shows the system works.

 

[Throrik]

LTS, stable and testing. This got caught in testing, so at least shows the system works.

As a Debian Stable user I am thankful for this, not that it would have really affected me on my workstation, the older I get the less interested in cutting edge nonsense I get.

 

[Ice Tea]

Malicious xz backdoor reveals fragility of open source

This time, we got lucky. It mostly affected bleeding-edge distros. But that's not a defense strategy

www.theregister.com

More info, i've not had time to read through it yet.

 

[Throrik]

Malicious xz backdoor reveals fragility of open source

This time, we got lucky. It mostly affected bleeding-edge distros. But that's not a defense strategy

www.theregister.com

More info, i've not had time to read through it yet.

I don't disagree with the article from a skim, but I think people seem to be underestimating how skilled an attack vector was, someone who had built up trust and contributed for multiple years, very skilled injection via various obfuscations, if anything to me it shows the non-fragility of open source because people can review the details whereas closed source they can't.

 

[Ice Tea]

Open source groups fear xz repeat as suspicious messages fly

Social engineering patterns spotted across range of popular projects

www.theregister.com

Sigh!

 

[Cromulent]

Open source groups fear xz repeat as suspicious messages fly

Social engineering patterns spotted across range of popular projects

www.theregister.com

Sigh!

I mean you'd hope they wouldn't fall for those attempts. It sounds dodgy right from the start. But what is more worrying is this is what we do know. What is there that we don't know?

 

[Throrik]

I mean you'd hope they wouldn't fall for those attempts. It sounds dodgy right from the start. But what is more worrying is this is what we do know. What is there that we don't know?

The difficulty is with how complex and well thought out the xz attack was, it's very difficult to detect if they're done that well, after all it was a slow build up of trust over multiple years, with well reviewed changes, which bit-by-bit didn't seem suspicious, plus then the attack on a package which had a single main maintainer who then had a documented mental health history it was a storm in a teacup in a way.

 

[Cromulent]

The difficulty is with how complex and well thought out the xz attack was, it's very difficult to detect if they're done that well, after all it was a slow build up of trust over multiple years, with well reviewed changes, which bit-by-bit didn't seem suspicious, plus then the attack on a package which had a single main maintainer who then had a documented mental health history it was a storm in a teacup in a way.

Ah, I didn't realise. Just a lesson to stay vigilant I guess in that case.

 

[Throrik]

Ah, I didn't realise. Just a lesson to stay vigilant I guess in that case.

There'll definitely be an increase of people looking out for these now, which is good.

 

[Ice Tea]

XZ 5.6.2 Released With The Frightening Backdoor Removed - Phoronix

www.phoronix.com

also dropping the GNU Indirect Function (IFUNC) support. The IFUNC support was used by the XZ backdoor but the removal of this code is coming because the performance benefits of using it were too small while adding much complexity.

 

[Ice Tea]

XZ Patches For The Linux Kernel Updated, Drops "Jia Tan" As A Maintainer - Phoronix

www.phoronix.com

I wonder why it took so long to remove him?