Backdoor found in widely used Linux utility

Associate
Joined
19 Oct 2002
Posts
313
Location
The Faithful City
A lot to be said about using a LTS build. Checked my installs this morning and most are still on 5.4.1 (affected version is 5.6).

LTS, stable and testing. This got caught in testing, so at least shows the system works.
 
Soldato
Joined
15 Sep 2009
Posts
2,941
Location
Manchester

More info, i've not had time to read through it yet.

I don't disagree with the article from a skim, but I think people seem to be underestimating how skilled an attack vector was, someone who had built up trust and contributed for multiple years, very skilled injection via various obfuscations, if anything to me it shows the non-fragility of open source because people can review the details whereas closed source they can't.
 
Soldato
Joined
15 Sep 2009
Posts
2,941
Location
Manchester
I mean you'd hope they wouldn't fall for those attempts. It sounds dodgy right from the start. But what is more worrying is this is what we do know. What is there that we don't know?

The difficulty is with how complex and well thought out the xz attack was, it's very difficult to detect if they're done that well, after all it was a slow build up of trust over multiple years, with well reviewed changes, which bit-by-bit didn't seem suspicious, plus then the attack on a package which had a single main maintainer who then had a documented mental health history it was a storm in a teacup in a way.
 
Soldato
Joined
1 Nov 2007
Posts
5,700
Location
England
The difficulty is with how complex and well thought out the xz attack was, it's very difficult to detect if they're done that well, after all it was a slow build up of trust over multiple years, with well reviewed changes, which bit-by-bit didn't seem suspicious, plus then the attack on a package which had a single main maintainer who then had a documented mental health history it was a storm in a teacup in a way.
Ah, I didn't realise. Just a lesson to stay vigilant I guess in that case.
 
Back
Top Bottom