noauthority.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Long live NAS!

Administered by:

Server stats:

1.4K
active users

Oooooooof

> Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository.

security.archlinux.org/CVE-202

security.archlinux.orgCVE-2024-3094 - xz - Arch Linux

Fear not, xz users, a new developer has stepped up to take over the project:

Tia Jan <jant1203@proton.me>

Guy has Go project that wraps xz to provide native Go bindings. Project has had no commits for THREE YEARS.

Suddenly some guy sends a PR to update the version of xz in use to the backdoored version:
github.com/jamespfennell/xz/pu

Then you got some guy in the HN comments astroturfing everyone claiming that he knows the guy who submitted the PR IRL and he's a "cool dude", or something.

All this shit is so sus.

CAN THE FUCKING FEDS PLEASE STOP BACKDOORING OPEN SOURCE SOFTWARE PLEASE? K THANKS

GitHubfeat: update vendored xz to 5.6.1 by jaredallard · Pull Request #2 · jamespfennell/xzBy jaredallard

oh yeah, and the guy who submitted the PR supposedly works at 1Password.

So that's nice.

Both of the maintainer accounts for the xz (under the github.com/tukaani-project) have been suspended, presumably by Github staff:

The suspension isn't listed on the account profile, but visible in the Following/Followers list for some reason, ex: github.com/JiaT75?tab=followin

@John @eriner My unconsidered and off the cuff opinion:

0) from a technical standpoint, it's quite severe. It's exactly where you don't want this to happen

1) this doesn't have much impact on end users, because it was discovered and corrected relatively quickly, before it was incorporated in many projects, and welded deeply into many projects which might not be actively developed and updated.

@John @eriner

2) the larger and more frightening aspect of this is the vulnerability of the open source supply chain to this type of infiltration. It raises the prospect that a similar (but much more expertly executed) infiltration might have been conducted sometime in the past.

@John @eriner

3) it also points to what one might consider sloppiness and laziness, in that projects were trusting tarballs (more or less zipfiles containing pre-built output resources which are sometimes provided as a convenience), instead of taking the trouble to actually build the output code themselves from first principles, out of the original source files from the project's repository.

@John The post you're commenting on is a bit in the weeds. At a high level, the xz compression library was intentionally subverted by one of the project maintainers and a backdoor was inserted. This impacted SSH on Debian and Fedora, two very popular linux distros.

The best high-level writeup I can find is Michael Larabel's: phoronix.com/news/XZ-CVE-2024-

www.phoronix.comXZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

@eriner @John dang I didn't realize that ssh was affected. That musta been a patient actor.

@Derdnik @John This specific attack was at least one year in the making. In particular, this commit: github.com/tukaani-project/xz/

and then the disabling of ifunc in google/oss-fuzz to hide the vulnerability: github.com/google/oss-fuzz/pul

This attack didn't happen overnight, but also suggests that, given the extensive planning and setup that precipitated this backdoor, there very well may be other intentionally introduced bugs; the simple reversion of xz to a prior version may not be sufficient.

GitHubliblzma: Add ifunc implementation to crc64_fast.c. · tukaani-project/xz@ee44863The ifunc method avoids indirection via the function pointer crc64_func. This works on GNU/Linux and probably on FreeBSD too. The previous __attribute((__constructor__)) method is kept for compatib...

@eriner @John If your running Fedora, or debian distros, you can use the command;
xz --version
to see if your system has the backdoor'd; XZ 5.6.0/5.6.1
(It most likely doesn't.)