noauthority.social is one of the many independent Mastodon servers you can use to participate in the fediverse.

Oooooooof

> Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository.

security.archlinux.org/CVE-202

security.archlinux.org: CVE-2024-3094 - xz - Arch Linux
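The advisory quoted above describes a release tarball carrying files (.m4 macros) that were never in the repository. The script below is an added example, not code from the thread or from the xz project, showing how a packager can diff a release tarball's file list against a checkout to surface such extras. The function names (tarball_extras, make_fixture, demo_extras) are hypothetical, and the tarball and "repo" it checks are constructed fixtures built in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the xz project): list files that
# ship in a release tarball but do not exist in the version-controlled tree.
# The fixture below is constructed: a fake repo plus a tarball that carries
# one extra m4/ file the repo never had.

# tarball_extras TARBALL REPO_DIR
#   Prints, one per line, paths present in TARBALL (relative to its top-level
#   directory) that are not present in REPO_DIR.
tarball_extras() {
    tarball="$1"
    repo="$2"
    tmp=$(mktemp -d)
    # Archive file list, directories dropped, leading "<name>/" stripped.
    tar -tzf "$tarball" | grep -v '/$' | sed 's#^[^/]*/##' | sort > "$tmp/tar.lst"
    # Checkout file list, relative to its root. On a real git checkout use
    # `git ls-files` here instead of find so untracked files are excluded.
    (cd "$repo" && find . -type f | sed 's#^\./##' | sort) > "$tmp/repo.lst"
    # Lines present only in the tarball list.
    comm -23 "$tmp/tar.lst" "$tmp/repo.lst"
    rm -rf "$tmp"
}

# make_fixture
#   Builds the constructed demo: prints the base directory containing
#   repo/ and example-1.0.tar.gz (the tarball has one injected m4 file).
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/repo/m4" "$base/repo/src"
    printf 'AC_DEFUN([REAL_MACRO], [])\n' > "$base/repo/m4/real.m4"
    printf 'int main(void){return 0;}\n' > "$base/repo/src/main.c"
    cp -r "$base/repo" "$base/example-1.0"
    printf 'AC_DEFUN([INJECTED], [])\n' > "$base/example-1.0/m4/injected.m4"
    (cd "$base" && tar -czf example-1.0.tar.gz example-1.0)
    echo "$base"
}

# demo_extras
#   Runs the check against the constructed fixture and cleans up.
demo_extras() {
    base=$(make_fixture)
    tarball_extras "$base/example-1.0.tar.gz" "$base/repo"
    rm -rf "$base"
}

# Stand-alone run: prints "m4/injected.m4".
demo_extras
```

A non-empty result is a review prompt, not a verdict: generated files such as configure scripts legitimately appear only in tarballs, so the practical version of this check keeps an allowlist of expected generated paths and flags anything outside it.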

Fear not, xz users, a new developer has stepped up to take over the project:

Tia Jan <jant1203@proton.me>

Guy has a Go project that wraps xz to provide native Go bindings. The project has had no commits for THREE YEARS.

Suddenly some guy sends a PR to update the version of xz in use to the backdoored version:
github.com/jamespfennell/xz/pu

Then you got some guy in the HN comments astroturfing everyone claiming that he knows the guy who submitted the PR IRL and he's a "cool dude", or something.

All this shit is so sus.

CAN THE FUCKING FEDS PLEASE STOP BACKDOORING OPEN SOURCE SOFTWARE PLEASE? K THANKS

GitHub: feat: update vendored xz to 5.6.1 by jaredallard · Pull Request #2 · jamespfennell/xz

oh yeah, and the guy who submitted the PR supposedly works at 1Password.

So that's nice.

Both of the maintainer accounts for xz (under github.com/tukaani-project) have been suspended, presumably by GitHub staff:

The suspension isn't listed on the account profile, but visible in the Following/Followers list for some reason, ex: github.com/JiaT75?tab=followin

@eriner explain what this means

Matt Hamilton

@John The post you're commenting on is a bit in the weeds. At a high level, the xz compression library was intentionally subverted by one of the project maintainers and a backdoor was inserted. This impacted SSH on Debian and Fedora, two very popular Linux distros.

The best high-level writeup I can find is Michael Larabel's: phoronix.com/news/XZ-CVE-2024-

www.phoronix.com: XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access

@eriner @John dang I didn't realize that ssh was affected. That musta been a patient actor.

@Derdnik @John This specific attack was at least one year in the making. In particular, this commit: github.com/tukaani-project/xz/

and then the disabling of ifunc in google/oss-fuzz to hide the vulnerability: github.com/google/oss-fuzz/pul

This attack didn't happen overnight, but also suggests that, given the extensive planning and setup that precipitated this backdoor, there very well may be other intentionally introduced bugs; the simple reversion of xz to a prior version may not be sufficient.

GitHub: liblzma: Add ifunc implementation to crc64_fast.c. · tukaani-project/xz@ee44863: The ifunc method avoids indirection via the function pointer crc64_func. This works on GNU/Linux and probably on FreeBSD too. The previous __attribute((__constructor__)) method is kept for compatib...

@eriner @John If you're running Fedora or Debian distros, you can use the command:
xz --version
to see if your system has the backdoored XZ 5.6.0/5.6.1.
(It most likely doesn't.)
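The version check suggested above, as an added example that is not part of the thread: a small shell function that parses the output of xz --version and reports whether either the xz or liblzma line names 5.6.0 or 5.6.1, the versions the advisory covers. The function names (xz_version_is_affected, check_installed_xz) are hypothetical, and the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag an xz install whose reported
# version is one of those named in the advisory (5.6.0 or 5.6.1).
# `xz --version` prints two lines, e.g. (constructed sample):
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# Both lines are inspected, since the backdoor lives in liblzma.

# xz_version_is_affected VERSION_OUTPUT
#   Returns 0 when any line of VERSION_OUTPUT ends in 5.6.0 or 5.6.1,
#   1 otherwise. Anchored so that e.g. 5.6.10 does not match.
xz_version_is_affected() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])5\.6\.[01][[:space:]]*$'
}

# check_installed_xz
#   Runs the real xz binary if present and prints a one-line verdict.
#   Exit status: 0 affected, 1 not affected, 2 xz not installed.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    out=$(xz --version 2>/dev/null)
    first=$(printf '%s\n' "$out" | sed -n 1p)
    if xz_version_is_affected "$out"; then
        echo "AFFECTED: $first"
        return 0
    fi
    echo "not affected: $first"
    return 1
}

# Stand-alone run against the local system.
check_installed_xz
```

The version string is only a first-pass check: a distribution may ship a patched build under one of these version numbers, so the distro advisory (for example the Arch one linked earlier in the thread) is the authority on whether a given package is affected.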