View previous topic :: View next topic |
Author |
Message |
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2965 Location: Edge of marsh USA
|
Posted: Sat Mar 30, 2024 5:33 pm Post subject: |
|
|
pizza-rat wrote: | figueroa wrote: | If you set -lzma in make.conf you loose a lot of functionality, and probably not necessary anyway. |
Err, what kind of functionality? I did this earlier this morning. |
One would lose the lzma functionality in the applications that are currently using it:
Code: | euse -I lzma
global use flags (searching: lzma)
************************************************************
[+ D ] /var/db/repos/gentoo/profiles/use.desc:lzma - Support for LZMA compression algorithm
Installed packages matching this USE flag:
app-arch/libarchive-3.7.2-r2
app-arch/zstd-1.5.5-r1
dev-libs/boost-1.84.0-r3
dev-libs/elfutils-0.190
dev-libs/libxml2-2.12.5
media-gfx/imagemagick-7.1.1.25
media-libs/imlib2-1.9.1-r1
media-libs/tiff-4.6.0
media-video/ffmpeg-6.0.1-r4
sys-apps/file-5.45-r4
sys-apps/kmod-31
www-client/links-2.29
x11-libs/wxGTK-3.2.2.1-r3 |
Of course, your mileage may vary. _________________ Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi |
|
Back to top |
|
|
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2965 Location: Edge of marsh USA
|
Posted: Sat Mar 30, 2024 5:41 pm Post subject: |
|
|
saturnalia0 wrote: | ...
I'm leaning towards -multiarch, not because of this issue in particular, but because it seems like unnecessary attack surface. |
I just did so by adding -multiarch to /etc/portage/package.use for glibc.
Code: | # emerge -uDU @world -a
These are the packages that would be merged, in order:
Calculating dependencies... done!
Dependency resolution took 23.45 s (backtrack: 0/20).
[ebuild R ] sys-libs/glibc-2.38-r10 USE="-multiarch*"
Would you like to merge these packages? [Yes/No]
|
_________________ Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi |
|
Back to top |
|
|
colo-des Tux's lil' helper
Joined: 20 May 2011 Posts: 97
|
|
Back to top |
|
|
bstaletic Apprentice
Joined: 05 Apr 2014 Posts: 253
|
Posted: Sun Mar 31, 2024 7:54 am Post subject: |
|
|
colo-des wrote: | In reference to what is commented on:
https://bugs.gentoo.org/928134#c24
https://bugs.gentoo.org/928134#c25
I have downgrade to 5.2.5-r2, from full backups that always I do before emerge-sync
(including /usr/portage/distfiles).
Code: | $ genlop -t xz-utils |grep app-arch/xz-utils-5.2.5-r2
Tue Apr 26 02:45:07 2022 >>> app-arch/xz-utils-5.2.5-r2
Sat Mar 30 18:49:25 2024 >>> app-arch/xz-utils-5.2.5-r2 |
|
You're just trading one security vulnerability for another this way. According to GLSA 202209-01, <=xz-utils-5.2.5 is also vulnerable.
Reference: CVE-2022-1271
Maybe your =xz-utils-5.2.5-r2 is already patched. I could not find a definitive answer.
I just don't want others to think reverting so far back has no consequences.
Last edited by bstaletic on Sun Mar 31, 2024 8:01 pm; edited 1 time in total |
|
Back to top |
|
|
miket Guru
Joined: 28 Apr 2007 Posts: 488 Location: Gainesville, FL, USA
|
Posted: Sun Mar 31, 2024 5:48 pm Post subject: |
|
|
user wrote: | OT: time to look at lzip |
Indeed, right away I thought of the complaint of Antonio Diaz Diaz that XZ is not suitable for long-term archiving (https://www.nongnu.org/lzip/xz_inadequate.html). |
|
Back to top |
|
|
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2965 Location: Edge of marsh USA
|
Posted: Sun Mar 31, 2024 6:11 pm Post subject: |
|
|
How would you pull that off (lzip) with all of these dependencies to xz-utils?
Code: | $ emerge -cpv xz-utils
Calculating dependencies... done!
app-arch/xz-utils-5.4.2 pulled in by:
@system requires app-arch/xz-utils
app-accessibility/at-spi2-core-2.50.1 requires app-arch/xz-utils
app-arch/file-roller-43.1 requires app-arch/xz-utils
app-arch/libarchive-3.7.2-r2 requires >=app-arch/xz-utils-5.2.5-r1[abi_x86_64(-)]
app-arch/zstd-1.5.5-r1 requires app-arch/xz-utils
app-cdr/brasero-3.12.3 requires app-arch/xz-utils
app-cdr/graveman-0.3.12_p5-r5 requires app-arch/xz-utils
app-crypt/gcr-3.41.1-r2 requires app-arch/xz-utils
app-crypt/libsecret-0.21.1 requires app-arch/xz-utils
app-editors/ghex-44.2 requires app-arch/xz-utils
app-office/glabels-3.4.1 requires app-arch/xz-utils
app-portage/eix-0.36.7-r1 requires app-arch/xz-utils
app-portage/elt-patches-20240213 requires app-arch/xz-utils
app-text/evince-45.0 requires app-arch/xz-utils
app-text/gspell-1.12.2 requires app-arch/xz-utils
app-text/yelp-tools-42.1 requires app-arch/xz-utils
dev-build/gtk-doc-am-1.33.2 requires app-arch/xz-utils
dev-cpp/atkmm-2.28.3 requires app-arch/xz-utils
dev-cpp/glibmm-2.66.6 requires app-arch/xz-utils
dev-cpp/gtkmm-3.24.8 requires app-arch/xz-utils
dev-cpp/pangomm-2.46.3 requires app-arch/xz-utils
dev-lang/php-8.2.15 requires app-arch/xz-utils
dev-lang/python-3.11.8_p1 requires app-arch/xz-utils:0/0=, app-arch/xz-utils:=
dev-lang/python-3.12.2_p1 requires app-arch/xz-utils:0/0=, app-arch/xz-utils:=
dev-lang/vala-0.56.14 requires app-arch/xz-utils
dev-libs/boost-1.84.0-r3 requires app-arch/xz-utils:=[abi_x86_64(-)], app-arch/xz-utils:0/0=[abi_x86_64(-)]
dev-libs/elfutils-0.190 requires >=app-arch/xz-utils-5.0.5-r1[abi_x86_64(-)]
dev-libs/glib-2.78.3 requires app-arch/xz-utils
dev-libs/gmp-6.3.0-r1 requires app-arch/xz-utils
dev-libs/gobject-introspection-1.78.1 requires app-arch/xz-utils
dev-libs/gobject-introspection-common-1.78.1 requires app-arch/xz-utils
dev-libs/json-glib-1.8.0 requires app-arch/xz-utils
dev-libs/libltdl-2.4.7-r1 requires app-arch/xz-utils
dev-libs/libsigc++-2.12.0 requires app-arch/xz-utils
dev-libs/libxml2-2.12.5 requires >=app-arch/xz-utils-5.0.5-r1:=[abi_x86_64(-)], app-arch/xz-utils, >=app-arch/xz-utils-5.0.5-r1:0/0=[abi_x86_64(-)]
dev-libs/libxmlb-0.3.14 requires app-arch/xz-utils
dev-libs/libxslt-1.1.39 requires app-arch/xz-utils
dev-libs/vala-common-0.56.14 requires app-arch/xz-utils
dev-python/pygobject-3.46.0 requires app-arch/xz-utils
dev-util/desktop-file-utils-0.27 requires app-arch/xz-utils
dev-util/gdbus-codegen-2.78.3 requires app-arch/xz-utils
dev-util/glib-utils-2.78.3 requires app-arch/xz-utils
dev-util/meld-3.22.0-r2 requires app-arch/xz-utils
gnome-base/dconf-0.40.0 requires app-arch/xz-utils
gnome-base/gnome-keyring-42.1-r2 requires app-arch/xz-utils
gnome-base/gsettings-desktop-schemas-45.0 requires app-arch/xz-utils
gnome-base/gvfs-1.52.1 requires app-arch/xz-utils
gnome-base/librsvg-2.57.0 requires app-arch/xz-utils
gnome-extra/yelp-xsl-42.1 requires app-arch/xz-utils
gui-libs/gtk-4.12.4 requires app-arch/xz-utils
gui-libs/libadwaita-1.4.2 requires app-arch/xz-utils
gui-libs/libhandy-1.8.2 requires app-arch/xz-utils
gui-libs/vte-common-0.74.2 requires app-arch/xz-utils
media-gfx/gimp-2.10.36 requires app-arch/xz-utils
media-gfx/gnome-screenshot-41.0 requires app-arch/xz-utils
media-gfx/imagemagick-7.1.1.25 requires app-arch/xz-utils
media-libs/flac-1.4.3 requires app-arch/xz-utils
media-libs/gexiv2-0.14.2 requires app-arch/xz-utils
media-libs/imlib2-1.9.1-r1 requires app-arch/xz-utils[abi_x86_64(-)]
media-libs/libcanberra-0.30-r7 requires app-arch/xz-utils
media-libs/tiff-4.6.0 requires >=app-arch/xz-utils-5.0.5-r1[abi_x86_64(-)]
media-libs/xine-lib-1.2.13-r2 requires app-arch/xz-utils
media-sound/easytag-2.4.3-r5 requires app-arch/xz-utils
media-video/ffmpeg-6.0.1-r4 requires >=app-arch/xz-utils-5.0.5-r1[abi_x86_64(-)]
net-dns/dnsmasq-2.90 requires app-arch/xz-utils
net-libs/glib-networking-2.78.0 requires app-arch/xz-utils
net-libs/libsoup-2.74.3 requires app-arch/xz-utils
net-libs/libsoup-3.4.4 requires app-arch/xz-utils
net-libs/libtirpc-1.3.4-r2 requires app-arch/xz-utils
net-mail/fetchmail-6.4.37 requires app-arch/xz-utils
net-misc/wget-1.21.4 requires app-arch/xz-utils
net-misc/whois-5.5.20 requires app-arch/xz-utils
sys-apps/baobab-45.0 requires app-arch/xz-utils
sys-apps/coreutils-9.4-r1 requires app-arch/xz-utils
sys-apps/ethtool-6.7 requires app-arch/xz-utils
sys-apps/file-5.45-r4 requires app-arch/xz-utils[abi_x86_64(-)]
sys-apps/gnome-disk-utility-45.1 requires >=app-arch/xz-utils-5.0.5, app-arch/xz-utils
sys-apps/iproute2-6.6.0-r3 requires app-arch/xz-utils
sys-apps/kmod-31 requires >=app-arch/xz-utils-5.0.4-r1
sys-apps/man-db-2.12.0 requires app-arch/xz-utils
sys-apps/net-tools-2.10 requires app-arch/xz-utils
sys-apps/sandbox-2.38 requires app-arch/xz-utils
sys-apps/shadow-4.14.2 requires app-arch/xz-utils
sys-block/gparted-1.5.0-r1 requires app-arch/xz-utils
sys-boot/grub-2.12-r2 requires app-arch/xz-utils
sys-devel/m4-1.4.19-r2 requires app-arch/xz-utils
sys-fs/ddrescue-1.27 requires >=app-arch/xz-utils-5.4.0
sys-kernel/linux-headers-6.6-r1 requires app-arch/xz-utils
sys-libs/gpm-1.20.7-r6 requires app-arch/xz-utils
www-client/links-2.29 requires app-arch/xz-utils
x11-libs/gdk-pixbuf-2.42.10-r1 requires app-arch/xz-utils
x11-libs/gtk+-2.24.33-r3 requires app-arch/xz-utils
x11-libs/gtk+-3.24.39 requires app-arch/xz-utils
x11-libs/gtksourceview-4.8.4 requires app-arch/xz-utils
x11-libs/libfm-1.3.2 requires app-arch/xz-utils
x11-libs/libfm-extra-1.3.2 requires app-arch/xz-utils
x11-libs/libnotify-0.8.3 requires app-arch/xz-utils
x11-libs/libwnck-43.0-r1 requires app-arch/xz-utils
x11-libs/vte-0.74.2 requires app-arch/xz-utils
x11-libs/wxGTK-3.2.2.1-r3 requires app-arch/xz-utils
x11-misc/notification-daemon-3.20.0-r1 requires app-arch/xz-utils
x11-themes/adwaita-icon-theme-45.0 requires app-arch/xz-utils
x11-themes/gnome-themes-standard-3.28 requires app-arch/xz-utils
x11-themes/gtk-engines-adwaita-3.28 requires app-arch/xz-utils
x11-themes/hicolor-icon-theme-0.17 requires app-arch/xz-utils |
_________________ Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi |
|
Back to top |
|
|
colo-des Tux's lil' helper
Joined: 20 May 2011 Posts: 97
|
Posted: Sun Mar 31, 2024 6:40 pm Post subject: |
|
|
bstaletic wrote: |
You're just trading one security vulnerability for another this way. According to GLSA 202209-01, <xz-utils-5.2.5 is also vulnerable.
Reference: CVE-2022-1271
Maybe your =xz-utils-5.2.5-r2 is already patched. I could not find a definitive answer.
I just don't want others to think reverting so far back has no consequences. |
Ohh my gooshh ... we get out of bad to get into a worse...thanks for warning.
I stay at 5.4.1 because I have the sources of this version and I don't want to update the entire system.
Code: | $ genlop -t app-arch/xz-utils-5.4.1
* app-arch/xz-utils
Mon Mar 13 23:47:30 2023 >>> app-arch/xz-utils-5.4.1
merge time: 41 seconds.
Sun Mar 31 15:12:37 2024 >>> app-arch/xz-utils-5.4.1
merge time: 59 seconds. |
|
|
Back to top |
|
|
miket Guru
Joined: 28 Apr 2007 Posts: 488 Location: Gainesville, FL, USA
|
Posted: Sun Mar 31, 2024 9:58 pm Post subject: |
|
|
figueroa wrote: | How would you pull that off (lzip) with all of these dependencies to xz-utils?
... |
There's the rub. Lots of packages depend on it. Diaz has sounded like a voice crying in the wilderness for many years, but in the meantime lots of projects have come to depend on lzma. In the meantime, only a few packages (including Diaz' own ddrescue) have chosen to depend on lzip.
At this point we're pretty well stuck with XZ.
The thing I think we'll have to count on is the development of a target clean version of xz-utils, probably with a complete reworking of the build process. Both the sources of that package and its build scripts will need a careful audit. We would insist that any distribution tarball be buildable from the contents of the repo without any reliance on outside scripts. (But then, a lot of people on LWN are suspicious of distribution tarballs in the first place, saying they are not as auditable as Git commits.) All this is hard, but it would be more feasible to rescue xz-utils than it would to make all those projects which depend on xz-utils to switch to something else. |
|
Back to top |
|
|
axl Veteran
Joined: 11 Oct 2002 Posts: 1144 Location: Romania
|
|
Back to top |
|
|
colo-des Tux's lil' helper
Joined: 20 May 2011 Posts: 97
|
Posted: Sun Mar 31, 2024 10:38 pm Post subject: |
|
|
The firsts tools and listings of the objects (liblzma_la-crc64-fast.o) are appearing:
https://www.openwall.com/lists/oss-security/2024/03/31/5
https://github.com/karcherm/xz-malware
For PAM's defenders, there are some gifts.
Code: |
948: 'mm_answer_pam_start\x00'
40: 'mm_do_pam_account\x00'
70: 'mm_sshpam_free_ctx\x00'
58: 'mm_sshpam_init_ctx\x00'
60: 'mm_sshpam_query\x00'
68: 'mm_sshpam_respond\x00'
c58: 'parse PAM\x00' |
Keep expanding the attack surface and see how many more of these backdoors appear.
Greetings |
|
Back to top |
|
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3165
|
Posted: Sun Mar 31, 2024 11:40 pm Post subject: |
|
|
colo-des wrote: |
For PAM's defenders, there are some gifts.
Code: |
948: 'mm_answer_pam_start\x00'
40: 'mm_do_pam_account\x00'
70: 'mm_sshpam_free_ctx\x00'
58: 'mm_sshpam_init_ctx\x00'
60: 'mm_sshpam_query\x00'
68: 'mm_sshpam_respond\x00'
c58: 'parse PAM\x00' |
Keep expanding the attack surface and see how many more of these backdoors appear.
Greetings |
Although I roughly agree with your sentiment towards PAM, you're really stretching it there. It wasn't PAM that got exploited to sneak malware into installed systems, and you can't blame it for a rogue application >maybe< interfacing with it after it got smuggled in.
You're basically pulling hydrogen monoxide on us. You know, the thing that's been found in high concentration in acid rain and cancer cells _________________ Make Computing Fun Again |
|
Back to top |
|
|
flexibeast Guru
Joined: 04 Apr 2022 Posts: 325 Location: Naarm/Melbourne, Australia
|
Posted: Mon Apr 01, 2024 12:08 am Post subject: |
|
|
Although i'm very sympathetic to the critique of the design and implementation of xz, those things aren't the fundamental cause of the current situation: fundamentally, this is a social engineering attack.
Say lzip had been used in place of xz; great. It becomes widely-used, which means there's increasing pressure on Diaz to deal with bugs and feature requests. Then Diaz starts to develop health issues which make it even more difficult to deal with those bugs and feature requests. There will be an incentive for Diaz to take on extra maintainers, and a susceptibility to being brigaded into doing so, especially when a proposed maintainer seems to have been doing good work for a couple of years.
These sort of issues will continue to arise until we work out an effective way of dealing with "the xkcd 2347 problem" ("Dependency").
(i can imagine some will argue that lzip's design and implementation would have resulted in there being fewer bugs to deal with, and thus less pressure on Diaz. Perhaps; i'll leave that to the alternate-history people to analyse. But no software is bug-free - insert Knuth quote here - and past a certain threshold, any amount of bugs can be too much for a single person to wrangle.) |
|
Back to top |
|
|
colo-des Tux's lil' helper
Joined: 20 May 2011 Posts: 97
|
Posted: Mon Apr 01, 2024 3:06 am Post subject: |
|
|
szatox wrote: |
>maybe< interfacing with it after it got smuggled in. |
That is precisely what I was referring to, being available, it is easy to make to the creator of backdoor that if I were not.
It is like accessing the central control panel and just pressing the buttons you need, which were already there for each task.
For my part I do not use pam, dbus, elogind/systemd, only the old eudev, now already at its continuation after he was removed from gentoo.
Code: | $ eix -I sys-fs/eudev
[I] sys-fs/eudev [1]
Available versions: 3.2.14^t{tbz2} {+kmod rule-generator selinux split-usr static-libs test ABI_MIPS="n32 n64 o32" ABI_S390="32 64" ABI_X86="32 64 x32"}
Installed versions: 3.2.14^t{tbz2}(21:35:35 19/03/24)(kmod rule-generator split-usr -selinux -static-libs -test ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="32 64 -x32")
Homepage: https://github.com/eudev-project/eudev
Description: Linux dynamic and persistent device naming support (aka userspace devfs)
[1] "repo_local" /usr/local/portage |
|
|
Back to top |
|
|
flexibeast Guru
Joined: 04 Apr 2022 Posts: 325 Location: Naarm/Melbourne, Australia
|
Posted: Mon Apr 01, 2024 3:58 am Post subject: |
|
|
This is OT, but a few years ago, Ted T'so wrote an interesting comment on The Orange Site about PAM on Linux, "[T]he fact that PAM was adopted by Linux is mostly my fault". Excerpt:
Quote: | I was the tech lead for Kerberos at MIT, and in 1995 I was visiting Sun to discuss how kerberos might be included in Solaris. One of the technical discussions that we had was that each time people wanted to add support for various new large scale distributed infrastructures, whether it was Yellow Pages, or Hesiod (YP's rough equivalent developed at MIT Project Athena), or OpenLDAP, or Kerberos, or when we wanted to automatically mount the user's home directory, either using NFS as in Sun, or creating a temporary home directory, or creating a symlink into AFS and then getting AFS tokens, etc. we had to keep on modifying the sources for /bin/login. And this was a positive drag. Basically each large scale site was editing the source code for /bin/login and there was a private customized copy of login at MIT Project Athena, CMU Project Andrew, various US National Labs, yadda, yadda, yadda.
This was how things were done before PAM, and it presumed that you could twist the arms of the proprietary Unix vendors hard enough that they would give you to the source to /bin/login, which of course back then was encumbered by the AT&T Unix license, which means you needed to pay AT&T to get a Source License before you went back to twisting the arms of the proprietary Unix vendor. And if you had a multi-vendor deployment, you might need to separately customize the /bin/login for OSF/1, Solaris, AIX, HP/UX, AUX, and Irix for your large scale deployment --- since all of the proprietary Unix vendors had added their own, incompatible, "value adds" to the OS. Yelch!
The Solaris developers told me about this cool library called Pluggable Authentication Modules which they had been working on, and it was clear to me that this was the answer we were looking for. |
|
|
Back to top |
|
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3165
|
Posted: Mon Apr 01, 2024 11:17 am Post subject: |
|
|
colo-des wrote: |
That is precisely what I was referring to, being available, it is easy to make to the creator of backdoor that if I were not.
It is like accessing the central control panel and just pressing the buttons you need, which were already there for each task.
| I don't understand what you're actually referring to. Yes, we create control panels and stuff them with buttons to make things easier and more convenient to use. This is exactly the purpose of control panels and buttons, they make things easy, convenient, and hopefully efficient for humans to use, which is a good thing and not a problem.
The problem is that the rogue code got smuggled into a space no rogue code was ever expected to enter. It is not buttons' fault that an intruder knows about their existence. It's guards' fault that the intruder was able to get in. The same attack could have targeted systems equipped with any other set of tools.
So far it looks like the only reason it targets sshd+pam and not sshd alone is because all big players use sshd+pam.
Now, the first reports basically say the attack was performed on xz's overly complicated build process. This is something we can learn from. Like importance of transparency and simplicity for example. _________________ Make Computing Fun Again |
|
Back to top |
|
|
user Apprentice
Joined: 08 Feb 2004 Posts: 202
|
Posted: Mon Apr 01, 2024 2:56 pm Post subject: |
|
|
figueroa wrote: | How would you pull that off (lzip) with all of these dependencies to xz-utils?
Code: | $ emerge -cpv xz-utils
Calculating dependencies... done!
app-arch/xz-utils-5.4.2 pulled in by:
...
|
|
As long as transition from bzip2 to xz was took.
xz was more and more common because of better compress result against gzip/bzip2 but not in term of desgin structure, sadly. |
|
Back to top |
|
|
GreenNeonWhale n00b
Joined: 30 Mar 2016 Posts: 56
|
Posted: Mon Apr 01, 2024 4:43 pm Post subject: Wipe Everything Due to this? |
|
|
Hi,
I'm currently building a new Gentoo install. As a result of that, I did install xz-utils. I never installed the ~and64 version, thus it looks like I ducked the worst of this. However, I did install the current stable version at the time, which was one of the ones that the malicious actor signed, but not one of the currently known compromised versions. I have since downgraded to v5.4.2. I haven't run much else except for portage, and a few other things. However, it is likely that the then installed version of xz util, the one signed by the bad actor but not the known compromised version, was executed as root. My question is this: Out of an abundance of caution, should I simply wipe the entire install, and start fresh?
I'd appreciate any thoughts and/or recommendations.
Thank You! |
|
Back to top |
|
|
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2965 Location: Edge of marsh USA
|
Posted: Mon Apr 01, 2024 5:36 pm Post subject: |
|
|
GreenNeonWhale,
Since you are still building the system, it is surely not yet multiuser and exposed to the Internet in a meaningful way. Therefore, I think wiping and starting over would be excessively paranoid.
That said, we will surely continue to learn more and hopefully systemically apply lessons learned for a safer Linux ecosystem. _________________ Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi |
|
Back to top |
|
|
user Apprentice
Joined: 08 Feb 2004 Posts: 202
|
Posted: Mon Apr 01, 2024 6:47 pm Post subject: |
|
|
flexibeast wrote: | Although i'm very sympathetic to the critique of the design and implementation of xz, those things aren't the fundamental cause of the current situation: fundamentally, this is a social engineering attack.
Say lzip had been used in place of xz; great. It becomes widely-used, which means there's increasing pressure on Diaz to deal with bugs and feature requests. Then Diaz starts to develop health issues which make it even more difficult to deal with those bugs and feature requests. There will be an incentive for Diaz to take on extra maintainers, and a susceptibility to being brigaded into doing so, especially when a proposed maintainer seems to have been doing good work for a couple of years.
These sort of issues will continue to arise until we work out an effective way of dealing with "the xkcd 2347 problem" ("Dependency").
(i can imagine some will argue that lzip's design and implementation would have resulted in there being fewer bugs to deal with, and thus less pressure on Diaz. Perhaps; i'll leave that to the alternate-history people to analyse. But no software is bug-free - insert Knuth quote here - and past a certain threshold, any amount of bugs can be too much for a single person to wrangle.) |
As long author will not fall into feature bloat and keep version number less than π.
But in general community will sharpen their perception after unkindly reminder
- monitoring deltas between version control system and release archives
- more suspicion about non source code bloat
- more suspicion if package elected build framework include custom extension
- overall package separation into more predictable sub packages like lib,frontend,backend,test,...
- no custom patching of exposed packages like sshd
- more focus and defence of untrusted content processing
- revaluation of dependency trust |
|
Back to top |
|
|
logrusx Veteran
Joined: 22 Feb 2018 Posts: 1587
|
Posted: Mon Apr 01, 2024 6:50 pm Post subject: Re: Wipe Everything Due to this? |
|
|
GreenNeonWhale wrote: | Hi,
I'm currently building a new Gentoo install. As a result of that, I did install xz-utils. I never installed the ~and64 version, thus it looks like I ducked the worst of this. However, I did install the current stable version at the time, which was one of the ones that the malicious actor signed, but not one of the currently known compromised versions. I have since downgraded to v5.4.2. I haven't run much else except for portage, and a few other things. However, it is likely that the then installed version of xz util, the one signed by the bad actor but not the known compromised version, was executed as root. My question is this: Out of an abundance of caution, should I simply wipe the entire install, and start fresh?
I'd appreciate any thoughts and/or recommendations.
Thank You! |
To my understanding, you should not freak out about it. According to people who researched it, Including our Gentoo dev Sam James, it backdoored only the deb and rpm packages built on x86_64 on Debian and REDHAT-like systems. The script wasn't triggered for local build which Gentoo uses, even for building the binary packages on the binhost. I spent some time to read all I could find about it and I find Sam's words the most reassuring because I myself, being a programmer but not a security or cryptographic expert, could understand what he said.
If you want to be sure, just recompile xz-utils and openssh and you should be fine although I personally consider it unnecessary for Gentoo users.
Best Regards,
Georgi |
|
Back to top |
|
|
colo-des Tux's lil' helper
Joined: 20 May 2011 Posts: 97
|
Posted: Mon Apr 01, 2024 7:43 pm Post subject: |
|
|
szatox wrote: | The same attack could have targeted systems equipped with any other set of tools. |
I summarize it, the thief no longer needs to wear his backpack with his tools, he finds them inside the house where he enters to steal.
This also applies perfectly to busybox.
I understand your point of view and respect your position, but I personally have to choose between ease of use and safety, I prefer to choose security.
Chemically speaking, some are finding out that the water wets. |
|
Back to top |
|
|
flexibeast Guru
Joined: 04 Apr 2022 Posts: 325 Location: Naarm/Melbourne, Australia
|
Posted: Tue Apr 02, 2024 12:50 am Post subject: |
|
|
user wrote: | As long author will not fall into feature bloat and keep version number less than π. |
Well, have you ever developed and/or maintained any FOSS, or packages for FOSS, yourself, as a volunteer?
i have, and do, as well as spending large amounts of time writing and updating documentation (refer to my user page on the Gentoo wiki for some details). And i've not only been doing that for a number of years, but more generally observing how volunteers get treated for even longer (more than 25 years). The amount of pressure that can be put on us, by entitled people who typically aren't willing to do such work themselves, can be .... rather large.
On the one hand, there's the fundamentalist anti-bloat crowd, who consider things like being able to change a program's text size without recompiling to be 'bloat', and even having a build process where one can enable and disable certain features is apparently 'bloat'. On the other hand, there's the "every possible feature must be implemented" crowd, who not only want someone else to implement the functionality for them, but to do so in a way that meets their personal UX standards.
Both crowds - and in fact many FOSS users more generally - are willing to harass, insult, and encourage brigading of devs and maintainers until they get their way. Yet it's clearly not possible to always please both crowds simultaneously, or all users in general. And when devs and maintainers don't, further harassment, insults, and brigading are not uncommon.
In this overall context, if Lasse experienced brigading pressuring him to take on a new maintainer for xz-utils, it doesn't necessarily come across as "unusual behaviour, perhaps even the work of an APT", thus raising red flags; instead, it doesn't seem like particularly unusual behaviour at all. EDITED TO ADD: Indeed, there were two accounts, apparently sockpuppets, pressuring Lasse, in ways that i encounter regularly, across various FOSS projects.
Consider how that impacts volunteers' time, resources, and mental health, and how that might impact volunteers' ability to provide and maintain software and the QA (including security stuff) related to it.
The contents of the screenshot i used to demonstrate my 'Ebuku' Elisp package are not random.
Last edited by flexibeast on Tue Apr 02, 2024 6:54 am; edited 1 time in total |
|
Back to top |
|
|
ritzmax72 Tux's lil' helper
Joined: 10 Aug 2014 Posts: 83
|
Posted: Tue Apr 02, 2024 5:44 am Post subject: |
|
|
Is there any trace of IP or domain names in those malicious code which could reveal
the identity of the backdoor sink? |
|
Back to top |
|
|
colo-des Tux's lil' helper
Joined: 20 May 2011 Posts: 97
|
Posted: Tue Apr 02, 2024 6:10 am Post subject: |
|
|
You can read in the comments, the user ceretullis outlines possible IPv4 and IPV6 addresses.
https://gynvael.coldwind.pl/?id=782 |
|
Back to top |
|
|
logrusx Veteran
Joined: 22 Feb 2018 Posts: 1587
|
Posted: Tue Apr 02, 2024 6:14 am Post subject: |
|
|
ritzmax72 wrote: | Is there any trace of IP or domain names in those malicious code which could reveal
the identity of the backdoor sink? |
It worked with a specific private key so the intruder could log in from anywhere and just use that key and get in, so no. That would be very silly and given the preparation and knowledge that went into it makes it impossible.
However this is off topic, so maybe discuss it in Gentoo Chat if you want to.
Best Regards,
Georgi |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|