Gentoo Forums
Portage & Programming
The xz package has been backdoored
pablo_supertux
Advocate

Joined: 25 Jan 2004
Posts: 2946
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

PostPosted: Fri Mar 29, 2024 9:16 pm    Post subject: The xz package has been backdoored

I was made aware of this: https://archlinux.org/news/the-xz-package-has-been-backdoored/

My system is currently using app-arch/xz-utils-5.6.1 which seems to be affected. I also found this: https://bugs.gentoo.org/928134

Should I downgrade app-arch/xz-utils to 5.4.6-r1?

It's going to be a hot topic for a week or two yet. Stuck by NeddySeagoon
[Administrator edit: Unstuck 2024-11-25. -Hu]
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
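As an added example, not code from the thread or from Gentoo: a POSIX sh triage script for the question asked in this post. It classifies an xz/liblzma version against the affected range the thread cites (>=app-arch/xz-utils-5.6.0, bug 928134 / GLSA 202403-04) and checks whether sshd has liblzma mapped into it at all, which is the path the backdoor used. It assumes `xz --version` prints a `liblzma <version>` line and that glibc's ldd is available; the xz and ldd lines shown in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo.
# Triage for the xz-utils backdoor: is the installed liblzma in the affected
# range, and is liblzma mapped into sshd at all?
#
# Affected range as cited in the thread: >=app-arch/xz-utils-5.6.0
# (bug 928134, GLSA 202403-04). Anything below that is outside the range.

# xz_version_affected VERSION
# Return 0 (true) when VERSION is >= 5.6.0, else 1. Accepts upstream "5.6.1"
# and Gentoo-style "5.4.6-r1" (the -rN revision is ignored for the comparison).
xz_version_affected() {
    v=${1%%-*}
    set -- $(printf '%s' "$v" | tr '.' ' ')
    major=${1:-0}
    minor=${2:-0}
    [ "$major" -gt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -ge 6 ] && return 0
    return 1
}

# liblzma_version_from: read `xz --version` output on stdin and print the
# liblzma version. From the constructed sample
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# it prints "5.6.1". The library line is the one that matters: sshd loads
# liblzma, it never runs the xz binary.
liblzma_version_from() {
    awk '/^liblzma /{ print $2; exit }'
}

# links_liblzma: read ldd output on stdin; true when liblzma is mapped,
# directly or through another library. Constructed sample line:
#   liblzma.so.5 => /usr/lib64/liblzma.so.5 (0x00007f3c2a6c0000)
links_liblzma() {
    grep -q 'liblzma\.so'
}

# check_host: run both checks against this machine. Every external tool is
# probed first so the script is harmless on hosts without xz or sshd.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz --version 2>/dev/null | liblzma_version_from)
        if xz_version_affected "$ver"; then
            printf 'liblzma %s: IN affected range, downgrade/mask per GLSA 202403-04\n' "$ver"
        else
            printf 'liblzma %s: outside affected range\n' "$ver"
        fi
    else
        printf 'xz not installed here\n'
    fi

    sshd=$(command -v sshd 2>/dev/null || true)
    if [ -z "$sshd" ]; then
        # sshd usually lives outside a non-root user's PATH
        for p in /usr/sbin/sshd /usr/bin/sshd; do
            if [ -x "$p" ]; then sshd=$p; break; fi
        done
    fi
    if [ -n "$sshd" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd" 2>/dev/null | links_liblzma; then
            printf '%s maps liblzma (directly or via another library)\n' "$sshd"
        else
            printf '%s does not map liblzma\n' "$sshd"
        fi
    else
        printf 'sshd or ldd not found, linkage check skipped\n'
    fi
}

check_host
```

The version test deliberately ignores the Gentoo -rN revision, since the affected range in the bug title is expressed on the upstream version; the linkage test uses ldd so that liblzma pulled in transitively (for example through libsystemd) is reported the same as a direct link.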
pablo_supertux
Advocate

Joined: 25 Jan 2004
Posts: 2946
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

PostPosted: Fri Mar 29, 2024 9:26 pm

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e12c7ce6dab9f016b3efdd0a774793865c486b8c

OK, I have done the downgrade now. Perhaps it would be a good idea to make this information more visible for anybody using the forum and visiting Gentoo's web page.
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
wdsci
Tux's lil' helper

Joined: 02 Oct 2007
Posts: 149
Location: US

PostPosted: Fri Mar 29, 2024 9:53 pm

I'd expect there is or soon will be a GLSA for this, right? That's probably the most visible single communication channel for this kind of thing.
Hu
Administrator

Joined: 06 Mar 2007
Posts: 22754

PostPosted: Fri Mar 29, 2024 10:11 pm

This made LWN and has bug >=app-arch/xz-utils-5.6.0: backdoor in release tarballs in Gentoo. The affected versions are masked.
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 5169
Location: Bavaria

PostPosted: Fri Mar 29, 2024 10:16 pm

wdsci wrote:
I'd expect there is or soon will be a GLSA for this, right? [...]

Yes. => https://glsa.gentoo.org/glsa/202403-04
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
szatox
Advocate

Joined: 27 Aug 2013
Posts: 3467

PostPosted: Fri Mar 29, 2024 10:43 pm

Well, that's one rotten take on easter eggs.
_________________
Make Computing Fun Again
CaptainBlood
Advocate

Joined: 24 Jan 2010
Posts: 3941

PostPosted: Sat Mar 30, 2024 1:00 am

@pablo_supertux
+1

Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
saturnalia0
Apprentice

Joined: 13 Oct 2016
Posts: 159

PostPosted: Sat Mar 30, 2024 1:23 am

If I understand it correctly the exploit relies on ifunc. https://sourceware.org/glibc/wiki/GNU_IFUNC

Seems to me like it would make sense to disable that on single-user Gentoo systems with -march=native CFLAG, where the compile target is exclusively the host, for which the code is optimized by the compiler, as instructed by -march.

Reading this thread: https://forums.gentoo.org/viewtopic-t-1088276-start-0.html, it seems that this can be achieved by setting -multiarch on glibc and rebuilding. Hu mentions some scenarios where it's useful even with -march, but it seems to me that in the most common scenario, where the hardware remains the same, there is no advantage to runtime optimization with ifunc?

Thinking about adding -multiarch and maybe -lzma to make.conf and rebuilding the world set... Bad idea? :roll:
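As an added example, not code from the thread, from glibc or from the xz project: a POSIX sh script that inventories the IFUNC symbols exported by a binary and by every shared object ldd maps into it, which is the concrete question behind this post (which code in a process gets to run a resolver at load time). It assumes binutils `readelf` (for `--dyn-syms`) and glibc's `ldd` are present; the readelf and ldd lines in the comments are constructed samples. Having IFUNC symbols is normal, so treat the output as an inventory, not as a sign of compromise.

```shell
#!/bin/sh
# Added example, not code from the thread, from glibc or from xz.
# Inventory IFUNC symbols for a binary and every shared object ldd maps into
# it. An IFUNC symbol's resolver runs while the dynamic loader is still
# relocating, before main(), and whatever pointer it returns becomes the code
# every caller of that symbol jumps to; that is the hook the thread discusses.
# glibc's string routines use IFUNC legitimately, so this is an inventory of
# which objects run resolver code at load time, not an indicator of compromise.

# ldd_libs: read ldd output on stdin, print the absolute path of each mapped
# object. Constructed sample lines:
#   linux-vdso.so.1 (0x00007ffd1c3f0000)
#   liblzma.so.5 => /usr/lib64/liblzma.so.5 (0x00007f3c2a6c0000)
#   libfoo.so.1 => not found
#   /lib64/ld-linux-x86-64.so.2 (0x00007f3c2a8e0000)
# The vdso has no file on disk and "not found" has no path; the loader line
# has no "=>" but is a real object, so it is kept.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# ifunc_symbols: read `readelf -W --dyn-syms` output on stdin and print the
# name of every IFUNC-typed symbol, version suffix stripped, sorted, one per
# line. Constructed sample lines in readelf's column layout:
#   Num:    Value          Size Type    Bind   Vis      Ndx Name
#    12: 0000000000012340   123 IFUNC   GLOBAL DEFAULT   14 lzma_crc64@@XZ_5.0
#    13: 0000000000012400    45 FUNC    GLOBAL DEFAULT   14 lzma_code@@XZ_5.0
ifunc_symbols() {
    awk '$4 == "IFUNC" { sub(/@.*/, "", $8); print $8 }' | sort -u
}

# ifunc_report BINARY: for BINARY and each object in its load set, print how
# many IFUNC symbols it exports and their names. Needs readelf and ldd; on a
# host without them it prints a note and still returns 0.
ifunc_report() {
    bin=$1
    if ! command -v readelf >/dev/null 2>&1 || ! command -v ldd >/dev/null 2>&1; then
        printf 'readelf or ldd not found, skipping %s\n' "$bin"
        return 0
    fi
    for obj in "$bin" $(ldd "$bin" 2>/dev/null | ldd_libs); do
        n=$(readelf -W --dyn-syms "$obj" 2>/dev/null | ifunc_symbols | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf '%s: %s IFUNC symbol(s)\n' "$obj" "$n"
            readelf -W --dyn-syms "$obj" 2>/dev/null | ifunc_symbols | sed 's/^/    /'
        fi
    done
    return 0
}

# On a real host pass the daemon you care about, e.g. ifunc_report /usr/sbin/sshd;
# /bin/sh is the default so the script runs anywhere.
ifunc_report "${1:-/bin/sh}"
```

Run it once against sshd and once against a plain binary to see the baseline glibc contributes; any object other than libc that appears in the list is one whose resolvers execute inside sshd before the daemon's own code runs, which is the surface the -multiarch discussion is really about for glibc and which this report makes visible for every other library too.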
pablo_supertux
Advocate

Joined: 25 Jan 2004
Posts: 2946
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

PostPosted: Sat Mar 30, 2024 1:26 am

Github has disabled the repository, if you go to https://github.com/tukaani-project/xz you get an error message.

I don't know how to feel about this. On one hand, it's good that GitHub takes steps to protect the community, but on the other hand it rather "hides the crimes": several sites with more information and analysis of this issue have been linking to commits and pull requests from the repo, and now they are all gone; you cannot inspect them yourself. Somehow I find that even more upsetting, and it makes it almost impossible to keep investigating the behaviour of the xz-utils maintainer.
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
saturnalia0
Apprentice

Joined: 13 Oct 2016
Posts: 159

PostPosted: Sat Mar 30, 2024 1:45 am

My guess would be it is an attempt to prevent inadvertent downloads of the compromised versions, and the people who took action didn't have a better way to do it immediately available to them. But yeah, I don't like it either...
rab0171610
Guru

Joined: 24 Dec 2022
Posts: 436

PostPosted: Sat Mar 30, 2024 2:06 am

https://gist.github.com/thesamesam
There is enough high-level and general technical info in the "FAQ on the xz-utils backdoor". It is not necessary for every person to need access to the commits linked therein. GitHub made the right decision. It is clearly not a case of hiding the crimes but, as saturnalia0 said, "is an attempt to prevent inadvertent downloads of the compromised versions." For the average user, not using the compromised version should be sufficient for now. I don't see how preventing access to the compromised code is impeding anything.
figueroa
Advocate

Joined: 14 Aug 2005
Posts: 3007
Location: Edge of marsh USA

PostPosted: Sat Mar 30, 2024 2:42 am

saturnalia0 wrote:
...
Thinking about adding -multiarch and maybe -lzma to make.conf and rebuilding the world set... Bad idea? :roll:

Yeah. -multiarch is only used in glibc, so it makes more sense to set it in /etc/package.use. If you set -lzma in make.conf you lose a lot of functionality, and it's probably not necessary anyway.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
Hu
Administrator

Joined: 06 Mar 2007
Posts: 22754

PostPosted: Sat Mar 30, 2024 3:14 am

rab0171610 wrote:
I don't see how preventing access to the compromised code is impeding anything.
It impedes would-be detectives from tracing down specifically when bad commits were introduced, from inspecting what supposed justifications were offered for why the actually-bad commits were supposedly good and useful, and, for those who have not already fetched the compromised code, it impedes their ability to unpack it into a sandbox to inspect its abilities.
rab0171610
Guru

Joined: 24 Dec 2022
Posts: 436

PostPosted: Sat Mar 30, 2024 3:50 am

I think "would-be detectives" says it all.
pizza-rat
Tux's lil' helper

Joined: 23 Dec 2022
Posts: 81

PostPosted: Sat Mar 30, 2024 4:23 am

figueroa wrote:
If you set -lzma in make.conf you lose a lot of functionality, and it's probably not necessary anyway.

Err, what kind of functionality? I did this earlier this morning.
colo-des
Tux's lil' helper

Joined: 20 May 2011
Posts: 97

PostPosted: Sat Mar 30, 2024 9:02 am

https://www.youtube.com/watch?v=jqjtNDtbDNI
malicious backdoor found in ssh libraries

There are inconsistencies between the GLSA and the package mask:

https://glsa.gentoo.org/glsa/202403-04
https://packages.gentoo.org/packages/app-arch/xz-utils
sdauth
l33t

Joined: 19 Sep 2018
Posts: 659
Location: Ásgarðr

PostPosted: Sat Mar 30, 2024 11:01 am

Is it reasonable to change the kernel compression method too? I use XZ for both kernel & initramfs. Maybe excessive.. what do you think?
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54596
Location: 56N 3W

PostPosted: Sat Mar 30, 2024 11:17 am

sdauth,

It's early days, but an abundance of caution is in order.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
sdauth
l33t

Joined: 19 Sep 2018
Posts: 659
Location: Ásgarðr

PostPosted: Sat Mar 30, 2024 11:30 am

Alright, I'll give a try to zstd then :wink:
colo-des
Tux's lil' helper

Joined: 20 May 2011
Posts: 97

PostPosted: Sat Mar 30, 2024 11:45 am

https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/#comment-6745880
"One of the xz maintainers, [Jia Tan], weighed in on that Gentoo bug, suggesting that it was a GCC bug causing the Valgrind errors."
https://www.youtube.com/watch?v=tHtt57iOjpA
Talking about the xz/liblzma ssh backdoor | ASMR WHISPER

extracted from 5.6.1
Code:
$ ls -l
total 48
-rw-r--r-- 1 my-user my-user   512 mar  9 05:16 bad-3-corrupt_lzma2.xz
-rw-r--r-- 1 my-user my-user  4399 mar  9 05:16 build-to-host.m4
-rw-r--r-- 1 my-user my-user 35421 mar  9 05:16 good-large_compressed.lzma

UD to 5.4.1 from a portage backup so not -sync.
I see that the only unmasked version is 5.4.2
Code:
$ eix -Ic app-arch/xz-utils
[I] app-arch/xz-utils (5.4.1[1]@30/03/24): Utils for managing LZMA compressed files
[1] "repo_local" /usr/local/portage
psycho_driver
n00b

Joined: 03 Feb 2011
Posts: 20

PostPosted: Sat Mar 30, 2024 11:53 am

saturnalia0 wrote:
If I understand it correctly the exploit relies on ifunc. https://sourceware.org/glibc/wiki/GNU_IFUNC


From what I've been reading it's unlikely to be active on Gentoo systems, due to it getting hooked into sshd via systemd-notify support, which is not enabled by default on Gentoo systems. I do not believe there has been a full analysis completed yet on what all the malicious code might be compromising, though.
_________________
Gentoo user since 2001 or 2002? <- Early onset dementia thanks to dementia.
Hu
Administrator

Joined: 06 Mar 2007
Posts: 22754

PostPosted: Sat Mar 30, 2024 3:04 pm

rab0171610 wrote:
I think "would-be detectives" says it all.
Correct. They would be detectives if they could get the relevant data, but since the data is now unavailable, they will not be detectives. Hence, "would-be detectives."
saturnalia0
Apprentice

Joined: 13 Oct 2016
Posts: 159

PostPosted: Sat Mar 30, 2024 3:18 pm

psycho_driver wrote:
saturnalia0 wrote:
If I understand it correctly the exploit relies on ifunc. https://sourceware.org/glibc/wiki/GNU_IFUNC


From what I've been reading it's unlikely to be active on Gentoo systems, due to it getting hooked into sshd via systemd-notify support, which is not enabled by default on Gentoo systems. I do not believe there has been a full analysis completed yet on what all the malicious code might be compromising, though.


Right, this exploit wouldn't, but another one might? My point being, is there a point to ifunc on single-user Gentoo targeting exclusively the host, and where hardware does not change (common desktop use case)? I'm leaning towards -multiarch, not because of this issue in particular, but because it seems like unnecessary attack surface.
flysideways
Guru

Joined: 29 Jan 2005
Posts: 496

PostPosted: Sat Mar 30, 2024 4:17 pm

backdoor in app-arch/xz-utils: informative post on the matter.
user
Apprentice

Joined: 08 Feb 2004
Posts: 212

PostPosted: Sat Mar 30, 2024 4:50 pm

OT: time to look at lzip
All times are GMT
Page 1 of 5