View previous topic :: View next topic |
Author |
Message |
pablo_supertux Advocate
Joined: 25 Jan 2004 Posts: 2946 Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)
|
Posted: Fri Mar 29, 2024 9:16 pm Post subject: The xz package has been backdoored |
|
|
I was made aware of this: https://archlinux.org/news/the-xz-package-has-been-backdoored/
My system is currently using app-arch/xz-utils-5.6.1 which seems to be affected. I also found this: https://bugs.gentoo.org/928134
Should I downgrade app-arch/xz-utils to 5.4.6-r1?
Its going to be a hop topic for a week or two yet. Stuck by NeddySeagoon _________________ A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth! |
|
Back to top |
|
|
pablo_supertux Advocate
Joined: 25 Jan 2004 Posts: 2946 Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)
|
|
Back to top |
|
|
wdsci Tux's lil' helper
Joined: 02 Oct 2007 Posts: 149 Location: US
|
Posted: Fri Mar 29, 2024 9:53 pm Post subject: |
|
|
I'd expect there is or soon will be a GLSA for this, right? That's probably the most visible single communication channel for this kind of thing. |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22696
|
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5127 Location: Bavaria
|
|
Back to top |
|
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3444
|
Posted: Fri Mar 29, 2024 10:43 pm Post subject: |
|
|
Well, that's one rotten take on easter eggs. _________________ Make Computing Fun Again |
|
Back to top |
|
|
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3879
|
Posted: Sat Mar 30, 2024 1:00 am Post subject: |
|
|
@pablo_supertux
+1
Thks 4 ur attention, interest & support. _________________ USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. " |
|
Back to top |
|
|
saturnalia0 Apprentice
Joined: 13 Oct 2016 Posts: 159
|
Posted: Sat Mar 30, 2024 1:23 am Post subject: |
|
|
If I understand it correctly the exploit relies on ifunc. https://sourceware.org/glibc/wiki/GNU_IFUNC
Seems to me like it would make sense to disable that on single-user Gentoo systems with -march=native CFLAG, where the compile target is exclusively the host, for which the code is optimized by the compiler, as instructed by -march.
Reading this thread: https://forums.gentoo.org/viewtopic-t-1088276-start-0.html, it seems that this can be achieved by setting -multiarch on glibc and rebuilding. Hu mentiones some scenarios where it's useful even with -march, but it seems to me the most common scenario where hardware remains the same there is no advantage for runtime optimization with ifunc?
Thinking about adding -multiarch and maybe -lzma to make.conf and rebuilding the world set... Bad idea? |
|
Back to top |
|
|
pablo_supertux Advocate
Joined: 25 Jan 2004 Posts: 2946 Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)
|
Posted: Sat Mar 30, 2024 1:26 am Post subject: |
|
|
Github has disabled the repository, if you go to https://github.com/tukaani-project/xz you get an error message.
I don't know how to feel about this. On one hand, it's good that github take steps to protect the community, but on the other hand it rather "hides the crimes", several site with more information and analysis of this issue have been linking to commit and pull requests from the repo and now they all are gone, you cannot inspect them themselves. Somehow I find even more upsetting and it makes almost impossible to keep investigating the behaviour of the xz-utils maintainer. _________________ A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth! |
|
Back to top |
|
|
saturnalia0 Apprentice
Joined: 13 Oct 2016 Posts: 159
|
Posted: Sat Mar 30, 2024 1:45 am Post subject: |
|
|
My guess would be it is an attempt to prevent inadvertent downloads of the compromised versions, and the people who took action didn't have a better way to do it immediately available to them. But yeah, I don't like it either... |
|
Back to top |
|
|
rab0171610 Guru
Joined: 24 Dec 2022 Posts: 424
|
Posted: Sat Mar 30, 2024 2:06 am Post subject: |
|
|
https://gist.github.com/thesamesam
There is enough high-level and general technical info in the "FAQ on the xz-utils backdoor". It is not necessary for every person to need access to the commits linked therein. Git Hub made the right decision. It is clearly not a case of hiding the crimes but as saturnalia0 said " is an attempt to prevent inadvertent downloads of the compromised versions." For the average user, not using the compromised version should be sufficient for now. I don't see how preventing access to the compromised code is impeding anything. |
|
Back to top |
|
|
figueroa Advocate
Joined: 14 Aug 2005 Posts: 3005 Location: Edge of marsh USA
|
Posted: Sat Mar 30, 2024 2:42 am Post subject: |
|
|
saturnalia0 wrote: | ...
Thinking about adding -multiarch and maybe -lzma to make.conf and rebuilding the world set... Bad idea? |
Yeah. -multiarch is only used in glibc so makes more sense to set it /etc/package.use. If you set -lzma in make.conf you loose a lot of functionality, and probably not necessary anyway. _________________ Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22696
|
Posted: Sat Mar 30, 2024 3:14 am Post subject: |
|
|
rab0171610 wrote: | I don't see how preventing access to the compromised code is impeding anything. | It impedes would-be detectives from tracing down specifically when bad commits were introduced, from inspecting what supposed justifications were offered for why the actually-bad commits were supposedly good and useful, and, for those who have not already fetched the compromised code, it impedes their ability to unpack it into a sandbox to inspect its abilities. |
|
Back to top |
|
|
rab0171610 Guru
Joined: 24 Dec 2022 Posts: 424
|
Posted: Sat Mar 30, 2024 3:50 am Post subject: |
|
|
I think "would-be detectives" says it all. |
|
Back to top |
|
|
pizza-rat Tux's lil' helper
Joined: 23 Dec 2022 Posts: 81
|
Posted: Sat Mar 30, 2024 4:23 am Post subject: |
|
|
figueroa wrote: | If you set -lzma in make.conf you loose a lot of functionality, and probably not necessary anyway. |
Err, what kind of functionality? I did this earlier this morning. |
|
Back to top |
|
|
colo-des Tux's lil' helper
Joined: 20 May 2011 Posts: 97
|
|
Back to top |
|
|
sdauth l33t
Joined: 19 Sep 2018 Posts: 652 Location: Ásgarðr
|
Posted: Sat Mar 30, 2024 11:01 am Post subject: |
|
|
Is it reasonable to change kernel compression method too ? I use XZ for both kernel & initramfs. Maybe excessive.. what do you think ? |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
|
Posted: Sat Mar 30, 2024 11:17 am Post subject: |
|
|
sdauth,
Its early days but an abundance of caution is in order. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
sdauth l33t
Joined: 19 Sep 2018 Posts: 652 Location: Ásgarðr
|
Posted: Sat Mar 30, 2024 11:30 am Post subject: |
|
|
Alright, I'll give a try to zstd then |
|
Back to top |
|
|
colo-des Tux's lil' helper
Joined: 20 May 2011 Posts: 97
|
Posted: Sat Mar 30, 2024 11:45 am Post subject: |
|
|
https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/#comment-6745880
"One of the xz maintainers, [Jia Tan], weighed in on that Gentoo bug, suggesting that it was a GCC bug causing the Valgrind errors."
https://www.youtube.com/watch?v=tHtt57iOjpA
Talking about the xz/liblzma ssh backdoor | ASMR WHISPER
extracted from 5.6.1
Code: | $ ls -l
total 48
-rw-r--r-- 1 my-user my-user 512 mar 9 05:16 bad-3-corrupt_lzma2.xz
-rw-r--r-- 1 my-user my-user 4399 mar 9 05:16 build-to-host.m4
-rw-r--r-- 1 my-user my-user 35421 mar 9 05:16 good-large_compressed.lzma |
UD to 5.4.1 from a portage backup so not -sync.
I see that the only unmasked version is 5.4.2
Code: | $ eix -Ic app-arch/xz-utils
[I] app-arch/xz-utils (5.4.1[1]@30/03/24): Utils for managing LZMA compressed files
[1] "repo_local" /usr/local/portage |
|
|
Back to top |
|
|
psycho_driver n00b
Joined: 03 Feb 2011 Posts: 20
|
Posted: Sat Mar 30, 2024 11:53 am Post subject: |
|
|
From what I've been reading it's unlikely to be active on gentoo systems due to it getting hooked into sshd via systemd-notify support which is not enabled by default for gentoo systems. I do not believe there has been a full analysis completed yet on what all the malicious code might be compromising yet though. _________________ Gentoo user since 2001 or 2002? <- Early onset dementia thanks to dementia. |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22696
|
Posted: Sat Mar 30, 2024 3:04 pm Post subject: |
|
|
rab0171610 wrote: | I think "would-be detectives" says it all. | Correct. They would be detectives if they could get the relevant data, but since the data is now unavailable, they will not be detectives. Hence, "would-be detectives." |
|
Back to top |
|
|
saturnalia0 Apprentice
Joined: 13 Oct 2016 Posts: 159
|
Posted: Sat Mar 30, 2024 3:18 pm Post subject: |
|
|
psycho_driver wrote: |
From what I've been reading it's unlikely to be active on gentoo systems due to it getting hooked into sshd via systemd-notify support which is not enabled by default for gentoo systems. I do not believe there has been a full analysis completed yet on what all the malicious code might be compromising yet though. |
Right, this exploit wouldn't, but another one might? My point being, is there a point to ifunc on single-user Gentoo targeting exclusively the host, and where hardware does not change (common desktop use case)? I'm leaning towards -multiarch, not because of this issue in particular, but because it seems like unnecessary attack surface. |
|
Back to top |
|
|
flysideways Guru
Joined: 29 Jan 2005 Posts: 491
|
|
Back to top |
|
|
user Apprentice
Joined: 08 Feb 2004 Posts: 211
|
Posted: Sat Mar 30, 2024 4:50 pm Post subject: |
|
|
OT: time to look at lzip |
|
Back to top |
|
|
|