| View previous topic :: View next topic |
| Author |
Message |
pablo_supertux
Advocate
Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)
|
 Posted: Fri Mar 29, 2024 9:16 pm Post subject: The xz package has been backdoored |
 |
|
I was made aware of this: https://archlinux.org/news/the-xz-package-has-been-backdoored/
My system is currently using app-arch/xz-utils-5.6.1 which seems to be affected. I also found this: https://bugs.gentoo.org/928134
Should I downgrade app-arch/xz-utils to 5.4.6-r1?
Its going to be a hop topic for a week or two yet. Stuck by NeddySeagoon
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth! |
|
| Back to top |
|
 |
pablo_supertux
Advocate
Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)
|
|
| Back to top |
|
|
wdsci
Tux's lil' helper
Joined: 02 Oct 2007
Posts: 149
Location: US
|
| Posted: Fri Mar 29, 2024 9:53 pm Post subject: |
|
|
| I'd expect there is or soon will be a GLSA for this, right? That's probably the most visible single communication channel for this kind of thing. |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21642
|
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4166
Location: Bavaria
|
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3140
|
| Posted: Fri Mar 29, 2024 10:43 pm Post subject: |
|
|
Well, that's one rotten take on easter eggs.
_________________
Make Computing Fun Again |
|
| Back to top |
|
|
CaptainBlood
Advocate
Joined: 24 Jan 2010
Posts: 3628
|
| Posted: Sat Mar 30, 2024 1:00 am Post subject: |
|
|
@pablo_supertux
+1
Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here.
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. " |
|
| Back to top |
|
|
saturnalia0
Tux's lil' helper
Joined: 13 Oct 2016
Posts: 136
|
| Posted: Sat Mar 30, 2024 1:23 am Post subject: |
|
|
If I understand it correctly the exploit relies on ifunc. https://sourceware.org/glibc/wiki/GNU_IFUNC
Seems to me like it would make sense to disable that on single-user Gentoo systems with -march=native CFLAG, where the compile target is exclusively the host, for which the code is optimized by the compiler, as instructed by -march.
Reading this thread: https://forums.gentoo.org/viewtopic-t-1088276-start-0.html, it seems that this can be achieved by setting -multiarch on glibc and rebuilding. Hu mentiones some scenarios where it's useful even with -march, but it seems to me the most common scenario where hardware remains the same there is no advantage for runtime optimization with ifunc?
Thinking about adding -multiarch and maybe -lzma to make.conf and rebuilding the world set... Bad idea?  |
|
| Back to top |
|
|
pablo_supertux
Advocate
Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)
|
| Posted: Sat Mar 30, 2024 1:26 am Post subject: |
|
|
Github has disabled the repository, if you go to https://github.com/tukaani-project/xz you get an error message.
I don't know how to feel about this. On one hand, it's good that github take steps to protect the community, but on the other hand it rather "hides the crimes", several site with more information and analysis of this issue have been linking to commit and pull requests from the repo and now they all are gone, you cannot inspect them themselves. Somehow I find even more upsetting and it makes almost impossible to keep investigating the behaviour of the xz-utils maintainer.
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth! |
|
| Back to top |
|
|
saturnalia0
Tux's lil' helper
Joined: 13 Oct 2016
Posts: 136
|
| Posted: Sat Mar 30, 2024 1:45 am Post subject: |
|
|
| My guess would be it is an attempt to prevent inadvertent downloads of the compromised versions, and the people who took action didn't have a better way to do it immediately available to them. But yeah, I don't like it either... |
|
| Back to top |
|
|
rab0171610
Apprentice
Joined: 24 Dec 2022
Posts: 299
|
| Posted: Sat Mar 30, 2024 2:06 am Post subject: |
|
|
https://gist.github.com/thesamesam
There is enough high-level and general technical info in the "FAQ on the xz-utils backdoor". It is not necessary for every person to need access to the commits linked therein. Git Hub made the right decision. It is clearly not a case of hiding the crimes but as saturnalia0 said " is an attempt to prevent inadvertent downloads of the compromised versions." For the average user, not using the compromised version should be sufficient for now. I don't see how preventing access to the compromised code is impeding anything. |
|
| Back to top |
|
|
figueroa
Advocate
Joined: 14 Aug 2005
Posts: 2963
Location: Edge of marsh USA
|
| Posted: Sat Mar 30, 2024 2:42 am Post subject: |
|
|
| saturnalia0 wrote: | ...
Thinking about adding -multiarch and maybe -lzma to make.conf and rebuilding the world set... Bad idea? |
Yeah. -multiarch is only used in glibc so makes more sense to set it /etc/package.use. If you set -lzma in make.conf you loose a lot of functionality, and probably not necessary anyway.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21642
|
| Posted: Sat Mar 30, 2024 3:14 am Post subject: |
|
|
| rab0171610 wrote: | | I don't see how preventing access to the compromised code is impeding anything. |
It impedes would-be detectives from tracing down specifically when bad commits were introduced, from inspecting what supposed justifications were offered for why the actually-bad commits were supposedly good and useful, and, for those who have not already fetched the compromised code, it impedes their ability to unpack it into a sandbox to inspect its abilities. |
|
| Back to top |
|
|
rab0171610
Apprentice
Joined: 24 Dec 2022
Posts: 299
|
| Posted: Sat Mar 30, 2024 3:50 am Post subject: |
|
|
| I think "would-be detectives" says it all. |
|
| Back to top |
|
|
pizza-rat
Tux's lil' helper
Joined: 23 Dec 2022
Posts: 81
|
| Posted: Sat Mar 30, 2024 4:23 am Post subject: |
|
|
| figueroa wrote: | | If you set -lzma in make.conf you loose a lot of functionality, and probably not necessary anyway. |
Err, what kind of functionality? I did this earlier this morning. |
|
| Back to top |
|
|
colo-des
Tux's lil' helper
Joined: 20 May 2011
Posts: 97
|
|
| Back to top |
|
|
sdauth
Guru
Joined: 19 Sep 2018
Posts: 569
Location: Ásgarðr
|
| Posted: Sat Mar 30, 2024 11:01 am Post subject: |
|
|
| Is it reasonable to change kernel compression method too ? I use XZ for both kernel & initramfs. Maybe excessive.. what do you think ? |
|
| Back to top |
|
|
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54266
Location: 56N 3W
|
| Posted: Sat Mar 30, 2024 11:17 am Post subject: |
|
|
sdauth,
Its early days but an abundance of caution is in order.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
| Back to top |
|
|
sdauth
Guru
Joined: 19 Sep 2018
Posts: 569
Location: Ásgarðr
|
| Posted: Sat Mar 30, 2024 11:30 am Post subject: |
|
|
Alright, I'll give a try to zstd then  |
|
| Back to top |
|
|
colo-des
Tux's lil' helper
Joined: 20 May 2011
Posts: 97
|
| Posted: Sat Mar 30, 2024 11:45 am Post subject: |
|
|
https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/#comment-6745880
"One of the xz maintainers, [Jia Tan], weighed in on that Gentoo bug, suggesting that it was a GCC bug causing the Valgrind errors."
https://www.youtube.com/watch?v=tHtt57iOjpA
Talking about the xz/liblzma ssh backdoor | ASMR WHISPER
extracted from 5.6.1
| Code: | $ ls -l
total 48
-rw-r--r-- 1 my-user my-user 512 mar 9 05:16 bad-3-corrupt_lzma2.xz
-rw-r--r-- 1 my-user my-user 4399 mar 9 05:16 build-to-host.m4
-rw-r--r-- 1 my-user my-user 35421 mar 9 05:16 good-large_compressed.lzma |
UD to 5.4.1 from a portage backup so not -sync.
I see that the only unmasked version is 5.4.2
| Code: | $ eix -Ic app-arch/xz-utils
[I] app-arch/xz-utils (5.4.1[1]@30/03/24): Utils for managing LZMA compressed files
[1] "repo_local" /usr/local/portage |
|
|
| Back to top |
|
|
psycho_driver
n00b
Joined: 03 Feb 2011
Posts: 20
|
| Posted: Sat Mar 30, 2024 11:53 am Post subject: |
|
|
From what I've been reading it's unlikely to be active on gentoo systems due to it getting hooked into sshd via systemd-notify support which is not enabled by default for gentoo systems. I do not believe there has been a full analysis completed yet on what all the malicious code might be compromising yet though.
_________________
Gentoo user since 2001 or 2002? <- Early onset dementia thanks to dementia. |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21642
|
| Posted: Sat Mar 30, 2024 3:04 pm Post subject: |
|
|
| rab0171610 wrote: | | I think "would-be detectives" says it all. |
Correct. They would be detectives if they could get the relevant data, but since the data is now unavailable, they will not be detectives. Hence, "would-be detectives." |
|
| Back to top |
|
|
saturnalia0
Tux's lil' helper
Joined: 13 Oct 2016
Posts: 136
|
| Posted: Sat Mar 30, 2024 3:18 pm Post subject: |
|
|
| psycho_driver wrote: |
From what I've been reading it's unlikely to be active on gentoo systems due to it getting hooked into sshd via systemd-notify support which is not enabled by default for gentoo systems. I do not believe there has been a full analysis completed yet on what all the malicious code might be compromising yet though. |
Right, this exploit wouldn't, but another one might? My point being, is there a point to ifunc on single-user Gentoo targeting exclusively the host, and where hardware does not change (common desktop use case)? I'm leaning towards -multiarch, not because of this issue in particular, but because it seems like unnecessary attack surface. |
|
| Back to top |
|
|
flysideways
Guru
Joined: 29 Jan 2005
Posts: 437
|
|
| Back to top |
|
|
user
Apprentice
Joined: 08 Feb 2004
Posts: 202
|
| Posted: Sat Mar 30, 2024 4:50 pm Post subject: |
|
|
| OT: time to look at lzip |
|
| Back to top |
|
|
|
Portage & Programming
