>Racism
Isn't it weird that every time someone calls an "inferior race" by its race, it is considered racist? Calling a black person black is considered an insult; it's like they're seeing them as inferior just for being themselves, so they need to act like the "superior race" -> white people, and to be treated like them, to be considered "human"; anything else is an insult. People fighting racism are the most racist people on earth, because to fight racism you acknowledge that there is a difference between races. They treat every "inferior race" like disabled people, and white people as the "complete race without flaws." You don't see "inferior races" being called racist toward the "superior race."
I still think that both of them are morons, it's just stupid how they act ¯_(ツ)_/¯
>UEFA suspends Romanian referee after calling a player "The black one" https://www.aljazeera.com/news/2021/3/9/uefa-suspends-romanian-referee-after-racial-slur-claim
2 months ago
Anonymous
yes, people who complain about racism are usually the most racist people because they subconsciously know that other races are inferior. it's like fatties getting angry when you say something negative about fast food
On a system with ssh patched to support xz, it adds a backdoor to openssh via the xz binaries. It basically affects anything downstream of Debian or Fedora. Afaik the specific method of entering through the backdoor is not published, because thousands of systems will be compromised for quite a while. The developer that added the backdoor has been working on the code base for 2+ years, so older versions may also be compromised in other ways. It was discovered after his update was causing issues with valgrind and making openssh run slower.
>On a system with ssh patched to support xz, it adds a backdoor to openssh via the xz binaries. It basically affects anything downstream of debian or fedora.
Does that affect personal use, or will it be more harmful to enterprises? And why do you think that happened, anon? Is it some China attack or just some idiot?
The current lead dev on this project is Jia Tan, probably chinese.
The message on the security mailing list suggests this was an intentional addition from the maintainer.
https://www.openwall.com/lists/oss-security/2024/03/29/4
>openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
thanks, systemd
>the Git distribution lacks the M4 macro that triggers the build of the malicious code
i wonder how many distros could actually get hit by this, for example gentoo uses the git repo directly.
I'd expect most binary distros to use git directly too in their build scripts?
The script targets deb and rpm, with glibc and systemd.
Arch and Gentoo unaffected.
HOWEVER: This is a supply chain attack.
There could be backdoors directly in the git code. The chain of trust involving Jia Tan is broken.
The whole codebase needs to be audited, and any commit made by Jia or Hans needs to be scrutinized.
>HOWEVER: This is a supply chain attack.
Not just here. People are finding suspicious code in a new "ifunc" feature of glibc added by mysterious contributors that only showed up recently.
tbh I think this is only the tip of the iceberg. There's way more to come.
ifunc is just automatic sse/avx function interpositioning.
2 months ago
Anonymous
that's a use case for it, it's not just that
>GNU indirect function (ifunc) is a mechanism making a direct function call resolve to an implementation picked by a resolver. It is mainly used in glibc but has adoption in FreeBSD.
>For some performance critical functions, e.g. memcpy/memset/strcpy, glibc provides multiple implementations optimized for different architecture levels. The application just uses memcpy(...) which compiles to call memcpy. The linker will create a PLT for memcpy and produce an associated special dynamic relocation referencing the resolver symbol/address. During relocation resolving at runtime, the return value of the resolver will be placed in the GOT entry and the PLT entry will load the address.
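What that quoted mechanism looks like in a few lines of C, as an added example (not code from the thread, from glibc or from xz; the names sum_bytes and resolve_sum_bytes are mine, and it assumes gcc or clang on a glibc/ELF system, with a plain dispatch fallback elsewhere). The resolver is ordinary code that ld.so runs while applying relocations, so two counters record that it ran exactly once and which body it chose:

```c
/* ifunc_demo.c: a GNU indirect function in its smallest form (added example, not from xz or glibc).
 * sum_bytes is the public symbol. The linker emits a special relocation for it, the dynamic loader
 * calls resolve_sum_bytes() while processing relocations (normally before main() runs), and the
 * returned address goes into the GOT, so every call of sum_bytes lands on the chosen body. */
#include <stdint.h>   /* also pulls in features.h, which defines __GLIBC__ on glibc systems */
#include <stddef.h>
#include <stdio.h>

typedef uint32_t (*sum_fn)(const uint8_t *, size_t);

/* Observable side effects of the resolver; plain ints, so touching them needs no relocation. */
static int resolver_calls = 0;   /* how many times the resolver ran (expect exactly 1) */
static int chosen_impl_id = 0;   /* 0 = not yet resolved, 1 = generic, 2 = unrolled */

static uint32_t sum_generic(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

/* Same ABI, a 4-way unrolled variant standing in for an SSE/AVX build; callers cannot tell. */
static uint32_t sum_unrolled(const uint8_t *p, size_t n) {
    uint32_t a = 0, b = 0, c = 0, d = 0;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) { a += p[i]; b += p[i + 1]; c += p[i + 2]; d += p[i + 3]; }
    for (; i < n; i++) a += p[i];
    return a + b + c + d;
}

#if defined(__ELF__) && defined(__GLIBC__) && (defined(__GNUC__) || defined(__clang__))
/* The resolver: ordinary C executed by ld.so with the process's privileges, at a point where
 * other shared objects may not be relocated yet. It must therefore be self-contained: no
 * malloc, no printf, no call into another library, nothing but the dispatch decision. */
static sum_fn resolve_sum_bytes(void) {
    resolver_calls++;
#if defined(__x86_64__) || defined(__i386__)
    __builtin_cpu_init();                    /* constructors have not run yet; GCC requires this */
    if (__builtin_cpu_supports("sse2")) {
        chosen_impl_id = 2;
        return sum_unrolled;
    }
#endif
    chosen_impl_id = 1;
    return sum_generic;
}
uint32_t sum_bytes(const uint8_t *p, size_t n) __attribute__((ifunc("resolve_sum_bytes")));
#else
/* No ifunc (non-ELF or non-glibc toolchain): dispatch by hand on the first call instead. */
uint32_t sum_bytes(const uint8_t *p, size_t n) {
    static sum_fn impl;
    if (impl == NULL) { impl = sum_unrolled; chosen_impl_id = 2; resolver_calls++; }
    return impl(p, n);
}
#endif

int main(void) {
    static const uint8_t sample[] = "abc";   /* constructed input: 97 + 98 + 99 = 294 */
    uint32_t s = sum_bytes(sample, 3);
    printf("sum=%u resolver_calls=%d impl=%s\n", s, resolver_calls,
           chosen_impl_id == 2 ? "unrolled" : "generic");
    return s == 294 ? 0 : 1;
}
```

Compile with `cc ifunc_demo.c -o ifunc_demo` and run it. The `resolver_calls=1` in the output is the part that matters for this thread: whatever sits inside a resolver executes with the process's privileges before main() and before other libraries are guaranteed usable, which is why a resolver should contain nothing but the dispatch decision, and why one that does more deserves a close look.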
IMO this is a sign that not only should builds all be sandboxed, offline, and reproducible, but also the binaries should have strict omnidirectional access control. OpenSSH should ONLY EVER use the libraries it was compiled with, which are in a read-only store that is invalidated if its hash changes. It wouldn't help Debian and Red Hat, since they are the ones applying the patches that allow the vulnerability. But in general, it would make it hard for exploits to target more than one very specific combination of distro + binary versions. For something like ssh, we also shouldn't need someone debugging performance to know something fricked up is happening. Testing should have been more vigorous, especially for ssh, and should have failed somewhere, blocking this version without a packager rewriting a test.
>IMO this is a sign that not only should builds all be sandboxed
This is a social problem not a technical problem. Please either stop being moronic or stop posting.
2 months ago
Anonymous
>bad engineering is a social problem
somewhat true
>unreleased beta software
It's from an officially released version though? The past 2 versions in fact at the very least. It's mostly affecting debian testing/unstable users but if debian's stable release cycle happened to be right now then it would have been present in stable as well.
Testing is frozen for a couple of months before it turns into Stable. I don't know the packaging policies by heart but a new release might not have made it into Stable in this timeframe no matter how it lines up
(5.6.0 was released one month ago)
It would definitely have entered debian stable if the backdoor wasn't found. The fact that the package was already in testing proves this. Debian doesn't hold packages back based on age, it's only a matter of whether or not it managed to enter testing before the last freeze.
>some discussion:
>Ubuntu still ships 5.4.5 on 24.03 (atm).
>I did a quick diff of the source (.orig file from packages.ubuntu.com) and the content mostly matched the 5.4.5 github tag except for Changelog and some translation files. It does match the tarball content, though.
>So for 5.4.5 the tagged release and download on github differ.
>It does change format strings, e.g.
>[...]
>There is no second argument to that printf for example. I think there is at least a format string injection in the older tarballs.
So everyone updates immediately...and they're probably still compromised.
how would updooting **now** help if all their packages are built with xz ? it's not like all the shit you have is already rebuilt even if some is accidentally
It's better to have open-source code that anyone (good or evil) can contribute to, and that can be revised by **YOU**, than closed-source software that can't be revised and is maintained by "evil" people. This "problem" is why I use FOSS in the first place: even if something bad happens, it will get discovered, because having a backdoor in your system isn't a normal thing in the FOSS community, the opposite of closed-source compromised software, where you can be sure they are spying on you and have installed multiple backdoors so glowBlack folk can see you jerk off to e-girl porn, homosexual. And that is the normal.
Why do you proprietrannies make everything about open source?
You think supply chain attacks are impossible if the source is closed? Stupid troony.
>AnYoNe CaN CoNtRiBuTe To ThE CoDeBaSe aNd tHiS iS a gOoD tHiNg
it is
accepting any moron's contribution isn't
>wat is security by obscurity
also security holes in linux go undiscovered for years because no real programmers look at or give a shit about the code. linux is just a learning ground/hobby project for fat moronic manchildren
https://sourceware.org/glibc/wiki/GNU_IFUNC
I never knew about this until today. Why is there a GNU extension for indirect function calls, and why would anyone use it and lose portability? It sounds like another mess of preprocessor macros just to use an unnecessary feature.
Time to recompile everything with ifunc blocked and see what happens.
Meanwhile linux packet filtering is being exploited just like we said it would be.
it's been a thing for a long time
it's the same infrastructure involved in architecture specific function dispatch
also every relevant compiler (i.e. clang) supports it
Never EVER let a person with Chinese-sounding name become a maintainer in an important project like this. How many fricking times do people have to get burned until they learn? It's not racism, it's common fricking sense.
No thanks, I want to keep contributing shit pseudonymously. Policing people just burns out legit contributors. Big Corp should run more independent reviews instead.
One man hobbyist projects can provide software as-is, it's the companies job to make sure that they get what they want.
If you're running a spice import company sourcing curry from India you need to check it for lead and other toxins. Or are you going to trust the pajeets? Same with the shit you download from github.
Although only the last 2 releases are known to be malware, the author of the malware has been the project maintainer for 2 years. Unless you're running debian oldstable, I wouldn't say you're safe either.
>the resulting malicious build interferes with authentication in sshd via systemd
I told you about the systemd being potential glowBlack person backdoor. I told you and you all laughed.
>The malicious code path does not exist in the arch version of sshd, as it does not link to liblzma.
>However, out of an abundance of caution, we advise users to avoid the vulnerable code in their system as it is possible it could be triggered from other, un-identified vectors.
Tell me in turn how I can see what links to it; my system shouldn't be affected for multiple reasons, but I want to understand the extent it could have had.
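One way to answer that question without executing the binary, as an added example (not from the thread or from any distro's tooling): parse the ELF program headers and list the DT_NEEDED entries, which is the data `readelf -d` and `ldd` display. It reports direct dependencies only, so on a patched sshd you would see libsystemd.so.0 and then have to run it again on that library to find liblzma.so.5. The built-in sample ELF and its three library names are constructed for the demo, and little-endian ELF64 is assumed:

```c
/* needed.c: list what an ELF64 binary declares it needs (its DT_NEEDED entries), the data that
 * readelf -d and ldd show, by parsing the headers instead of running the dynamic loader. Added
 * example, not from the thread or any distro tool. Direct dependencies only, so follow the chain
 * by hand: ./needed /usr/sbin/sshd libsystemd.so, then ./needed <libsystemd.so.0 path> liblzma.so */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Translate a virtual address into a file offset through the PT_LOAD segments (-1 if unmapped). */
static long vaddr_to_off(const uint8_t *img, const Elf64_Ehdr *eh, uint64_t va) {
    for (int i = 0; i < eh->e_phnum; i++) {
        Elf64_Phdr ph; memcpy(&ph, img + eh->e_phoff + (size_t)i * eh->e_phentsize, sizeof ph);
        if (ph.p_type == PT_LOAD && va >= ph.p_vaddr && va < ph.p_vaddr + ph.p_filesz)
            return (long)(va - ph.p_vaddr + ph.p_offset);
    }
    return -1;
}

/* Fill out[] with pointers (into img) to the DT_NEEDED names. Returns the number of entries
 * (may exceed max), 0 for a static binary without PT_DYNAMIC, -1 for malformed input. */
int elf64_needed(const uint8_t *img, size_t len, const char **out, int max) {
    Elf64_Ehdr eh; if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB || eh.e_phentsize < sizeof(Elf64_Phdr)) return -1;
    if (eh.e_phoff > len || (uint64_t)eh.e_phnum * eh.e_phentsize > len - eh.e_phoff) return -1;
    uint64_t dyn_off = 0, dyn_sz = 0, strtab_va = 0, strsz = 0, need[64]; int n = 0;
    for (int i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph; memcpy(&ph, img + eh.e_phoff + (size_t)i * eh.e_phentsize, sizeof ph);
        if (ph.p_type == PT_DYNAMIC) { dyn_off = ph.p_offset; dyn_sz = ph.p_filesz; }
    }
    if (dyn_sz == 0) return 0;                     /* no .dynamic: static binary, needs nothing */
    if (dyn_off > len || dyn_sz > len - dyn_off) return -1;
    for (uint64_t o = 0; o + sizeof(Elf64_Dyn) <= dyn_sz; o += sizeof(Elf64_Dyn)) {
        Elf64_Dyn d; memcpy(&d, img + dyn_off + o, sizeof d);
        if (d.d_tag == DT_NULL) break;
        if (d.d_tag == DT_STRTAB) strtab_va = d.d_un.d_ptr;        /* .dynstr, as a vaddr */
        else if (d.d_tag == DT_STRSZ) strsz = d.d_un.d_val;
        else if (d.d_tag == DT_NEEDED) { if (n < 64) need[n] = d.d_un.d_val; n++; }
    }
    long str_off = vaddr_to_off(img, &eh, strtab_va);
    if (str_off < 0 || (uint64_t)str_off > len || strsz > len - (uint64_t)str_off) return -1;
    for (int i = 0; i < n && i < 64; i++) {                        /* resolve offsets to names */
        if (need[i] >= strsz || memchr(img + str_off + need[i], 0, strsz - need[i]) == NULL) return -1;
        if (i < max) out[i] = (const char *)img + str_off + need[i];
    }
    return n;
}

/* 1 if some NEEDED name starts with prefix (e.g. "liblzma.so"), 0 if none, -1 on bad input. */
int image_links_to(const uint8_t *img, size_t len, const char *prefix) {
    const char *names[64];
    int n = elf64_needed(img, len, names, 64);
    if (n < 0) return -1;
    for (int i = 0; i < n && i < 64; i++)
        if (strncmp(names[i], prefix, strlen(prefix)) == 0) return 1;
    return 0;
}

/* Constructed sample, not a real binary: a 312-byte ELF64 naming three libraries, mapped at
 * 0x400000 so the vaddr-to-offset translation is exercised (ehdr 0, phdrs 64, .dynstr 176, .dynamic 216). */
size_t build_sample_elf(uint8_t *buf, size_t cap) {
    static const char strs[] = "\0libsystemd.so.0\0liblzma.so.5\0libc.so.6";   /* 40 bytes */
    const uint64_t base = 0x400000, str_off = 176, dyn_off = 216, total = 312;
    if (cap < total) return 0;
    memset(buf, 0, total);
    Elf64_Ehdr eh = {0}; memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB; eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_DYN; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT; eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 2;
    Elf64_Phdr ph[2] = {
        { .p_type = PT_LOAD, .p_flags = PF_R, .p_vaddr = base, .p_filesz = total, .p_memsz = total, .p_align = 0x1000 },
        { .p_type = PT_DYNAMIC, .p_flags = PF_R, .p_offset = dyn_off, .p_vaddr = base + dyn_off,
          .p_filesz = 96, .p_memsz = 96, .p_align = 8 } };
    Elf64_Dyn dyn[6] = { { DT_NEEDED, { 1 } }, { DT_NEEDED, { 17 } }, { DT_NEEDED, { 30 } },
                         { DT_STRTAB, { base + str_off } }, { DT_STRSZ, { sizeof strs } }, { DT_NULL, { 0 } } };
    memcpy(buf, &eh, sizeof eh); memcpy(buf + eh.e_phoff, ph, sizeof ph);
    memcpy(buf + str_off, strs, sizeof strs); memcpy(buf + dyn_off, dyn, sizeof dyn);
    return total;
}
int sample_needed_count(void) { uint8_t b[512]; const char *nm[8]; return elf64_needed(b, build_sample_elf(b, sizeof b), nm, 8); }
int sample_links_to(const char *p) { uint8_t b[512]; return image_links_to(b, build_sample_elf(b, sizeof b), p); }

/* The same check on a file from disk, e.g. /usr/sbin/sshd; 1 = needs it, 0 = does not, -1 = unreadable. */
int file_links_to(const char *path, const char *prefix) {
    FILE *f = fopen(path, "rb"); if (f == NULL) return -1;
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    uint8_t *img = sz > 0 ? malloc((size_t)sz) : NULL;
    int r = (img && fread(img, 1, (size_t)sz, f) == (size_t)sz) ? image_links_to(img, (size_t)sz, prefix) : -1;
    free(img); fclose(f); return r;
}

int main(int argc, char **argv) {                         /* usage: needed <elf file> <soname prefix> */
    if (argc == 3) { int r = file_links_to(argv[1], argv[2]); printf("%s: %d\n", argv[1], r); return r == 1 ? 0 : 1; }
    uint8_t buf[512]; const char *names[8];
    int n = elf64_needed(buf, build_sample_elf(buf, sizeof buf), names, 8);
    for (int i = 0; i < n; i++) printf("NEEDED %s\n", names[i]);     /* sample: three lines */
    return 0;
}
```

Compile with `cc needed.c -o needed`. Without arguments it parses the constructed sample and prints its three NEEDED lines; with a file and a prefix it exits 0 when the file declares that dependency. Two limits are worth knowing: it sees only what the loader pulls in at startup, not anything dlopen()ed later, and a transitive dependency such as sshd -> libsystemd -> liblzma only shows up by running it on each link in turn (`ldd` follows the chain for you, but does so by invoking the dynamic loader on the binary, which is exactly what you may not want to do with a suspect one).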
>I don't think using Rust would have saved anybody here. The attack is a level deeper than what the compiler controls. Exploits like this can happen to a Rust project too.
was he wrong?
Nothing in the language itself would have helped.
But this is an autogenerated autotools file that nobody wants to read but is still checked into source control for reasons. Rust doesn't need that so there are fewer places to hide this.
crev (distributed manual code review) could also conceivably have caught this but it isn't very popular so eh.
Check back in five years and maybe they'll have implemented build script sandboxing. They bring it up every now and then.
Most of the malicious code was hidden in the tests files.
The autotools stuff was just the thing that pulled the trigger.
Test driven development is a mistake.
2 months ago
Anonymous
Maybe we can ditch testing and start using proof oriented languages in 20 years when AI is good enough to autogenerate proofs for common algorithms.
2 months ago
Anonymous
AI helping review PRs might actually be a good use for the technology.
2 months ago
Anonymous
Chatbot reviews will be the most infuriating shit.
https://github.com/getgrit/gritql/pull/85#discussion_r1541059034
2 months ago
Anonymous
Only shifts the problem. "AI" is already being jailbroken (read: exploited) like nothing; figuring out how to obfuscate for AI is all it takes for overconfident morons to then accept anything that gets a "100% safu" ChatGPT seal of approval. Would probably make things even worse.
2 months ago
Anonymous
>AI helping review PRs might actually be a good use for the technology.
AI will confidently give you incorrect proofs, and confidently tell you everything is safe go back to sleep.
2 months ago
Anonymous
Proof oriented languages have a verified proof checker, moron.
I was wondering if microsoft adds backdoor to github's binaries since they own github now but I guess they don't have to when the chinese will do it for free.
>Affected Systems
>These conditions include targeting only x86-64 linux
>Building with gcc and the gnu linker
>Running as part of a debian or RPM package build
>it is likely the backdoor can only work on glibc based systems.
>openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
>Jia Tan is still there
seriously, they missed this obvious line? wow, archies are dumber than i thought. someone oughta send Tan an email letting him know he still has the power to compromise every arch box online before the archies find out, it would be hella funny to finally see their meme distro kick the bucket
Yes. In fact, Arch now seems like a better target for this type of attack, because updoot == don't have to beg package maintainers to push your backdoor.
Artix having multiple options for init systems makes it a much harder target at the init system level.
isn't part of the problem dumbass maintainers patching openssh? it actually makes the openbsd people mad when people do this because it always ends up causing problems like this.
>I am a professional software developer being paid cash money to keep bad code out of the codebase >I have not read a pull request before approving it in years >Foss devs read and scrutinize pull requests FOR FREE though
We need to stop believing this. We need a version of contributing code that admits reviewing code is miserable and humans won't do it to the extent they can get away with it
Yes but state-sponsored actors operating from within the timezone of that state? That would be an insane rookie mistake I refuse to believe a state as powerful as China would make. Also putting literal Chinese text into your suspicious files and using the chinkiest name one can fathom while also communicating and contributing in English.
Way more likely someone knows exactly that everyone will gobble the chong flavored red herrings up. Bless /ourtism/ regardless though.
>isn't part of the problem dumbass maintainers patching openssh? it actually makes the openbsd people mad when people do this because it always ends up causing problems like this.
Yes. That's part of the reason Arch isn't affected, other part is that the backdoor itself deliberately only targeted rpm and deb via a check when built on those systems from the release tarball.
2 months ago
Anonymous
almost like they knew that debian maintainers always molest packages
2 months ago
Anonymous
I mean yeah. If you want to break into a shed window there's no point practicing on a house door
>Yes but state-sponsored actors operating from within the timezone of that state? That would be an insane rookie mistake I refuse to believe a state as powerful as China would make. Also putting literal Chinese text into your suspicious files and using the chinkiest name one can fathom while also communicating and contributing in English.
>Way more likely someone knows exactly that everyone will gobble the chong flavored red herrings up. Bless /ourtism/ regardless though.
>[...]
>Yes. That's part of the reason Arch isn't affected, other part is that the backdoor itself deliberately only targeted rpm and deb via a check when built on those systems from the release tarball.
All Chinese and Israeli open source contributions should be audited.
2 months ago
Anonymous
>All [...] open source contributions should be audited.
FTFY. Yes, that's the point Anon.
2 months ago
Anonymous
Yes but Chinese and Israeli contributions should be prioritized.
2 months ago
Anonymous
>only post UTC >call fake account Filfrelm Eurobble
System: beaten
They also have international students wandering into offices at Berkeley and scanning everything they can
This is example number 1,000 of American institutions trying to treat China and Chinese citizens as normal individuals from another, normal country and getting owned
I have no idea how things will change. You saw that guy get 100 downboats for using a bad word for Chinese. Our suicidal society is allergic to thinking about this kind of thing or preventing it. We're lucky this Chinese citizen contributed to FOSS instead of just getting a job at Microsoft and backdooring W11 >tldr glory to the ccp
there was/used to be a phd student in ee at berkeley who had the equivalent of "glory to the ccp" as part of his personal homepage. No idea why we invite them by the boatload and teach them EE.
Well it's not like their existence in academia matters much anyhow, nothing cutting edge has come out of there in the past two decades. But if they're in universities they're obviously in every company as well. And yet somehow despite explicit attacks like operation aurora companies go and open up branches in china. Really, china knows that the west's biggest weakness is the thirst for money, and they'll throw everything under the bus chasing profits.
Look closer and it's written on the wall
Qin Xianglian sued the dynasty when she was thirty-two years old
Consort Ma Lang deceived the king and concealed it from the emperor
The regretful man recruits the east bed
What the frick were you thinking anon? Yes, it's fricked. Official recommendation from the openSUSE team is to wipe that puppy clean and change all your credentials. Next time keep it behind a VPN.
Not much you can do at this point, but detection tools are probably on the way within the week (assuming it was exploited in the wild). Also, make sure you actually had one of the bad releases on your system. If you're not super religious about updating you may have avoided it.
2 months ago
Anonymous
nah, i have the thing. i fear leaking passwords and stuff. checked the atimes of some files and didn't find anything.
2 months ago
Anonymous
I know the thing you're talking about. detect.sh isn't enough in this case, all it tells you is if you're vulnerable. If it told you that you're vulnerable, either nuke the system and change your passwords, or wait until more comprehensive detection tools release.
Realistically, where is the fault here? You can't expect the upstream devs to check on one another, because competency can vary and you have no guarantee that there aren't multiple bad actors on the maintainer team. You can't expect downstream repository maintainers to check every possible build permutation for potentially obfuscated code hiding in there. You can't expect code to not have dependencies on other libraries.
So what's the solution? Run-time modification of symbols and whatever else is fairly frequently used, but is it worth kernel-mandated logging so that end users can notice it faster? Is there a security-related piece of kernel-level design that should be rethought? Where is the weak point that vulnerabilities like this should be targeted at?
You're right, that's the low-hanging fruit to take away. Trusting the upstream packages was a surprisingly naive move, and I wonder if the costs of avoiding them was really so significant to have created this situation.
But I am not sure if avoiding that would permanently solve the issue. Would this have been found any faster if the malicious binary file was visible in the repo? I am not sure if people would have noticed it and become suspicious.
It's pretty much guaranteed it'd be noticed sooner. If it's in the source tree it's not going to take long for someone to notice the code doing odd shit. The commits that added the back door were nondescript archive files ostensibly intended for testing. Nobody looks at binary files used for testing very often.
The actual execution was implemented only in the release tarball. If it'd been committed to the main repo there'd be a far higher chance of it being caught.
Think this will stop the snap/flatpak "one true build" bullshit? Because i have a feeling we'll get just the opposite
2 months ago
Anonymous
I'm not sure what, exactly, you're referring to
They used an m4 macro to pull code into the binary at build time. That part is pretty irrelevant because if m4 wasn't used they'd just obfuscate it a different way. The crux of it is that they modified openssh behavior by abusing the fact that moron distros patch it to require systemd which then requires xz.
The crux is deeper than that though, because openssh is just as interchangeable as m4. If they couldn't backdoor via xz -> openssh they'd have used Y -> Z with some other packages. At the most this is a fundamental issue with the nature of dependencies in the current Linux kernel. If not going that far, it's an issue with blindly trusting package tarball contents instead of some sort of third-party verified contents.
By which I mean, git* could run the builds, and anyone could audit the files/hashes used in the build and wrapped in the tarball, to verify that they match what's in the repo. Really, pulling down a package from upstream like this should automate that, like checking a repo hash against the hash in the architecture-appropriate build report and then alerting the distro maintainer if there's ever a mismatch.
To Updoot or Downdoot
I had really thought the updooter was purely a meme character until I saw that post
2 months ago
Anonymous
This also somewhat relied on autotools being a giant piece of shit. It is normal for release tarballs from autotools projects to be different/modified from the actual committed tag because of how the build system works. So a simple hash check wouldn't have happened in this case because a mismatch is expected. Other build systems don't have this problem of course.
2 months ago
Anonymous
>happened
helped*
2 months ago
Anonymous
Most distros were already checking hashes and signatures.
That's the problem.
It's a supply chain attack.
There is no way to mitigate this unless you manually audit every diff.
The solution to this problem is called: https://suckless.org/
Didn't the affected tarballs contain entire binaries and autotool scripts not even found in the repo in the first place? That seems more significant than "expected variation".
>suckless
They're still getting their C compiler, OS tools, kernel, and whatever else from the supply side, aren't they?
2 months ago
Anonymous
>contain entire binaries
No. The test binaries were in the original repo.
>autotool scripts
It was literally a one line difference.
2 months ago
Anonymous
The malicious binaries were in the test/ directory of the git repo, disguised as corrupted archives for testing
2 months ago
Anonymous
>Most distros were already checking hashes and signatures.
>That's the problem.
>It's a supply chain attack.
>There is no way to mitigate this unless you manually audit every diff.
>The solution to this problem is called: https://suckless.org/
IMO upstream devs ARE AT FAULT. but there is no way to check for all the cases and all the patches.
IMO devs IN GENERAL should simplify their processes and, most importantly, THEIR TOOLS.
this is why I like Go: there is no need for external tools or too many files, and you are forced to write code in a very clear and concise way
Kinda sad they didn't even get him with "here's your cute co-maintainer fresh from China, she plays the piano and likes fat emotional pieces of shit"
All it took was him collapsing on his own and handing off the repo without much scrutiny
>on his own
We don't know what intelligence agencies may do against people in their private lives. The "gangstalking" people feel a bit like poisoning the well to me.
we also don't know if this guy got paid to give control of the project, and if the "chinese" guy is actually chinese or someone working for the NSA or some other intelligence agency.
>Kinda sad they didn't even get him with "here's your cute co-maintainer fresh from China, she plays the piano and likes fat emotional pieces of shit"
>All it took was him collapsing on his own and handing off the repo without much scrutiny
>>on his own
>We don't know what intelligence agencies may do against people in their private lives. The "gangstalking" people feel a bit like poisoning the well to me.
2 months ago
Anonymous
I'd read your thriller Anon. In this particular case though dangling a reward would likely be cheaper and easier than manufacturing a mental illness. But he gave the keys to the kingdom away for free regardless so why bother.
2 months ago
Anonymous
>The "gangstalking" people feel a bit like poisoning the well to me.
The gangstalking people are suffering from paranoid schizophrenia.
2 months ago
Anonymous
gangstalking is literally just schizos
it's never once been real, that's not how three letters work
they don't need to send people to you house
except this one guy in LA who had some beef with the LAPD/a government agency and they killed him
i think he was still a schizo though
>maintain some critical piece of infra for years for free >get busy and a bit burned out >take a break >cutie chinese gf shows up out of nowhere and offers to maintain your software if you just let her sniff your bwc
frick this is scary
the whole thing was premeditated and they didn't mind it taking several years
there's no doubt this is a state action but probably will never know
doesn't google use debian testing but with their own spin and testing suite? i'd be incredibly interested to see what they think about this and how they're handling it
When Microsoft controls the update server, they can push compromised updates to select users. Why bother implementing a backdoor for everyone only to make it more likely to be discovered.
>Vulnerabilty hidden in M4 macro
No shit, there's no one alive that knows how to use or read that shit. Every codebase with M4 macros becomes spaghetti real fast
https://www.openwall.com/lists/oss-security/2024/03/29/4
>Download attachment "liblzma_la-crc64-fast.o.gz" of type "application/gzip" (36487 bytes)
an anon said it's 10k lines of assembly
considering it's been around 12h since the original announcement, it's only a single hooked function and nobody has properly reversed the payload yet other than "it seems to allow authentication bypass somehow", it seems to be quite advanced
>openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
once again, systemd is the loser of the show
>They used an m4 macro to pull code into the binary at build time. That part is pretty irrelevant because if m4 wasn't used they'd just obfuscate it a different way. The crux of it is that they modified openssh behavior by abusing the fact that moron distros patch it to require systemd which then requires xz.
So how exactly does malicious code in a compression library bypass my router and get to my non-existent ssh server?
Nothingburger techlets not like this...
>I'm afraid it's a lot more sinister than that. This exploit code has been gradually introduced and refined in the repository over the course of at least a year.
stable bros...
So how at risk is the average linux user, assuming they had this version of the package at some point? Is the average moron that just uses linux on their laptop to browse the web affected, or is it only people running servers? Yeah, I'm dumb which is why I'm asking.
it's perfectly okay to be racist against mainland Chinese
why would anyone ever defend mainland china
you realize the only way this ends is literally genocide
like we're going to have to kill them all or humanity is doomed
It's okay to be racist against russians. Unfortunately this time it had to be a heccin good boi chinkerino who probably just accidentally included a few symbols that made it look like a backdoor.
When a PR is opened that originates from an IP located in China, autoclose it.
2 months ago
Anonymous
yea and?
literally ban chinese people and audit every single author to make sure they aren't from mainland china or descended from mainland chinese
taiwanese might be okay but they should be
this is a matter of geopolitics
Why shouldn't USians be banned from open source projects?
2 months ago
Anonymous
No you should ban us too. We're all glowBlack folk.
>yea and?
>literally ban chinese people and audit every single author to make sure they aren't from mainland china or descended from mainland chinese
>taiwanese might be okay but they should be
>this is a matter of geopolitics
All commits need to be linked to a real personal identity. No making sockpuppet accounts to create commits; you need to be a real, actual human being.
Distributing closed-source software should only be done through highly trusted channels which build from source. Building from source should be the default.
Highly critical pieces of infrastructure should receive government funding and maintainers should receive state appointed GFs and other mental health aids.
you morons arguing "muh closed source this!" and "muh open source that!"
Black folk, it's all fricked. at least open source gives you a chance to do something about it
Man, it must suck to work years for this one backdoor that gets immediately patched because some autist couldn't help but notice sshd authentication taking a fraction of a second longer than usual on their system.
can we get official sources on who and who found out about the backdoor? supposedly it was only freund, yet anons say that a security specialist already called it out by then
Debian and Slackware do it right.
All Linux systems should be running upstream code that is AT LEAST two years old when installed.
This is only a problem if you have a system with a version of xz that is like 2 months old, which is way way too new to be running on anything. Code is like a fine Port, you need to let it age first before popping the cork.
not updating
debian stable doesn't have this problem
I knew downgrading was the right move. Never doing bleeding edge rolling release ever again, Stable for life.
Remember, when using stable, don't update immediately. Give it a few weeks each time
I don't even know what XY is and I've been using linux for over 15 years. Literally a nothingburger.
Ricing Arch desktops is not "using Linux."
>Does symbolic link mean infected?
Sorry to destroy your delusions but I run a small enterprise using only linux. I earn more than your entire family.
I lead five Fortune 500 companies and routinely receive 7-figure donations from dozens of government agencies throughout the world, so...
that's exactly why it makes a perfect target
unknown to most but exists in pretty much every system
Lolno. Any secure system won't have a dozen different compression libraries.
Hahha updooters get fricked.
>let's allow any random fricker to make changes to our codebase. What could possible go wrong?
Lmao freetards get fricked again. When will they ever learn?
>any random fricker
The strawman doesn't work as you intended. How do you come up with such pathetic bait?
by having a job in the pipeline that checks for shit like this. freecucks are moronic
ms fired their testers before w10
If it's a strawman then why did it happen 1:1?
so you know the name of the person who dun did it?
>Chink
As expected. Every single large OSS project has probably been compromised at this point.
There's also a "Hans" that was pushing for the malicious change to be included. Despite being maintainers of important open source software, they use [email protected] mail addresses. Spoiler: None of these people exist.
>Chink
It's glowies you idiot
Which distro is 100% made in America?
I'd expect Alpine is, if not entirely White very close, but the incompatibility with GNU user space can be a real b***h sometimes.
Unironically TempleOS, and it's very likely to be the only one.
The more appropriate term is "Oriental"
Sorry.
>Commit history shows timezone to be oriental, so likely a sliteyed dogmunching pandafellating chink.
H*ck yeah fellow patriots. Let's all use NSASpywareOS where there is no place for foreign interests, only the interests of patriots like YOU.
Q
Who said anything about liking Americans.
If you're not american then you should fear foreign american agencies as much as foreign chinese agencies
Fear is a strong word because I am beneath their notice. I strongly dislike both of them and a whole bunch more though!
Ah, Github drama. The best kind of drama.
It's anyone's chance to add it!
https://github.com/neodrama/github-drama
Fat guy can't be calling anyone names.
Ok, racism... Not cool. There's literally nothing wrong with letting completely anonymous chinese accounts maintain widely used packages
Remember kids: Racism saves lives. Don't let your guard down, be racist.
>Don't let your guard down, be racist.
way ahead of you mate
Racism should be an essential part of any threat model using layered security.
That's a good point. Good security isn't about any single layer but defense in depth and racism adds just a little more depth.
>Racism
Isn't it weird that every time someone calls an "inferior race" by its race, it is considered racist? Calling a black person black is considered an insult; it's like they're seen as inferior just by being themselves, so they need to act like the "superior race" -> white people and be treated like them to be considered "human", and anything else is an insult. People fighting racism are the most racist people on earth because to fight racism, you acknowledge that there is a difference between races. They treat every "inferior race" as disabled people, and white people as the "Complete race without flaws." You don't see "inferior races" being called racist toward the "superior race."
I still think that both of them are morons, it's just stupid how they act ¯_(ツ)_/¯
>UEFA suspends Romanian referee after calling a player "The black one" https://www.aljazeera.com/news/2021/3/9/uefa-suspends-romanian-referee-after-racial-slur-claim
yes, people who complain about racism are usually the most racist people because they subconsciously know that other races are inferior. it's like fatties getting angry when you say something negative about fast food
i'm going to be racist as frick if it means even slightly lower chances of contracting an ssh backdoor on my system
CHINKS DON'T BELONG IN OPEN SOURCE
#ChinkBackdoor
>didn't even edit the image
#ChinaVirus
link?
my fricking sides
github was a mistake
>Fedora 41 is scheduled to release in late October
nothingburger
FUD article
it's still unclear what it does
On a system with ssh patched to support xz, it adds a backdoor to openssh via the xz binaries. It basically affects anything downstream of debian or fedora. Afaik the specific method of entering thru the backdoor is not published, because thousands of systems will be compromised for quite a while. The developer that added the backdoor has been working on the code base for 2+ years so older versions may also be compromised in other ways. It was discovered after his update was causing issues with valgrind and making openssh run slower.
>adds a backdoor to openssh via the xz binaries
meaning? let me guess.
>durr
see?
> JUST POST THE EXE SIR PLEASE!!!!
>On a system with ssh patched to support xz, it adds a backdoor to openssh via the xz binaries. It basically affects anything downstream of debian or fedora.
Does that affect personal use, or will it be more harmful to enterprises? And why do you think that happened, anon? Is it some China attack or is it just some idiot?
>it's still unclear what it does
See
https://www.openwall.com/lists/oss-security/2024/03/29/4
The current lead dev on this project is Jia Tan, probably chinese.
The message on the security mailing list suggests this was an intentional addition from the maintainer.
https://www.openwall.com/lists/oss-security/2024/03/29/4
>openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
thanks, systemd
>systemd having a huge codebase doesn't affect yo-
>the Git distribution lacks the M4 macro that triggers the build of the malicious code
i wonder how many distros could actually get hit by this, for example gentoo uses the git repo directly.
I'd expect most binary distros to use git directly too in their build scripts?
No. Most distros use release tarballs.
The script targets deb and rpm, with glibc and systemd.
Arch and Gentoo unaffected.
HOWEVER: This is a supply chain attack.
There could be backdoors directly in the git code. The chain of trust involving Jia Tan is broken.
The whole codebase needs to be audited, and any commit made by Jia or Hans needs to be scrutinized.
>HOWEVER: This is a supply chain attack.
Not just here. People are finding suspicious code in a new "ifunc" feature of glibc added by mysterious contributors that only showed up recently.
tbh I think this is only the tip of the iceberg. There's way more to come.
ifunc is just automatic sse/avx function interpositioning.
that's a use case for it, it's not just that
>GNU indirect function (ifunc) is a mechanism making a direct function call resolve to an implementation picked by a resolver. It is mainly used in glibc but has adoption in FreeBSD.
>For some performance critical functions, e.g. memcpy/memset/strcpy, glibc provides multiple implementations optimized for different architecture levels. The application just uses memcpy(...) which compiles to call memcpy. The linker will create a PLT for memcpy and produce an associated special dynamic relocation referencing the resolver symbol/address. During relocation resolving at runtime, the return value of the resolver will be placed in the GOT entry and the PLT entry will load the address.
IMO this is a sign that not only should builds all be sandboxed, offline, and reproducible, but also the binaries should have strict omnidirectional access control. OpenSSH should ONLY EVER use the libraries it was compiled with, which are in a read-only store that is invalidated if its hash changes. It wouldn't help debian and redhat, since they are the ones applying patches that allow the vulnerability. But in general, it would make it hard for exploits to target more than one very specific combination of distro + binary versions. For something like ssh, we also shouldn't need someone debugging performance to know something fricked up is happening. Testing should have been more vigorous, especially for ssh, and should have failed somewhere, blocking this version without a packager rewriting a test.
>builds all be sandboxed, offline, and reproducible
this so much this
not being able to produce the same binary output is a sign of a bad design
>OpenSSH should ONLY EVER use the libraries it was compiled with
were the dynamically loaded libraries a mistake?
>IMO this is a sign that not only should builds all be sandboxed
This is a social problem not a technical problem. Please either stop being moronic or stop posting.
>bad engineering is a social problem
somewhat true
Should I build openssh with static libs then?
>unreleased beta software has issues
Who would have guessed?
It's not a bug, it's an intentional backdoor; the dev even revised it and spun up a new release because the first version was causing noticeable problems.
>unreleased beta software
It's from an officially released version though? The past 2 versions in fact at the very least. It's mostly affecting debian testing/unstable users but if debian's stable release cycle happened to be right now then it would have been present in stable as well.
Testing is frozen for a couple of months before it turns into Stable. I don't know the packaging policies by heart but a new release might not have made it into Stable in this timeframe no matter how it lines up
(5.6.0 was released one month ago)
It would definitely have entered debian stable if the backdoor wasn't found. The fact that the package was already in testing proves this. Debian doesn't hold packages back based on age, it's only a matter of whether or not it managed to enter testing before the last freeze.
technical analysis of the backdoor:
https://www.openwall.com/lists/oss-security/2024/03/29/4
some discussion:
https://news.ycombinator.com/item?id=39865810
>some discussion:
>Ubuntu still ships 5.4.5 on 24.03 (atm).
>I did a quick diff of the source (.orig file from packages.ubuntu.com) and the content mostly matched the 5.4.5 github tag except for Changelog and some translation files. It does match the tarball content, though.
>So for 5.4.5 the tagged release and download on github differ.
>It does change format strings, e.g.
>[...]
>There is no second argument to that printf for example. I think there is at least a format string injection in the older tarballs.
So everyone updates immediately...and they're probably still compromised.
Rollback to at least 5.2.11 (before Jia Tan was signing) is safer, but still not 100% safe.
MOOOOOOOOMMMMMM
how would updooting **now** help if all their packages are built with xz ? it's not like all the shit you have is already rebuilt even if some is accidentally
They're not. Arch Linux switched to zstd years ago
Ah yes, they depend on a Facebook rootkit instead. Much better.
>OpEn SoReS iS sO GoOd AnYoNe CaN CoNtRiBuTe To ThE CoDeBaSe aNd tHiS iS a gOoD tHiNg
-/g/
>AnYoNe CaN CoNtRiBuTe To ThE CoDeBaSe aNd tHiS iS a gOoD tHiNg
it is
accepting any moron's contribution isn't
Why do you proprietrannies make everything about open source?
You think supply chain attacks are impossible if the source is closed? Stupid troony.
It's better to have open-source code that anyone (good or evil) can contribute to and that can be revised by **YOU**, than closed-source software that can't be revised and is maintained by "evil" people. This "problem" is why I use FOSS in the first place: even if something bad happens, it will get discovered, because having a backdoor in your system isn't a normal thing in the FOSS community, the opposite of closed-source compromised software, where you can be sure that they are spying on you and have installed multiple backdoors so glowBlack folk can see you jerk off on e-girl porn, homosexual. And that is the normal.
>wat is security by obscurity
also security holes in linux go undiscovered for years because no real programmers look at or give a shit about the code. linux is just a learning ground/hobby project for fat moronic manchildren
40% of developers use desktop linux
That's got to be wrong.
why
Too high. I don't buy that they actually use desktop Linux as their main system.
too bad
At work I use windows... to start WSL.
At home I drink linux straight from the tap.
Because 40% of developers look like this
https://sourceware.org/glibc/wiki/GNU_IFUNC
I never knew about this til today. Why is there a gnu extension for indirect function calls and why would anyone use it to lose portability? It sounds like another mess of preprocessor macros just to use an unnecessary feature.
Time to recompile everything with ifunc blocked and see what happens.
Meanwhile linux packet filtering is being exploited just like we said it would be.
That feature is glowing so hard. It needs to be removed.
it's been a thing for a long time
it's the same infrastructure involved in architecture specific function dispatch
also every relevant compiler (i.e. clang) supports it
sir, do not disclose
the only people against immediate disclosure of security issues are themselves malicious hackers
Never EVER let a person with Chinese-sounding name become a maintainer in an important project like this. How many fricking times do people have to get burned until they learn? It's not racism, it's common fricking sense.
WHO
It's not
coomer.
She's not worth it. She's a CCP spy.
>She's a CCP spy.
i'd still frick her. there's nothing you can say that would stop me from wanting to frick a hot chink
"She has aids"
guess i have AIDs because i fricked her
whooooooooooooooooooo
doesn't help. the chinks would just name themselves Adam Smith. Or Emu Wrangler to match the timezone.
Just require proof of ID for code contributions.
No thanks, I want to keep contributing shit pseudonymously. Policing people just burns out legit contributors. Big Corp should run more independent reviews instead.
One man hobbyist projects can provide software as-is, it's the companies job to make sure that they get what they want.
If you're running a spice import company sourcing curry from india you need to check it for lead and other toxins. Or are you going to trust the pajeets? Same with the stuff you download from github.
>updooters problems
>Using anything newer than Debian stable/RHEL
You get what you fricking deserve
Although only the last 2 releases are known to be malware, the author of the malware has been the project maintainer for 2 years. Unless you're running debian oldstable, I wouldn't say you're safe either.
>the resulting malicious build interferes with authentication in sshd via systemd
I told you about the systemd being potential glowBlack person backdoor. I told you and you all laughed.
Impact
======
The malicious code path does not exist in the arch version of sshd, as
it does not link to liblzma.
However, out of an abundance of caution, we advise users to avoid the
vulnerable code in their system as it is possible it could be triggered
from other, un-identified vectors.
If you're a desktop user you're probably using software that links to xz so it's not exactly an easy task to simply uninstall it
Also does anyone know if this is x86 exclusive or does it also extend to ARM builds
Only x86, ARMs are safu.
Tell me in turn how I can see what links to it, my system shouldn't be affected for multiple reasons but I want to understand the extent it could have been
>one random chink killed all of lunis
>bros
foss xisters....
>I don't think using Rust would have saved anybody here. The attack is a level deeper than what the compiler controls. Exploits like this can happen to a Rust project too.
was he wrong?
No. This is like if dtolnay pushed a backdoor to his crates.
no
you can easily embed obfuscated malicious code in a build.rs script
Nothing in the language itself would have helped.
But this is an autogenerated autotools file that nobody wants to read but is still checked into source control for reasons. Rust doesn't need that so there are fewer places to hide this.
crev (distributed manual code review) could also conceivably have caught this but it isn't very popular so eh.
Check back in five years and maybe they'll have implemented build script sandboxing. They bring it up every now and then.
Most of the malicious code was hidden in the tests files.
The autotools stuff was just the thing that pulled the trigger.
Test driven development is a mistake.
Maybe we can ditch testing and start using proof oriented languages in 20 years when AI is good enough to autogenerate proofs for common algorithms.
AI helping review PRs might actually be a good use for the technology.
Chatbot reviews will be the most infuriating shit.
https://github.com/getgrit/gritql/pull/85#discussion_r1541059034
Only shifts the problem. "AI" is already being jailbroken (read: exploited) like nothing, figuring out how to obfuscate for AI is all it takes for overconfident morons to then accept anything that gets a "100% safu" ChatGPT seal of approval. Would probably make things even worse.
AI will confidently give you incorrect proofs, and confidently tell you everything is safe go back to sleep.
Proof oriented languages have a verified proof checker, moron.
Redditors found the github page. No surprises there, since this story is blowing up. Not all of us are like this.
>estr0gen
LOOOOOOOOOOOOL
>TransDeveloper
AYYYYLMAAAAAAAAAAAOOOOO
don't forget
>GnomedDev
you don't know what ayy lmao means, newhomosexual
suika banner is from https://fluffycat.gay/
i hate when people use github like a social media site
liblzma balls
Systemd strikes again.
With the discovery of compromised software, proprietarygays pretend software you can't KNOW is compromised is better
>proprietarygays pretend software you can't KNOW is compromised is better
Windows also uses libarchive to open .rars
yea, windows has been including a lot of unix/bsd tools these past years
it wouldn't surprise me if it were compromised in multiple ways as well
>check Raspberry Pi os for updates
>nothing
That's cool I guess I'll wait another week for a device I use exclusively over ssh.
I don't think it affects Raspberry Pi anyway does it? Are you even using debian or redhat on a raspberry pi?
ARM not affected
Should have been running Devuan or Alpine.
I was wondering if microsoft adds backdoor to github's binaries since they own github now but I guess they don't have to when the chinese will do it for free.
> tfw the whole "post the exe" thing is astroturfing from microsoft so they can backdoor github-compiled binaries
>Affected Systems
>These conditions include targeting only x86-64 linux
>Building with gcc and the gnu linker
>Running as part of a debian or RPM package build
>it is likely the backdoor can only work on glibc based systems.
>openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
Does $build refer to the target or the thing doing the building?
>push backdoor
>use your own pc/ip
it's mossad, microsoft or cia
What's the point of updating on Arch if the update pulls from the same repo?
Also note the validpgpkeys lel. Jia Tan is still there.
The only security model Arch devs know is updoot.
>tfw anytime I install something from AUR I change the source to a git tag
>Jia Tan is still there
seriously, they missed this obvious line? wow archies are dumber than i thought. someone outta send Tan an email letting him know he still has the power to compromise every arch box online before the archies find out, it would be hella funny to finally see their meme distro kick the bucket
Does he have github maintainer permissions, or was he just a contributor?
aren't you safe if the package was built from git sources?
But you see, if Arch were to revoke the validpgpkey of Jia Tan, then they would have to do the opposite of an updoot, unthinkable!
backdoor was included in the tarball, but not in the source
if you use linux, probably you
type in 'which xz' and if you get an output like '/usr/bin/xz' you have it
would installing artix fix the problem?
Arch isn't affected in the first place, but as systemd was part of the vector you would have a case that Artix is a slight improvement.
Yes. In fact, Arch now seems like a better target for this type of attack, because updoot == don't have to beg package maintainers to push your backdoor.
Artix having multiple options for init systems makes it a much harder target at the init system level.
isn't part of the problem dumbass maintainers patching openssh? it actually makes the openbsd people mad when people do this because it always ends up causing problems like this.
Who the frick uses XZ and why?
everyone
it's a standard compression library
It's linked by many things to make it available as optional feature and to be able to process it. It's there even if you don't want to use it.
People who didn't read GNU tar regretting adding it and compressing a lot of their tarballs with it.
>I am a professional software developer being paid cash money to keep bad code out of the codebase
>I have not read a pull request before approving it in years
>Foss devs read and scrutinize pull requests FOR FREE though
We need to stop believing this. We need a version of contributing code that admits reviewing code is miserable and humans won't do it to the extent they can get away with it
70% of FOSS devs are employed by one of the big Linux companies like Red Hat, independent projects like xz are in fact not common
This just proves that China has legit looking sleeper agents hijacking important FOSS projects.
They could be hiding behind any innocent looking anime avatar!
I doubt China would be that obvious about it
My dude this was a fluke discovery. One lone Postgres optimization autist caught it.
Yes but state-sponsored actors operating from within the timezone of that state? That would be an insane rookie mistake I refuse to believe a state as powerful as China would make. Also putting literal Chinese text into your suspicious files and using the chinkiest name one can fathom while also communicating and contributing in English.
Way more likely someone knows exactly that everyone will gobble the chong flavored red herrings up. Bless /ourtism/ regardless though.
Yes. That's part of the reason Arch isn't affected, other part is that the backdoor itself deliberately only targeted rpm and deb via a check when built on those systems from the release tarball.
almost like they knew that debian maintainers always molest packages
I mean yeah. If you want to break into a shed window there's no point practicing on a house door
All Chinese and Israeli open source contributions should be audited.
>All [...] open source contributions should be audited.
FTFY. Yes, that's the point Anon.
Yes but Chinese and Israeli contributions should be prioritized.
>only post UTC
>call fake account Filfrelm Eurobble
System: beaten
They also have international students wandering into offices at Berkeley and scanning everything they can
This is example number 1,000 of American institutions trying to treat China and Chinese citizens as normal individuals from another, normal country and getting owned
I have no idea how things will change. You saw that guy get 100 downboats for using a bad word for Chinese. Our suicidal society is allergic to thinking about this kind of thing or preventing it. We're lucky this Chinese citizen contributed to FOSS instead of just getting a job at Microsoft and backdooring W11
>tldr glory to the ccp
there was/used to be a phd student in ee at berkeley who had the equivalent of "glory to the ccp" as part of his personal homepage. No idea why we invite them by the boatload and teach them EE.
Well it's not like their existence in academia matters much anyhow, nothing cutting edge has come out of there in the past two decades. But if they're in universities they're obviously in every company as well. And yet somehow despite explicit attacks like operation aurora companies go and open up branches in china. Really, china knows that the west's biggest weakness is the thirst for money, and they'll throw everything under the bus chasing profits.
Don't forget that they did inject malicious code for trolling purposes
hello
https://github.com/JiaT75/STest/assets/37901668/a6d9ae84-17e5-42ba-9fb7-13654053f43c
ccp chads i kneel
what does it say?
Drawing near, I see written on the wall:
Qin Xianglian, aged thirty-two, brings a complaint against the present court's
imperial son-in-law, who deceived the sovereign and hid it from the emperor;
that vow-breaking man was taken in as the emperor's son-in-law.
Look closer and it's written on the wall
Qin Xianglian sued the dynasty when she was thirty-two years old
Consort Ma Lang deceived the king and concealed it from the emperor
The regretful man recruits the east bed
>only affects fedora morons
>thread gets racist
Who cares.
You're the yellowest, smartest panda I've ever seen.
lzip chads, we won. xz trannies on suicide watch.
>zstd has entered the building
they call me z-STD because I rawdogged your mom
some phoronix user discovered that "Jia Tan" has made patches to the linux kernel
>https://lore.kernel.org/lkml/[email protected]/t/
...frick
guys I feel like we're living in a movie..
Yeah this some Fast and Furious shit...
Solid MCU vibes redditbros
i have an opensuse tw desktop box with sshd running on the internet 24/7. am i fricked
>Putting a systemd box on the internet
Yes.
What the frick were you thinking anon? Yes, it's fricked. Official recommendation from the openSUSE team is to wipe that puppy clean and change all your credentials. Next time keep it behind a VPN.
any tips to check if my data got leaked? like parsing atimes of important stuff
Not much you can do at this point, but detection tools are probably on the way within the week (assuming it was exploited in the wild). Also, make sure you actually had one of the bad releases on your system. If you're not super religious about updating you may have avoided it.
nah, i have the thing. i fear about leaking passwords and stuff. checked the atimes of some files and didn't find anything.
I know the thing you're talking about. detect.sh isn't enough in this case, all it tells you is if you're vulnerable. If it told you that you're vulnerable, either nuke the system and change your passwords, or wait until more comprehensive detection tools release.
Imagine not using Debian STABLE.
dpkg -l | grep xz-util
check version
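The two manual checks posted in the thread (look at the installed xz release, and find out whether sshd links liblzma at all, which is what someone asked earlier) wrapped into a small POSIX shell script. This is an added example, not from the thread: 5.6.0 is the release named above, 5.6.1 is the follow-up release the thread mentions (version number taken from the public advisory, not from this page), and the sample outputs it parses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: reusable functions for the manual
# checks discussed above. 5.6.0 is the release named in the thread; 5.6.1 is
# the follow-up release it mentions (version from the public advisory).

# Return 0 when the given xz version string is a known backdoored release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version out of `xz --version` output, whose first line looks like
# "xz (XZ Utils) 5.6.0".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Pull the upstream version out of a `dpkg -l` line for xz-utils, e.g.
# "ii  xz-utils  5.4.5-0.3  amd64  XZ-format compression utilities"
# (Debian appends a package revision after a dash; only the upstream part counts).
xz_version_from_dpkg() {
    printf '%s\n' "$1" | awk '$2 == "xz-utils" { split($3, v, "-"); print v[1]; exit }'
}

# Given `ldd` output for a binary, print the resolved liblzma path, or nothing.
# The thread's point: sshd only reaches the malicious code where it links
# liblzma (Debian/Fedora do so indirectly through the libsystemd notify patch).
liblzma_from_ldd() {
    printf '%s\n' "$1" | awk '/liblzma/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}

# Live check of the local host; prints findings only and changes nothing.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        v=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if xz_version_affected "$v"; then
            echo "xz $v: KNOWN BACKDOORED RELEASE"
        else
            echo "xz ${v:-unknown}: not a known backdoored release"
        fi
    else
        echo "xz: not installed"
    fi
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        lz=$(liblzma_from_ldd "$(ldd "$sshd_path" 2>/dev/null)")
        if [ -n "$lz" ]; then
            echo "sshd links $lz (reachable configuration if xz is backdoored)"
        else
            echo "sshd does not link liblzma"
        fi
    fi
}

# Run the live check only when asked, so the file can also be sourced.
case "${1:-}" in
    --run) check_host ;;
esac
```

Run it as `sh xzcheck.sh --run`; a clean xz version plus "sshd does not link liblzma" is the state the thread describes for Arch, while an affected version together with a liblzma line is the Debian/Fedora case.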
>am i fricked
Yes.
>i have an opensuse tw desktop box with sshd running on the internet 24/7.
I don't know what any of those words mean.
wtf is sshd?
absolute state of IQfy
The ssh server daemon
It's oh so quiet
sshd, shhd
It's oh so still
sshd, shhd
When you're all alone
sshd, sshd
And so peaceful until
*fanfare*
>open source
>nobody checks the code
What's the fricking point?
it was hidden pretty well
https://www.nongnu.org/lzip/xz_inadequate.html
He warned you bros.... You didn't listen.
metamask bros...
https://github.com/JiaT75/STest/assets/37901668/7037498b-d998-4d40-b395-7f8fe5255d60
>webp vulnerability
>exiftool vulnerability
>now xz backdoor
i'm gonna go full schizo and only use uncompressed data from now on
just don't updoot. simple as. glowies can't get you unless they travel back in time.
what if they already have a backdoor that is very old?
If Anon doesn't know about it it doesn't exist
They can just use a normal vulnerability lmao
>but I can patch the old version!
And what if those patches are backdoored?
read it to make sure it isn't
Fedora? More like Peedora!
Realistically, where is the fault here? You can't expect the upstream devs to check on one another, because competency can vary and you have no guarantee that there aren't multiple bad actors on the maintainer team. You can't expect downstream repository maintainers to check every possible build permutation for potentially obfuscated code hiding in there. You can't expect code to not have dependencies on other libraries.
So what's the solution? Run-time modification of symbols and whatever else is fairly frequently used, but is it worth kernel-mandated logging so that end users can notice it faster? Is there a security-related piece of kernel-level design that should be rethought? Where is the weak point that vulnerabilities like this should be targeted at?
Seems like using prepackaged tars was part of the issue. Seems like an easy if minor takeaway.
You're right, that's the low-hanging fruit to take away. Trusting the upstream packages was a surprisingly naive move, and I wonder if the costs of avoiding them were really so significant to have created this situation.
But I am not sure if avoiding that would permanently solve the issue. Would this have been found any faster if the malicious binary file was visible in the repo? I am not sure if people would have noticed it and become suspicious.
It’s pretty much guaranteed it’d be noticed sooner. If it’s in the source tree it’s not going to take long for someone to notice the code doing odd shit. The commits that added the back door were nondescript archive files ostensibly intended for testing. Nobody looks at binary files used for testing very often.
The actual execution was implemented only in the release tarball. If it’d been committed to the main repo there’d be a far higher chance of it being caught.
Think this will stop the snap/flatpak "one true build" bullshit? Because i have a feeling we'll get just the opposite
I'm not sure what, exactly, you're referring to
The crux is deeper than that though, because openssh is just as interchangeable as m4. If they couldn't backdoor via xz -> openssh they'd have used Y -> Z with some other packages. At the most this is a fundamental issue with the nature of dependencies in the current Linux kernel. If not going that far, it's an issue with blindly trusting package tarball contents instead of some sort of third-party verified contents.
By which I mean, git* could run the builds, and anyone could audit the files/hashes used in the build and wrapped in the tarball, to verify that they match what's in the repo. Really, pulling down a package from upstream like this should automate that, like checking a repo hash against the hash in the architecture-appropriate build report and then alerting the distro maintainer if there's ever a mismatch.
I had really thought the updooter was purely a meme character until I saw that post
This also somewhat relied on autotools being a giant piece of shit. It is normal for release tarballs from autotools projects to be different/modified from the actual committed tag because of how the build system works. So a simple hash check wouldn't have happened in this case because a mismatch is expected. Other build systems don't have this problem of course.
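One way to make the "hash the tarball against the repo" idea work despite the autotools caveat in the post above: hash both trees, suppress the artifacts autotools and gettext are expected to regenerate (configure, Makefile.in, ChangeLog, translation files, as the HN diff quoted earlier found), and report everything else, so an m4 file that exists only in the tarball is not lost in expected noise. This is an added POSIX shell example, not the thread's or any project's tooling; the allowlist and the directory layouts it is tested on are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: compare the file tree of an unpacked
# release tarball with a `git archive` export of the matching tag, ignore
# the artifacts autotools legitimately regenerates, and report the rest.
# The allowlist below is an assumption for the demo, not any project's policy.

# Basenames autotools is expected to add or rewrite in a release tarball.
# Generated m4 macros are deliberately NOT listed: an m4 file that exists
# only in the tarball is exactly the kind of difference a human should read.
AUTOTOOLS_EXPECTED='configure Makefile.in aclocal.m4 config.h.in ChangeLog'

# Return 0 if a relative path is an expected autotools/gettext artifact.
is_expected_autotools_file() {
    base=${1##*/}
    for e in $AUTOTOOLS_EXPECTED; do
        [ "$base" = "$e" ] && return 0
    done
    case "$base" in
        *.po|*.gmo|*.pot) return 0 ;;   # translation catalogues are regenerated too
    esac
    return 1
}

# SHA-256 of one file, using whichever tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "<sha256> <relative path>" for every regular file under a directory
# (paths without whitespace are assumed, which holds for source trees).
hash_tree() {
    (cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort | while read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done)
}

# Print one finding per line, expected artifacts suppressed:
#   ADDED <path>    present only in the tarball
#   CHANGED <path>  same path, different content
#   REMOVED <path>  present only in the tag export
# Usage: compare_release_to_tag <unpacked-tarball-dir> <git-archive-dir>
compare_release_to_tag() {
    {
        hash_tree "$1" | sed 's/^/T /'
        hash_tree "$2" | sed 's/^/G /'
    } | awk '
        $1 == "T" { tar[$3] = $2 }
        $1 == "G" { git[$3] = $2 }
        END {
            for (f in tar) if (!(f in git)) print "ADDED " f
            for (f in tar) if ((f in git) && tar[f] != git[f]) print "CHANGED " f
            for (f in git) if (!(f in tar)) print "REMOVED " f
        }' | LC_ALL=C sort | while read -r kind f; do
            is_expected_autotools_file "$f" || printf '%s %s\n' "$kind" "$f"
        done
}

# Command-line entry point: sh compare.sh <tarball-dir> <tag-export-dir>
if [ $# -eq 2 ]; then
    compare_release_to_tag "$1" "$2"
fi
```

An empty report means the tarball differs from the tag only in the ways autotools is expected to cause; anything printed is what a packager should read before building.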
>happened
helped*
Didn't the affected tarballs contain entire binaries and autotool scripts not even found in the repo in the first place? That seems more significant than "expected variation".
>suckless
They're still getting their C compiler, OS tools, kernel, and whatever else from the supply side, aren't they?
>contain entire binaries
No. The test binaries were in the original repo.
>autotool scripts
It was literally a one line difference.
The malicious binaries were in the test/ directory of the git repo, disguised as corrupted archives for testing
Most distros were already checking hashes and signatures.
That's the problem.
It's a supply chain attack.
There is no way to mitigate this unless you manually audit every diff.
The solution to this problem is called: https://suckless.org/
IMO upstream devs ARE AT FAULT. but there is no way to check for all the cases and all the patches.
IMO devs IN GENERAL should simplify their processes and, most importantly, THEIR TOOLS.
this is why I like Go: there is no need for external tools or too many files, and you are forced to write code in a very clear and concise way
we also don't know if this guy got paid to give control of the project, and if the "chinese" guy is actually chinese or someone working for the NSA or some other intelligence agency.
c**t's fricked
>muh mental health
jfc we're fricked because some butthole can't handle his emotions
Kinda sad they didn't even get him with "here's your cute co-maintainer fresh from China, she plays the piano and likes fat emotional pieces of shit"
All it took was him collapsing on his own and handing off the repo without much scrutiny
>on his own
We don't know what intelligence agencies may do against people in their private lives. The "gangstalking" people feel a bit like poisoning the well to me.
I'd read your thriller Anon. In this particular case though dangling a reward would likely be cheaper and easier than manufacturing a mental illness. But he gave the keys to the kingdom away for free regardless so why bother.
>The "gangstalking" people feel a bit like poisoning the well to me.
The gangstalking people are suffering from paranoid schizophrenia.
gangstalking is literally just schizos
it's never once been real, that's not how three letters work
they don't need to send people to your house
except this one guy in LA who had some beef with the LAPD/a government agency and they killed him
i think he was still a schizo though
>maintain some critical piece of infra for years for free
>get busy and a bit burned out
>take a break
>cutie chinese gf shows up out of nowhere and offers to maintain your software if you just let her sniff your bwc
What I don't understand is... How is xz not feature complete by now?
is he trooning out?
Pshh, what? Nah, probably stepped on a lego real hard.
frick this is scary
the whole thing was premeditated and they didn't mind it taking several years
there's no doubt this is a state action but probably will never know
i ran my update command and i don't see any updates for xz
>Yet another Systemd integration oopsie
Kek
this is safe, right? using ubuntu 22.04
yeah
It's my first time, I am so excited bros
god bless ubuntu and its outdated packages
Linux Mint CHAD can't stop winning.
At this point, only OpenBSD is safe.
>only OpenBaSeD is safe
Always has been, always will be
>libligma
Who's Steve Jobs?
He said "just werks" while thinking about debian
Now that's what I call a spicy distro!
linux trannies about to find out hundreds of their packages are backdoored
I only update Tumbleweed once a month. I will jump slow-roll as soon as possible
Don't recall the last time I manually updated my Debian stable boxes. They all install patches themselves without babysitting. Debian just works.
>foss know about their vulns right away
>winblows and igays be like: no one knows
>right away
It's been there for months, who knows how many systems were compromised.
right away is a relatively short time compared to never knowing, friend
since it never made it into stable, no systems that matter are affected.
doesn't google use debian testing but with their own spin and testing suite? i'd be incredibly interested to see what they think about this and how they're handling it
the OS itself is a vulnerability with those two.
This is a frick-up, but it alarms people because it's public.
I wonder how much of those Windows has.
When Microsoft controls the update server, they can push compromised updates to select users. Why bother implementing a backdoor for everyone only to make it more likely to be discovered.
>Vulnerabilty hidden in M4 macro
No shit, there's no one alive that knows how to use or read that shit. Every codebase with M4 macros becomes spaghetti real fast
>xz --version
>5.2.4
LTS chads, i am getting tired of winning
where my STABLE chads at
>Verification not required.
reporting in
>5.4.1 was already maintained by Jia Tan
OH N-
I don't think we're safe, bros... I'm worried the PRC might get me.
If it wasn't foss, we would never have known. Fricking moron. Isn't IQfy supposed to be literate in tech?
sucky sucky five backdoors
China wins again, white boys BTFO
What Timmy gon do? Travel all the way to China to complain?
Range ban all of China from github and remove all repositories of chinese users.
Why did I upgrade a few days ago...
Start-Date: 2024-03-27 15:26:38
Commandline: apt upgrade
Requested-By: $USER (1000)
Install:
...
xz-utils:amd64 (5.4.5-0.3, 5.6.0-0.2)
guys... am i safu? the test script doesn't work because there's no sshd executable
preliminary analysis only found sshd is affected, but nobody knows for sure until the blob is fully analyzed.
post link to blob, I'll analyze it myself
https://www.openwall.com/lists/oss-security/2024/03/29/4
Download attachment "liblzma_la-crc64-fast.o.gz" of type "application/gzip" (36487 bytes)
an anon said its 10k lines of assembly
I heard china released an antivirus you can install.
Perfect for gorgeous security, can push asap.
riddle me this Black folk, is downgrading on arch a viable option? I sense this package is capable of breaking a lot of things.
Arch pushed an updoot that uses the repo instead of the infected tar. Arch is also not open to the attack vector in the first place.
good to know, I was reading about it.
https://archlinux.org/news/the-xz-package-has-been-backdoored/
Now you see me, now you don't! Hahahaha!
Oh wait that's GLA...
considering it's been around 12h since the original announcement, it's only a single hooked function and nobody has properly reversed the payload yet other than "it seems to allow authentication bypass somehow", it seems to be quite advanced
I wonder if my poorly coded Nintendo64 emulator has a Chinese backdoor.
BAZOOKA
Project64 did contain malware at some point.
Yeah, I bet it was Nintendo's, used to gather data for a lawsuit...
>openssh does not directly use liblzma. However debian and several other
>distributions patch openssh to support systemd notification, and libsystemd
>does depend on lzma.
once again, systemd is the loser of the show
It's the nigg*r of the show, you mean.
go back
>xz --version
>xz (XZ Utils) 5.4.1
>liblzma 5.4.1
kek, nice try chinamen
What would Confucius say!
ching-ching, therefore ping-pong.
A chink in your armor today may well be a hole tomorrow.
wait so how did this exploit work? did they put bad bytes into a compressed test binary that somehow gets executed during testing?
They used an m4 macro to pull code into the binary at build time. That part is pretty irrelevant because if m4 wasn't used they'd just obfuscate it a different way. The crux of it is that they modified openssh behavior by abusing the fact that moron distros patch it to require systemd which then requires xz.
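The questions anons keep circling back to (what version do I have, did apt move me onto it, does my sshd actually pull in liblzma through libsystemd, and do I update or wipe) can be answered with a few shell checks. The script below is an added example, not code from the thread, the xz project or any distribution. It assumes the affected upstream version is 5.6.0 (the only one named in the apt log pasted above; extend the list from your distro's advisory), that sshd lives at `/usr/sbin/sshd` when you run it for real, and it feeds the functions constructed sample outputs in place of real `xz --version`, `ldd` and `/var/log/apt/history.log` text so it runs offline. The verdict function follows the openSUSE guidance quoted further down: affected and sshd reachable from the internet means reinstall, affected but not exposed means update.

```shell
#!/bin/sh
# Added example, not from the thread or from the xz project: offline checks for
# the xz -> libsystemd -> sshd chain discussed above. All inputs below are
# constructed sample command outputs so the functions run without a real host;
# on a real machine feed them `xz --version`, `ldd /usr/sbin/sshd` and
# /var/log/apt/history.log instead.

# Upstream xz versions the thread identifies as carrying the backdoored build
# (5.6.0, from the apt log pasted above). Extend from your distro's advisory.
AFFECTED_XZ_VERSIONS="5.6.0"

# First line of `xz --version` is "xz (XZ Utils) 5.4.1" (or just "5.2.4" as
# pasted in the thread); the version is the last field either way.
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Strip the distro revision: "5.6.0-0.2" -> "5.6.0".
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# True (exit 0) when the given upstream version is in the affected list.
xz_version_affected() {
    for v in $AFFECTED_XZ_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# True when `ldd` output lists the named library. An empty string (no sshd
# binary installed, as one anon found) simply yields false.
ldd_output_has_lib() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2\\.so"
}

# Pull the version xz-utils was moved to out of an apt history transaction,
# e.g. "xz-utils:amd64 (5.4.5-0.3, 5.6.0-0.2)" -> "5.6.0-0.2".
apt_log_xz_new_version() {
    printf '%s\n' "$1" | sed -n 's/.*xz-utils:[^ ]* ([^,]*, *\([^)]*\)).*/\1/p' | head -n 1
}

# Verdict following the openSUSE guidance quoted in the thread: affected
# version and sshd exposed to the internet -> wipe and reinstall; affected but
# not exposed -> update; otherwise nothing to do. $2 is "yes" or "no".
assess() {
    if xz_version_affected "$1"; then
        if [ "$2" = yes ]; then
            echo wipe-and-reinstall
        else
            echo update
        fi
    else
        echo ok
    fi
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.0
liblzma 5.6.0'
SAMPLE_LDD_OUTPUT='    linux-vdso.so.1 (0x00007ffd00000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'
SAMPLE_APT_LOG='Start-Date: 2024-03-27 15:26:38
Commandline: apt upgrade
Install: xz-utils:amd64 (5.4.5-0.3, 5.6.0-0.2)'

# Human-readable summary; $1 xz output, $2 ldd output, $3 apt log, $4 yes/no.
report() {
    ver=$(xz_version_from_output "$1")
    echo "installed xz: $ver"
    echo "apt moved xz-utils to: $(upstream_version "$(apt_log_xz_new_version "$3")")"
    if ldd_output_has_lib "$2" liblzma && ldd_output_has_lib "$2" libsystemd; then
        echo "sshd links libsystemd and liblzma: the chain in the thread applies"
    else
        echo "sshd does not pull in liblzma via libsystemd"
    fi
    echo "verdict (sshd exposed=$4): $(assess "$ver" "$4")"
}

report "$SAMPLE_XZ_OUTPUT" "$SAMPLE_LDD_OUTPUT" "$SAMPLE_APT_LOG" yes
```

On a real box replace the three SAMPLE_ strings with `"$(xz --version)"`, `"$(ldd /usr/sbin/sshd 2>/dev/null)"` and the relevant transaction from `/var/log/apt/history.log`; the `ldd` check only tells you whether the library is loaded into sshd at all, which is the precondition the quoted openwall post describes, not whether the hooked function was reached.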
So how exactly does malicious code in a compression library bypass my router and get to my non-existent ssh server?
Nothingburger techlets not like this...
Nothingburger
Fixed before most of IQfy heard it, no restart required. Wincucks seething
>I'm afraid it's a lot more sinister than that. This exploit code has been gradually introduced and refined in the repository over the course of at least a year.
stable bros...
>latest version on my distro is from 2019
sigh.... LTS bros, when will we stop winning?
What are you quoting from
So how at risk is the average linux user, assuming they had this version of the package at some point? Is the average moron that just uses linux on their laptop to browse the web affected, or is it only people running servers? Yeah, I'm dumb which is why I'm asking.
according to opensuse if you've got an SSH server open to the internet you need to wipe otherwise all you need to do is update
Thanks, anon.
here's their actual press release and their recs for source
https://news.opensuse.org/2024/03/29/xz-backdoor/
I am not sure how many distros init sshd out of the box, mine don't. So maybe you are safu. Also it only builds on debian and fedora
>guy who disclosed the xz backdoor is a literal paid microsoft employee doing sql bullshit
fricking lmao
Well he humiliated his fellow MSFT employee Lennart Poettering
Wait this is the guy? Shit he reviewed one of my PRs before no joke lol
More like Andres Friend! Thank you for your service!
Take my upvote sir
>More like Andres Friend!
That's exactly what freund means in german so name fits.
Unironically a good DB.
Reminder libarchive and thus bsdtar and shit is probably botnetted as well.
If you want lzma, use lzip.
Oh no one malicious or vs windows which is literally just spyware
Pr*
>inb4 this is an elaborate troll to prove how insecure open source is
>A single solitary intentional backdoor is discovered
>Freetards automatically assume that it must be the only one
what are you talking about? i'm seeing witch hunts about a bunch of other people related now lol
https://news.ycombinator.com/item?id=39868682
>vcpkg is botnetted too
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
if anything this will get people to create more rigorous contribution procedures in other projects, literally nobody is assuming that you brainlet
No one said it was the only one but this is hilariously bad straw grasping from windows forks desperate to maintain hegemony on their toy os
https://github.com/JiaT75/STest/commit/9a83d912631bbfb029e5ea86eb31a31185c1e165
>it was a IQfyentooman all along
Almost certainly a typo but that's hilarious and I'm going to use that in the future.
jej
God dang it! I didn't kill fifty koreans during the war to get my Linux hacked by commies!
Oh great here comes the racist backdoor witchhunt.
it's perfectly okay to be racist against mainland chinese
why would anyone ever defend mainland china
you realize the only way this ends is literally genocide
like we're going to have to kill them all or humanity is doomed
It's okay to be racist against russians. Unfortunately this time it had to be a heccin good boi chinkerino who probably just accidentally included a few symbols that made it look like a backdoor.
i've seen so many shitty prs from indians, russians, central asians, and chinese that every pr should be considered a threat
Does IQfy care more when China or a Chinese person does it?
last night I chinese backdoored your sister
How would you limit things like this from happening?
Ban chinese people
This is IQfy give me a technical answer you c**t
When a PR is opened that originates from an IP located in China, autoclose it.
Why shouldn't USians be banned from open source projects?
No you should ban us too. We're all glowBlack folk.
yea and?
literally ban chinese people and audit every single author to make sure they aren't from mainland china or descended from mainland chinese
taiwanese might be okay but they should be
this is a matter of geopolitics
*but they should be under heavy scrutiny
All commits need to be linked to a real personal identity. No making sockpuppet accounts to create commits, you need to be a real actual human being.
Distributing closed source software should only be done through highly trusted channels which build from source. Building from source should be the default.
Highly critical pieces of infrastructure should receive government funding and maintainers should receive state appointed GFs and other mental health aids.
And things like this need to have criminal consequences.
Install Kaspersky
Use closed source software.
I'm unironically going to install Gentoo
you morons arguing "muh closed source this!" and "muh open source that!"
Black folk, it's all fricked. at least open source gives you a chance to do something about it
Github needs to IP range ban India and China immediately.
closed source software doesn't have this problem
Microjeets discreetly backdoor your closed source software while chinks publicly backdoor your open source software, humiliation ritual.
>nobody knows yet what vulnerability the payload was hoping to exploit
rip
https://xz.tukaani.org/
>404
xkcd was right again
Glowies are acting so fast... Suspicious.
These gays should use libre licenses to force corpos to support the package or pay him to support it.
>exploit hidden in build system shipped with project
Linux really had it coming.
Hidden in the build system of a transitive dependency of a downstream patch.
Stop using autotools. Stop using systemd.
I never liked autoshit. Now I have an even better reason to hate it.
Man, it must suck to work years for this one backdoor that gets immediately patched because some autist couldn't help but notice sshd authentication taking a fraction of a second longer than usual on their system.
How many backdoors made it in and escaped detection though?
Multiple people noticed that shit was wrong.
The freund guy is the only person I've seen that noticed it
can we get official sources on who and who found out about the backdoor? supposedly it was only freund, yet anons say that a security specialist already called it out by then
Debian and Slackware do it right.
All Linux systems should be running upstream code that is AT LEAST two years old when installed.
This is only a problem if you have a system with a version of xz that is like 2 months old, which is way way too new to be running on anything. Code is like a fine Port, you need to let it age first before popping the cork.
One of the attacker's accomplices(?) tried backdooring another big package too FYI
https://github.com/microsoft/vcpkg/pull/37841
To Updoot or Downdoot
>I heard the latest updoot just dropped. I need to updoooot so bad.