
[LUG]Re: Backdoor found in key library liblzma (xz-utils) - CVE-2024-3094


It rather shows the benefit of open source development. This was
caught before it got onto my machine and, I would suggest, practically
all others. More to the point it was detectable. I don't see it could
have been on any of the playstore models other platforms have adopted.
I'd also suggest that if this developer did it to so pervasive an
aspect of linux then associates will have been doing it more widely
where they can't be watched.

My own archiving scripts employ zstd and I'm sure I did that for a
reason (probably related to elapsed time), but any compression library
could have been targeted and still could be. Simply using an
environment where public vigilance is an option is sensible.

I also note that there is considerable potential for AI background
scanning of all maintainers' release patterns, to bring edge cases to
the attention of security checking teams.

On Fri, 29 Mar 2024 at 23:00, Simon Waters <simon@xxxxxxxxxxxxxx> wrote:
>
> This is currently being heavily investigated so comments are provisional.
>
> Looks like the tarballs of the "xz" utility were backdoored in at least
> versions 5.6.0 and 5.6.1 (goes back at least a month, possibly two).
>
> At this point it is unclear to me the scope of the security impact of this.
>
>
> It was found by people looking at Debian Sid resource consumption for ssh, and
> Redhat have a security advisory telling them to stop using systems using
> Fedora Rawhide.
>
> https://access.redhat.com/security/cve/CVE-2024-3094
>
> https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
>
> Debian bug to possibly revert (it appears Debian Sid and Testing may be
> affected). Not sure this adds much light, but the people who found it do
> suspect one of the (two) XZ maintainers of being involved.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
>
> Post noting Debian testing and sid users can upgrade 5.5/5.6 versions of xz-
> utils to get a cleaned package based on 5.4.5 called imaginatively:
>
>  5.6.1+really5.4.5-1
>
> https://lists.debian.org/debian-security-announce/2024/msg00057.html
>
> Of course fixing a backdoor doesn't mean the system is safe, if it was
> exploited whilst malicious code was present, but that is why you have a
> security team right?!
>
> Apologies if this spoils anyone's Easter but you probably wanted to know
> sooner rather than later. Well done to Andres Freund, and Florian Weimar, for
> finding this before it got out of testing distros (at least for Debian and
> Redhat).
>
>
>
>
> --
> The Mailing List for the Devon & Cornwall LUG
> FAQ: https://www.dcglug.org.uk/faq/
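An added check, following the whole thread above; it is my example, not code from either poster. It takes the version strings the thread names (backdoored tarballs 5.6.0 and 5.6.1, and Debian's revert package 5.6.1+really5.4.5-1) and classifies an xz-utils version string as affected, reverted, or neither, then optionally reads the installed version from dpkg-query or `xz --version` when those are present. The function names and the "clean" label are my own choices, not anything from the advisories.

```shell
#!/bin/sh
# Added example: classify an xz-utils version against the versions named in
# the thread. Version strings 5.6.0, 5.6.1 and 5.6.1+really5.4.5-1 come from
# the posts; the function names and labels below are my own (assumptions).

# xz_affected VERSION
#   Prints "affected" (5.6.0 / 5.6.1, the backdoored releases), "reverted"
#   (Debian's 5.6.1+really5.4.5-1 rebuild of 5.4.5) or "clean" (anything else).
#   Exit status is 0 only for an affected version, so it can gate a script.
xz_affected() {
    case "$1" in
        *really5.4.5*)  echo reverted; return 1 ;;   # check before 5.6.1* matches
        5.6.0*|5.6.1*)  echo affected; return 0 ;;
        *)              echo clean;    return 1 ;;
    esac
}

# xz_installed_version
#   Prints the installed version: the Debian package version when dpkg is
#   available (so the +really suffix is visible), otherwise the first
#   dotted number on the first line of `xz --version`. Empty if xz is absent.
xz_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' xz-utils 2>/dev/null && return 0
    fi
    command -v xz >/dev/null 2>&1 || return 1
    xz --version 2>/dev/null | sed -n '1s/.*[^0-9.]\([0-9][0-9.]*\).*/\1/p'
}

# xz_check_system
#   Reports the installed version and its classification; exit 0 if affected.
xz_check_system() {
    v=$(xz_installed_version) || { echo "xz-utils not found"; return 1; }
    echo "installed xz-utils version: $v"
    xz_affected "$v"
}

# Run the system check only when asked, so sourcing the file is side-effect free.
if [ -n "${XZ_CHECK_RUN:-}" ]; then
    xz_check_system
fi
```

Usage: `XZ_CHECK_RUN=1 sh xz_check.sh` on a host, or source the file and call `xz_affected "$(dpkg-query -W -f='${Version}' xz-utils)"` from another script. The revert package is matched before the `5.6.1*` pattern because its Debian version string begins with 5.6.1.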