• Doombot1@lemmy.one
    link
    fedilink
    arrow-up
    0
    ·
    9 months ago

    ELI5 what does this mean for the average Linux user? I run a few Ubuntu 22.04 systems (yeah yeah, I know, canonical schmanonical) - but they aren’t bleeding edge, so they shouldn’t exhibit this vulnerability, right?

    • rotopenguin@infosec.pub
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      apt info xz-utils

      Your version is old as balls. Even if you were on Mantic, it would still be old as balls.

    • kbal@fedia.io
      link
      fedilink
      arrow-up
      0
      ·
      9 months ago

      The average user? Nothing. Mostly it just affects those who get the newest versions of everything.

      • flying_sheep@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        9 months ago

        In this case I think that’s just Fedora and Debian Sid users or so.

        The backdoor only activates during DEB or RPM builds, and was quickly discovered so only rolling release distros using either package format were affected.

  • capt_kafei@lemmy.ca
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    Damn, it is actually scary that they managed to pull this off. The backdoor came from the second-largest contributor to xz too, not some random drive-by.

    • Alex@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      9 months ago

      Time to audit all there contributions although it looks like they mostly contribute to xz. I guess we’ll have to wait for comments from the rest of the team or if the whole org needs to be considered comprimised.

        • cjk@feddit.de
          link
          fedilink
          arrow-up
          0
          ·
          9 months ago

          Either that or the attacker was very good at choosing their puppet…

          • Alex@lemmy.ml
            link
            fedilink
            arrow-up
            0
            ·
            9 months ago

            Well the account is focused on one particular project which makes sense if you expect to get burned at some point and don’t want all your other exploits to be detected. It looks like there was a second sock puppet account involved in the original attack vector support code.

            We should certainly audit other projects for similar changes from other psudoanonymous accounts.

  • fireshell@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    I will laugh out loud if the “fixed” binary contains a second backdoor, but one of better quality. It’s reminiscent of a poorly hidden small joint, which is naturally found, and then bargaining, apologizing and making amends begin. Although now it is generally not clear where the code is more proven.

    • dan@upvote.au
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      9 months ago

      The malicious code attempts to hook in to libcrypto, so potentially other services that use libcrypto could be affected too. I don’t think extensive research has been done on this yet.

      SSH doesn’t even use liblzma. It’s pulling in the malicious code via libsystemd, which does use liblzma.

      Edit: “crypto” meaning cryptography of course, not cryptocurrency.

    • Atemu@lemmy.mlOP
      link
      fedilink
      arrow-up
      0
      ·
      9 months ago

      We know that sshd is targeted but we don’t know the full extent of the attack yet.

      • tal@lemmy.today
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        9 months ago

        Also, even aside from the attack code here having unknown implications, the attacker made extensive commits to liblzma over quite a period of time, and added a lot of binary test files to the xz repo that were similar to the one that hid the exploit code here. He also was signing releases for some time prior to this, and could have released a signed tarball that differed from the git repository, as he did here. The 0.6.0 and 0.6.1 releases were contained to this backdoor aimed at sshd, but it’s not impossible that he could have added vulnerabilities prior to this. Xz is used during the Debian packaging process, so code he could change is active during some kind of sensitive points on a lot of systems.

        It is entirely possible that this is the first vulnerability that the attacker added, and that all the prior work was to build trust. But…it’s not impossible that there were prior attacks.

  • fireshell@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    Some no-name came and without any problems asked to become a maintainer in a project used in almost any distro, took it over, put a backdoor in there and no one had any questions? In this case, everything turned out thanks to pure chance. Noname screwed up his backdoor, which attracted the attention of a guy from Microsoft, and out of boredom, he dug up what was what. And if I hadn’t messed up, or that guy from Microsoft decided to go drink beer instead of poking around in the xz code, then no one would have discovered anything. It’s scary to imagine how many of these nonames are sitting in all these thousands of open source projects, waiting in the wings to roll out a malicious patch.

  • atzanteol@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    9 months ago

    They noticed that some ssh sessions took 0.5 seconds too long under certain circumstances. 😲

    Holy hell that’s good QA.

    • 30p87@feddit.de
      link
      fedilink
      arrow-up
      0
      ·
      9 months ago

      Well half a second delay is pretty noticeable when you ssh into a machine sitting right next to you. It should be instant. And if it isn’t something’s off.

      • krash@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        9 months ago

        Don’t see why you’re being downvoted, the person in question who discovered this is a postgres maintainer employed by Microsoft.

        • ijhoo@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          9 months ago

          Probably people think this is a troll or something.

          I wrote it because I was surprised, especially since I’m not a fan of microsoft and their policies. Lately, I have the feeling Microsoft is better than Google (relative terms) when it comes to oss.

          What is additionally surprising is the breaches of Microsoft services in the last year. There is one every few weeks or so… And then they pick up a backdoor because login took 0.5 instead of 0.1s.

          Anyway, his findings are amazing.

          • Wes_Dev@lemmy.ml
            link
            fedilink
            arrow-up
            0
            ·
            edit-2
            9 months ago

            This isn’t the same thing, but I’m reminded of Minecraft.

            Minecraft is a massively popular game. Notch once said he planned to make it open source when its popularity died down. But now Microsoft owns it.

            Not only that, but Mojang accounts don’t work anymore. You have to have a Microsoft account to play it now. Even trying to download and play an older version of the game offline requires Microsoft to approve it. Microsoft is actively tightening the leash on the game because it makes them money. Open sourcing the game will likely never happen now. The best we can hope for it for versions to fall into public domain after 70-ish years.

            That’s how I see Microsoft. They only care about what its beneficial for them to drive profits. Working on open source projects, and open sourcing a few of their tools to get the benefits of community adoption and code review is great, sure. But they’d sooner try to incorporate Linux into Windows to keep people in their surveillance ecosystem, than to open source Windows.

            Remember when Windows 10 was the last version, until they changed their minds? Remember when they floated the idea of charging a recurring subscription to use Windows, before they silently dropped the idea? Remember when there was credible talk about the next version of Windows being cloud-based where they controlled all your data and you had no privacy? Hell, you have basically no privacy on Windows 10. Trying to reclaim some involves registry edits, special third party tools, and a constant battle with automatic updates reverting your changes.

            I’ll say it again. Microsoft doesn’t care about OSS. It’s just currently beneficial for them to pretend they do.

            Goggle seemed to care a lot about OSS, then started making everything in Android depend on their proprietary ecosystem to function. Now Google is using the dominant position they got by taking advantage of OSS adoption, and have been pushing privacy-invading standards and trying to get rid of ad blockers online, among many other things.

            For these huge companies, OSS is just a tool to get more control and power. The moment it’s no longer useful, they’ll find ways to work around the license and enshitify everything again.

            It keeps happening. I refuse to keep trusting bad actors every time they dangle a shiny trinket over our heads.

            I do appreciate the work this person did in finding the bug. It’s not all doom and gloom.

            • ijhoo@lemmy.ml
              link
              fedilink
              arrow-up
              0
              ·
              9 months ago

              I agree with you sentiment here. That’s why I wrote ‘relative terms’ in my comment.

              Since Nadela took over, Microsoft did some open thing which benefited community. So, Microsoft opened somewhat.

              During the same time, under Pichai, google went the other way: they focus more on monetization and try to control stuff the apple way. Manifest v3? Google also didn’t do anything really worth mentioning in the last 10y in terms of products. Well, except ‘attention’ article. And even this they didn’t believe in and they cannot deliver a decent product. I just tried google advanced Gemini and it’s, to put it politely, shit. Google also had some positive actions like mainlining a lot of stuff in Linux Kernel to more easily upgrade android.

              So, while google is closing down and making mistakes, Microsoft is opening a bit up.

              If you look the state from the last year and the state now. Microsoft improved. Google went the other way.

              Microsoft doesn’t care about open source, they care about the money Cloud Services using open source bring them. I don’t think google cares as well. For reason read this: https://www.joelonsoftware.com/2002/06/12/strategy-letter-v/

  • chameleon@kbin.social
    link
    fedilink
    arrow-up
    0
    ·
    9 months ago

    This is a fun one we’re gonna be hearing about for a while…

    It’s fortunate it was discovered before any major releases of non-rolling-release distros were cut, but damn.

    • rolaulten@startrek.website
      link
      fedilink
      arrow-up
      0
      ·
      9 months ago

      That’s the scary thing. It looks like this narrowly missed getting into Debian and RH. Downstream downstream that is… everything.