xz-utils backdoored

They seem pretty open to the problem to me, I don't see anything being kept secret in that article.
No, they are doing an excellent job. My point was in regard to your comment "With so many eyes pouring over the code, there's no chance a backdoor or malicious actor could be kept secret in the open source community." My quote was meant to show that just because you have source code, there are many ways that a malicious actor can put "malware" into the code, which might not be evident to many/most of the people perusing the code (Hence, Underhanded-C.)
 
this is why you need computer condoms
 
Interesting.

All my desktops and laptops are still on liblzma 5.2.5

My server is on Liblzma 5.4.1

So looks like I am unaffected.

Looks like this one was caught before it got to mainstream use. Makes you wonder who tried to sneak it in.



The part I don't get is, how do they say that the vulnerability requires liblzma 5.6.0 or 5.6.1, stating that it is pretty rarely in use unless you have a rolling distro and obsessively update, and then go on to say that if you have a public SSH you are likely vulnerable.

These statements seem contradictory.
 
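The version question in the post above comes down to two separate facts: which liblzma release is installed, and whether the local sshd actually loads that library (on the distributions that were exposed, sshd pulled liblzma in indirectly through libsystemd, which is why a version alone does not settle it). The script below is an added example, not code from the thread or from the xz project; the only inputs taken from the thread are the affected release numbers 5.6.0 and 5.6.1. All function names and the sample `xz --version` and `ldd` output are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the thread or the xz project): decide whether a
# host is exposed to the liblzma 5.6.0/5.6.1 backdoor by combining the
# installed xz version with what the local sshd binary actually loads.

# Constructed sample inputs, not captured from a real host.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc00001000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'
SAMPLE_LDD_NO_LZMA='    linux-vdso.so.1 (0x00007ffc00001000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

# Return 0 when VERSION is one of the two backdoored releases, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Take the version number from `xz --version` output (first line, last field).
parse_xz_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF; exit }'
}

# From `ldd` output, print the path liblzma resolves to, or nothing if sshd
# does not load liblzma at all.
liblzma_path_from_ldd() {
    printf '%s\n' "$1" | awk '/liblzma\.so/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit }
    }'
}

# "liblzma.so.5.6.1" -> "5.6.1" (the symlink target carries the full version).
version_from_soname() {
    printf '%s\n' "$1" | sed -n 's/^liblzma\.so\.//p'
}

# Verdict for a host. Arguments: installed xz version, and the liblzma
# version loaded by sshd (empty when sshd does not load liblzma).
classify_host() {
    xz_ver="$1"; sshd_lzma="$2"
    if [ -n "$sshd_lzma" ] && xz_version_affected "$sshd_lzma"; then
        echo "exposed: sshd loads liblzma $sshd_lzma"
    elif xz_version_affected "$xz_ver"; then
        echo "at-risk: liblzma $xz_ver installed but sshd does not load it"
    elif [ -n "$sshd_lzma" ]; then
        echo "unaffected: liblzma $xz_ver installed, sshd loads liblzma $sshd_lzma"
    else
        echo "unaffected: liblzma $xz_ver installed, sshd loads no liblzma"
    fi
}

# Live check of this machine; quietly degrades when xz, sshd or ldd is absent.
check_local_system() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed; nothing to check"
        return 0
    fi
    xz_ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    sshd_lzma=""
    sshd_path=$(command -v sshd 2>/dev/null || true)
    [ -n "$sshd_path" ] || [ ! -x /usr/sbin/sshd ] || sshd_path=/usr/sbin/sshd
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        so=$(liblzma_path_from_ldd "$(ldd "$sshd_path" 2>/dev/null || true)")
        if [ -n "$so" ]; then
            sshd_lzma=$(version_from_soname "$(basename "$(readlink -f "$so")")")
        fi
    fi
    classify_host "$xz_ver" "$sshd_lzma"
}

check_local_system
```

The "at-risk" verdict is deliberate: a 5.6.x liblzma that sshd does not load is not the sshd backdoor scenario, but it is still the tampered release and should be downgraded or replaced rather than left in place.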
No, they are doing an excellent job. My point was in regard to your comment "With so many eyes pouring over the code, there's no chance a backdoor or malicious actor could be kept secret in the open source community." My quote was meant to show that just because you have source code, there are many ways that a malicious actor can put "malware" into the code, which might not be evident to many/most of the people perusing the code (Hence, Underhanded-C.)
Which is absolutely no different to proprietary code.

The facts as they stand highlight that in this case, another pair of eyes, possibly in another part of the globe from the one the malicious actor operated from, found the payload before it was deployed at large scale.

Could it have been luck? Possibly. Could it have been poor, untested code? Unlikely; this attack had been in planning for a good two years before taking place. Could it highlight a strength regarding OSS software development? Definitely.
 
I'm not entirely convinced this wasn't a state sponsored attempt to insert an exploitable back door.

Maybe us, maybe Russia, but probably China.
The level of sophistication makes that angle likely; it could be one of those Pegasus-type semi-private companies as well.
 
The level of sophistication makes that angle likely; it could be one of those Pegasus-type semi-private companies as well.

Maybe.

Though it probably wouldn't be too difficult to approach and pay some project maintainer a fuck-ton of money to insert some carefully crafted obfuscated code that results in a difficult to spot backdoor.

Or - you know - just write a national security letter, force them to do it or face the consequences by law, and ban them from telling anyone about it. The NSA loves that shit.
 
Though it probably wouldn't be too difficult to approach and pay some project maintainer a fuck-ton of money to insert some carefully crafted obfuscated code that results in a difficult to spot backdoor.
Apparently it took a good level of sophistication... it is yet to be fully understood, from what I understand (the compile chain is still quite broken right now; a large part of the project on vcpkg and others does not work out of the box), and the user account acted for years as if it was planned all along (fake account online, a lot of pressure to get control of the git project and for changes to be faster, etc....).

 
Apparently it took a good level of sophistication... it is yet to be fully understood, from what I understand, and the user account acted for years as if it was planned all along (fake account online, a lot of pressure to get control of the git project, etc....).


Interesting.

I did not know all of this, but it brings my thinking from "might be state sponsored" to "almost definitely is state sponsored".

It's difficult to picture some hacking group or script kiddie putting in all of this long term effort to maybe gain something from it in the future. This kind of long term dedication screams "state sponsored effort" to me.

But what do I know. I'm no expert.

I wonder how this Freund guy at Microsoft stumbled across it. (not suggesting conspiracy or anything, just curious)
 
Interesting.

I did not know all of this, but it brings my thinking from "might be state sponsored" to "almost definitely is state sponsored".

It's difficult to picture some hacking group or script kiddie putting in all of this long term effort to maybe gain something from it in the future. This kind of long term dedication screams "state sponsored effort" to me.

But what do I know. I'm no expert.

I wonder how this Freund guy at Microsoft stumbled across it. (not suggesting conspiracy or anything, just curious)
He was doing micro-benchmarking to optimize software he was working on and noticed sshd using consistently more CPU time (~500ms) to do a task that is normally almost instant, and it was also causing some errors in valgrind (iirc) after a recent system upgrade. Turns out xz-utils (and some other pkgs) were updated with that upgrade.
 