Anyone got a link for this topic that isn’t a video?

https://tukaani.org/xz-backdoor/
Check the links on that page.

Good explainer, if you need to catch up like I did:
https://en.m.wikipedia.org/wiki/XZ_Utils
Read the supply chain attack section.
Also, from the video...
X is losing its action! We LIKE!
Hell yeah we like.

Thanks for the pointer.
This is really huge, but people don't quite understand that yet.
If this wasn't caught, every system running a public sshd could be hacked or abused/misused.
And I completely agree with the last words: corporations should pay FOSS projects!

Even paid, it might be hard to find maintainers with knowledge of the code.

For all those wanting to know what version of the xz package you have, DO NOT use xz -V or xz --version. Ask your package manager instead; e.g. apt info xz-utils. Executing a potentially malicious binary IS NOT a good idea, so ask your package manager instead.

So if I have been using Arch with the infected xz library to connect to a Debian LTS server, am I compromised?

Assume yes until you can prove otherwise.
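The package-manager check recommended a couple of comments up, written out as a script. This is an added example, not something any commenter posted. It queries the package database (dpkg-query, pacman or rpm) so the possibly trojaned xz binary is never executed, strips the distro epoch/revision to get the upstream version, and compares that against 5.6.0 and 5.6.1, the two release tarballs the linked tukaani.org page identifies as backdoored. The package names (xz-utils on Debian/Ubuntu, xz on Arch and Fedora) and the sample version strings are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): learn which xz is installed by asking the
# package manager, never by running the xz binary itself.
# Known fact (tukaani.org/xz-backdoor): the backdoor is in upstream release
# tarballs 5.6.0 and 5.6.1. Package names per distro are assumed here.

# Reduce a distro version string to its upstream part:
#   "5.6.1-1" -> "5.6.1", "1:5.6.1-1ubuntu1" -> "5.6.1" (epoch and revision dropped)
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

# Print yes/no (and return 0/1) for whether the upstream code is a backdoored release.
# Handles Debian's "+really" downgrade convention: "5.6.1+really5.4.5-1" ships 5.4.5 code.
is_backdoored_version() {
    v=$(upstream_version "$1")
    case "$v" in
        *+really*) v=${v##*+really} ;;
    esac
    case "$v" in
        5.6.0|5.6.1) echo yes; return 0 ;;
        *)           echo no;  return 1 ;;
    esac
}

# Ask the package database. None of these commands execute /usr/bin/xz.
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' xz-utils 2>/dev/null     # Debian/Ubuntu
    elif command -v pacman >/dev/null 2>&1; then
        pacman -Q xz 2>/dev/null | awk '{print $2}'              # Arch prints "xz 5.6.1-1"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' xz 2>/dev/null      # Fedora/RHEL
    else
        return 1
    fi
}

main() {
    ver=$(installed_xz_version) && [ -n "$ver" ] || {
        echo "could not read the xz version from a supported package manager" >&2
        return 2
    }
    printf 'installed xz package: %s (upstream %s)\n' "$ver" "$(upstream_version "$ver")"
    if is_backdoored_version "$ver" >/dev/null; then
        echo "WARNING: upstream version matches a backdoored release; upgrade per your distro advisory"
    else
        echo "not one of the known backdoored upstream versions"
    fi
}

# Run the check when executed directly; tolerate "no package manager" so the
# functions remain usable when this file is sourced on another system.
main "$@" || :
```

A match here means "act on the advisory", not "the binary is certainly malicious": the Arch news post linked below shipped its fix as a rebuild of 5.6.1 with a bumped package release, so on Arch the upstream number alone does not settle it, whereas Debian reverted with the +really5.4.5 version string, which the script recognises as clean code.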

From what I've read, both Arch and Debian stable aren't vulnerable to this. It targeted mostly debian-testing.

Arch put out a statement saying users should update to a non-infected binary even though it doesn't appear to affect Arch: https://archlinux.org/news/the-xz-package-has-been-backdoored/
However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.

Arch stable had it apparently, but that's not the commonly used version of Arch.

As I heard it, the (naughty) build tooling looked for rpm and deb, and bailed out if they were absent.

I would pay attention to the news. You definitely want to upgrade immediately if you have not already.

I need the IASIP meme for this thumbnail

Here is an alternative Piped link:
https://piped.video/watch?v=gyOz9s4ydho
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source; check me out at GitHub.

That thumbnail is something else.