XZ backdoor

GeekyDeaks

TL;DR: if you run a .deb or .rpm distro based server with public ssh, check if you need to update it ASAP

This is one of the craziest things I have seen in a while. Purely by accident, someone stumbled upon a backdoor in the xz compression library that intercepts certain cryptographic calls made by other applications or libraries linked to it. The way they obfuscated it into the build process as a unit test is pretty cunning. Looks like it's a 'Remote Code Execution' rather than auth bypass, but the worry is if other things like this have been missed before.

FAQ: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

Original Details: https://www.openwall.com/lists/oss-security/2024/03/29/4
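A quick triage script for the "check if you need to update" step, added here as an example rather than anything from the thread or the linked advisories: it reports whether the host's sshd loads liblzma (the library the post describes as the carrier) and which xz/liblzma package is installed, so the version can be compared against the FAQ. The sshd path, the `liblzma5` / `xz-libs` package names and the constructed ldd output in the test are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage whether sshd on this host loads
# liblzma and report the installed xz/liblzma package version for comparison
# with the advisory. Assumes Debian/Ubuntu (dpkg) or RPM-based packaging.

# Returns 0 if the supplied `ldd` output lists liblzma, 1 otherwise.
# Takes the text as an argument so it can be checked against captured output.
sshd_links_lzma() {
  printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Prints the installed xz/liblzma package version, or "unknown" when neither
# package manager is present. Package names are assumed, not taken from the post.
installed_lzma_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}' liblzma5 2>/dev/null || echo "unknown"
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}' xz-libs 2>/dev/null || echo "unknown"
  else
    echo "unknown"
  fi
}

# Runs the check against the local sshd binary and prints a short report.
triage_host() {
  sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
  if [ -x "$sshd_path" ]; then
    if sshd_links_lzma "$(ldd "$sshd_path" 2>/dev/null || true)"; then
      echo "sshd at $sshd_path loads liblzma: compare the version below with the advisory"
    else
      echo "sshd at $sshd_path does not load liblzma"
    fi
  else
    echo "no sshd binary found at $sshd_path"
  fi
  echo "installed xz/liblzma package version: $(installed_lzma_version)"
}
```

Run `triage_host` on each server; a host whose sshd does not load liblzma still needs the package update, the report just tells you which case you are in.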
Yeah, crazy is entirely right. I'd add scary to that. I wonder what else will come out of the woodwork now, with people looking with more suspicion at odd-looking commits...
The way things ended up sort of reminds me of the heartbleed bug. You have a ubiquitous library maintained by one or two developers, so things can get through the cracks. The deliberate malice behind this one is pretty worrying though. Certainly a lesson that you don't need to just pay close attention to the commits of the end service but also everything it relies on, even indirectly. I suspect the distro maintainers might be less blasé patching security services in future.
I am surprised there is not more of it happening: not only do you have a distribution with many apps, each of which could go rogue, but down a layer you have many apps using libraries that you don't look under the hood of.

Old languages like Common Lisp have Quicklisp, where you add the library to your code and it is downloaded behind the scenes and used with the assumption that the developer was not malicious and that no other actor got malicious code into that repository. Moving to the modern era you have Rust. It has similarities with Cargo and crates.io, its package management and repository. As of today it says it has 60,166,690,665 downloads and 141,883 crates in stock. It just requires one popular one to go rogue and the next time many apps rebuild themselves we have a problem.

Open source is good in that it is open, but the reality is that there is also a lot of trust going on.