I suspect distros probably want to roll XZ back to around January 2024, stop bundling updates until the developer is removed in GitHub or a logical explanation can be given, and somebody needs to fund a code review of it.
As I said, the impact here will be very limited due to how quick it was caught. Everybody owes the finder a beer.

@GossiTheDog I'm sure the FBI will thank him in their traditional fashion for cyber security saviours

@GossiTheDog indeed we do. This exploit was carefully aimed at Linux using systemd-launched SSH. We non-Linux folks can breathe a hair easier, but who knows what else is going on. Don't panic, but definitely be cautious.

@GossiTheDog That specific dev contributed to wasmtime etc. too. So more projects need audits.

Postgres developer @AndresFreundTec saving Linux security from backdoors as a side-of-desk activity

"Oops, I just stopped a massive operation that could have brought down everything under the sun, accidentally." *flexes*

CISA advisory: Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

The person/account on the XZ repo also altered the security disclosure policy on that and other repos they author in the months prior.

@GossiTheDog That's interesting. So basically removed all of the requests for specific information, and left reporting as: "send us an email or something"?

@jbaggs yeah. So they changed one to "If you discover a security vulnerability in this project please report it privately. Do not disclose it as a public issue." as an example. Looks like a long game attack.

@GossiTheDog @jbaggs bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2059417 this is also interesting, they signed up yesterday on Ubuntu

How long before the numpties begin combining this with their Baltimore bridge cyber conspiracy theories?

Interesting find by @fuomag9 - the XZ repo person tried getting Ubuntu to update yesterday by filing a bug report https://bugs.launchpad.net/bugs/2059417

The Twilight Zone time - a bug from 2015 comes back around in the XZ incident, it appears https://github.com/google/sanitizers/issues/342

@GossiTheDog wait, are we at "implementing features to get plausible deniability for evading vuln scanning"? Because if so this feels quite novel. At the very least I can't remember a comparable supply chain attack of this sophistication off the top of my head

@uoxc @GossiTheDog Doesn't need to be that sophisticated. Either (a) the developer continues submitting other work whilst compromising at least one project, or (b) the account is in use by two people - the real developer and a hacker. So the question becomes compromised account or compromised developer. In the first case it's not that unbelievable that someone who was up to no good would try to cover their tracks by doing other unrelated things.

@GossiTheDog @fuomag9 Interesting that Debian and other distros already knew about the issue (under embargo) and were already reverting, but Ubuntu didn't seem to know about it yet from these comments. Also, reading these comments, apparently 5.6.0 was already on Ubuntu?
@GossiTheDog LOL, Wikipedia has already been updated https://en.wikipedia.org/wiki/XZ_Utils