this post was submitted on 30 Mar 2024
73 points (100.0% liked)

technology

22835 readers
1 users here now

On the road to fully automated luxury gay space communism.

Spreading Linux propaganda since 2020

Rules:

founded 4 years ago
MODERATORS
 

If you're running version 5.6.0 or 5.6.1, downgrade immediately.

top 30 comments
sorted by: hot top controversial new old
[–] [email protected] 23 points 7 months ago (2 children)

Do not run xz --version. Instead check the version in your package manager.

[–] [email protected] 12 points 7 months ago* (last edited 7 months ago) (2 children)
debian/ubuntu based distros:
apt show xz-utils
or
dpkg -l | grep xz

redhat/fedora-based:
yum info xz
dnf info xz

arch-based:
pacman -Qi xz

EDIT: correction as suggested below

[–] [email protected] 3 points 7 months ago

On my machine the package name is slightly different:

apt show xz-utils

[–] [email protected] 2 points 7 months ago

5.4.1, my habit of putting off updates pays off again

[–] [email protected] 5 points 7 months ago (1 children)

Why is that? I know the latter gives you more info, but it's still the same thing isn't it?

[–] [email protected] 20 points 7 months ago (1 children)

Because you are running the affected software. It's a bad idea to run something if we are aware that it contains or relies on malicious code.

[–] [email protected] 14 points 7 months ago

Omg obviously. Can't believe I didn't realize that. Thanks for the answer.

[–] [email protected] 16 points 7 months ago (1 children)

Jokes on you; I haven't run a system update since 2006

[–] [email protected] 2 points 7 months ago (1 children)

Ubuntu 6.06 moment (Debian 3.1)

[–] [email protected] 3 points 7 months ago

I'm using arch btw. ... oh no

[–] [email protected] 14 points 7 months ago (1 children)

Wow! This was so close to perhaps being one of the worst security compromises in open source history.

[–] [email protected] 10 points 7 months ago (2 children)

For me I feel like we have not had any big security stuff since the whole log4j thing. While this seems bigger they have caught it relatively early. I feel like more people had to panic patch Minecraft servers with log4j.

[–] [email protected] 7 points 7 months ago (1 children)

maybe the libwebp vulnerability deserves a honorable mention, although i don’t think it has had as big an impact, it could’ve been way worse.

[–] [email protected] 4 points 7 months ago

Good point! I did forget about that one.

[–] [email protected] 5 points 7 months ago (1 children)

My only reservation is that this compromised contributor has been working on the project for a few years. I hope that this is the end of the tunnel and there aren’t more issues to be uncovered with further analysis.

[–] [email protected] 11 points 7 months ago

Its easy to spiral out of control thinking about how the practice that got us this backdoor is something that is used all over the open source community to build code. In the end we can only evaluate what is in front of us and pray the things lurking in the shadows are something we can deal with when they expose themselves.

[–] [email protected] 14 points 7 months ago (1 children)

Mods should sticky this. This is the third post in this comm about the vulnerability.

[–] [email protected] 6 points 7 months ago* (last edited 7 months ago)

The only people who will have this vulnerability AFAIK (and have it be actionable with the ssh backdoor) are folks running Debian unstable on a ssh server. The shitty part about this is a rupture in trust for the maintainers at xz.

Honestly, the attacker picked a really shitty time frame considering their payload isn't in any important point releases where they could have the most effect.

[–] [email protected] 13 points 7 months ago* (last edited 7 months ago) (1 children)

How to check your version without running xz on nixOS, the official OS of trans people:

ls -l $(which xz)

I'm at 5.4.4 thankfully.

[–] [email protected] 6 points 7 months ago

nixos doesn't appear to be vulnerable in general, based on this thread

[–] [email protected] 7 points 7 months ago (2 children)

So I assume the malicious code is being removed and a version 5.6.2 without it will be released soon? Or is it more complex to solve and I’m being naive?

[–] [email protected] 10 points 7 months ago* (last edited 7 months ago)

So the backdoor was not in the source code but in the system used to build the code. Devs for a long time now have swapped over to an automated build system and what happened with this one is in the last step for the xz build process it adds the backdoor to it. You simply have to remove the references to the data in the build config.

EDIT: Rewrote a sentence that sounded stupid

[–] [email protected] 5 points 7 months ago* (last edited 7 months ago)

Something like that. It should be patched shortly. Thank god for smart people and autists.

[–] [email protected] 7 points 7 months ago (1 children)

My repos are only pulling 5.4.1 big-cool

[–] [email protected] 2 points 7 months ago (1 children)

Phew. Same.

So, what do we do in this case to avoid contamination via updating? Just don't "sudo apt upgrade" for a while?

[–] [email protected] 4 points 7 months ago

I'm no expert, but I'd assume the repository maintainers would pull the malicious packages ASAP. check to see if you have any updates available, if the malicious version is not available then you're chilling squidward-chill

[–] [email protected] 5 points 7 months ago (1 children)

Does it spread itself to other parts of the system, or it contained exclusively within locations used by this program?

[–] [email protected] 15 points 7 months ago

People aren't 100% sure yet but preliminary analysis believes it is contained. Look forward to excrutiatingly-detailed levels of analysis to be published in the coming days and weeks, this is like every Foss Discourse topic tossed into a blender all at once.

[–] [email protected] 4 points 7 months ago* (last edited 7 months ago)

goddamn chuds hijacking my linux libraries

[–] [email protected] 2 points 7 months ago

Good thing I disassembled my laptop this week.

Haven't updated since last month, is this a newly released vulnerability?