I also appreciate the heads-up on this as I literally do have better things to 
do than spend an hour every day reviewing security exploit mailing lists. 😉

Coming from a FreeBSD background this is why I have never liked the "yum 
install" and "apt-get" things that the Linux userbase take for granted.  Under 
FreeBSD you have ports and you install Unix software the way God intended Unix 
software to be installed, "make install".
Then you actually get CHOICES on how to build.  Why does xz need to run the 
test sets anyway during building?  How stupid!  90% of what it's being built on 
is x86; it's going to result in the same binary.

Note that this has happened before:

https://lwn.net/Articles/853717/

The most troubling aspect is that there's too little supervision of changes in 
projects.

Ted

-----Original Message-----
From: PLUG <plug-boun...@lists.pdxlinux.org> On Behalf Of MC_Sequoia
Sent: Friday, April 5, 2024 3:21 PM
To: Portland Linux/Unix Group <plug@lists.pdxlinux.org>
Subject: Re: [PLUG] - attack on sshd via xz => More XZ Libs malware info

Firstly, thank you for making me aware of this! 

"It also helps that it really only made it to the public through Debian 
unstable and testing."

According to this article, 
https://thenewstack.io/malicious-code-in-linux-xz-libraries-endangers-ssh/, xz 
is a "core Linux compression utility". I wasn't aware. 

So any unstable/testing distro is vulnerable. "Red Hat was first to break the 
news of the boobytrap."

Here's the pkg & version info for those who want to do a quick system check.

Package: xz-utils
Version: 5.6.1+really5.4.5-1

Refer to full Debian bug report => 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024

The most troubling aspect of this malware is this: 

"I count a minimum of 750 commits or contributions to xz by Jia Tan, who 
backdoored it.

This includes all 700 commits made after they merged a pull request in Jan 
2023, at which point they appear to have already had direct push access, which 
would have also let them push commits with forged authors. Probably a number of 
other commits before that point as well."

So there might be more malware lurking and there might be more security 
fallout. 
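A quick system check along the lines suggested above, as an added example that is not part of this thread: it reads the installed xz-utils version with dpkg-query and applies Debian's "+really" convention, so the fixed package 5.6.1+really5.4.5-1 is recognised as upstream 5.4.5 rather than 5.6.1. It assumes the affected upstream releases are 5.6.0 and 5.6.1 (the thread itself names only 5.6.1), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: quick check of the installed xz-utils
# package on a Debian/Ubuntu system. Function names are my own.

# Reduce a dpkg version string to the upstream version actually shipped.
# Debian's "+really" convention (as in 5.6.1+really5.4.5-1) makes the package
# version sort above 5.6.1 while the contents are upstream 5.4.5.
effective_upstream() {
    v=${1%%-*}                        # drop the Debian revision ("-1")
    v=${v#*:}                         # drop an epoch ("1:") if present
    case $v in
        *+really*) v=${v##*+really} ;;   # keep what follows "+really"
    esac
    printf '%s\n' "$v"
}

# Assumption: upstream releases 5.6.0 and 5.6.1 carried the malicious build
# scripts (the thread names only 5.6.1). Prints BACKDOORED or OK.
classify_xz() {
    case $(effective_upstream "$1") in
        5.6.0|5.6.1) echo BACKDOORED ;;
        *)           echo OK ;;
    esac
}

# Query the live package database; returns 2 if dpkg-query is unavailable.
check_system() {
    command -v dpkg-query >/dev/null 2>&1 || {
        echo "dpkg-query not found; not a dpkg-based system" >&2
        return 2
    }
    ver=$(dpkg-query -W -f='${Version}' xz-utils 2>/dev/null) || {
        echo "xz-utils is not installed"
        return 0
    }
    printf 'xz-utils %s -> %s\n' "$ver" "$(classify_xz "$ver")"
}

# Run the live check only when invoked with --check, so the functions can be
# sourced or tested without touching dpkg.
if [ "${1:-}" = "--check" ]; then
    check_system
fi
```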
