Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-30 Thread Michael Orlitzky
On 2024-03-30 07:08:45, Marc Culler wrote:
> > Potentially, any tarfile we host may contain an exploit. 
> 
> Potentially, any file may contain an exploit.
> 
> This hack specifically targeted ssh.  When used by ssh to verify keys, the 
> hacked liblzma would validate certain invalid keys, allowing a "back door" 
> for a particular bad actor to login to the system.

The backdoor that was _found_ targeted SSH. The person who put it
there had commit access to the project for a long time.

I've seen many people assume that if they aren't running a patched
sshd, then they're safe by downgrading to an earlier version free of
the sshd hack. If your earlier version was maintained by the same
malicious person, I wouldn't be so sure. This was a coordinated attack
starting in 2021 or earlier.

None of that invalidates your point of course: bundling (or not) is
irrelevant if the person writing your code is untrusted. On the other
hand, this wouldn't be "our code" if we didn't run our own distro.

-- 
You received this message because you are subscribed to the Google Groups 
"sage-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to sage-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/sage-devel/Zggi-KQ_gsPs4RTf%40stitch.


Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-30 Thread Marc Culler
According to Hacker News:
> openssh does not directly use liblzma. However debian and several other 
> distributions patch openssh to support systemd notification, and libsystemd 
> does depend on lzma.

So this hack was not targeting ssh in general, just ssh on certain linux 
distros.

I would NOT suggest that "for your security" Sage should stop supporting 
linux.

- Marc



Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-30 Thread Marc Culler
> Potentially, any tarfile we host may contain an exploit. 

Potentially, any file may contain an exploit.

This hack specifically targeted ssh.  When used by ssh to verify keys, the 
hacked liblzma would validate certain invalid keys, allowing a "back door" 
for a particular bad actor to login to the system.

I don't think that the Sage liblzma  could ever end up being the one used 
by ssh.

We all know how many things are justified as being "for your security" when 
in fact they do nothing to increase anyone's security and are really just 
advancing someone's private agenda.

- Marc




Re: [sage-devel] Re: xz/liblzma has been compromised

2024-03-30 Thread Dima Pasechnik
On Fri, Mar 29, 2024 at 7:42 PM Dima Pasechnik  wrote:
>
> On Fri, Mar 29, 2024 at 7:39 PM Matthias Koeppe
>  wrote:
> >
> > Workaround with the Sage distribution: "./configure 
> > --without-system-liblzma --without-system-xz"
> > (Our xz package dates back from before the attackers were born;)
> >
> > Incidentally, the cryptographic protection of the Sage distribution is 
> > wildly insufficient.
> > I've opened https://github.com/sagemath/sage/issues/37691 for this -- any 
> > takers?
>
> I'd switch to sha256.
> And require PGP-signed commits, etc.
>
> well, I can't even comment on that issue :-)

By the way, the essential part of xz backdoor was sneaked in as a
modified copy of a gnulib m4 macros file.
As this is "the" way to use gnulib - just vendor what they provide in
your source code - one may wonder again
about the virtues of vendoring a lot of code.
Potentially, any tarfile we host may contain an exploit.

As well as anything produced on CI, VM, or, real, hosts running
compromised OS (latest unstable versions of Debian and Fedora were
compromised with this xz hack, Homebrew was, as well). So this is
something to review urgently, too.

Dima

> > On Friday, March 29, 2024 at 12:18:24 PM UTC-7 Dima Pasechnik wrote:
> >>
> >> https://www.openwall.com/lists/oss-security/2024/03/29/4
> >>
> >> if you have xz 5.6.0 or 5.6.1 installed (e.g. Debian testing/unstable)
> >> you have a backdoored xz.

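Added example, not Sage's own code and not from anyone in this thread: a small Python audit for the two points above, a vendored release tarball carrying a modified or extra m4 file, and the suggestion to move to sha256. It hashes every regular file in a tarball with SHA-256 and compares it with the same path in a trusted checkout, reporting files that exist only in the tarball or whose contents differ; the package name, paths and file contents in `demo()` are constructed samples.

```python
import hashlib
import io
import os
import tarfile
import tempfile

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_tarball(tar_path, ref_dir, strip_components=1):
    """Return (only_in_tarball, differing): tarball files absent from, or
    byte-different to, the same path in the trusted reference tree."""
    only_in_tar, differing = [], []
    with tarfile.open(tar_path, "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            # drop the leading "pkg-x.y/" directory; skip traversal tricks like ".."
            rel = "/".join(member.name.split("/")[strip_components:])
            if not rel or rel.startswith("/") or ".." in rel.split("/"):
                continue
            data = tf.extractfile(member).read()
            ref_file = os.path.join(ref_dir, rel)
            if not os.path.isfile(ref_file):
                only_in_tar.append(rel)  # never went through review in the source tree
                continue
            with open(ref_file, "rb") as fh:
                if sha256_bytes(fh.read()) != sha256_bytes(data):
                    differing.append(rel)  # silently changed at release time
    return sorted(only_in_tar), sorted(differing)

def demo():
    """Constructed sample: one file altered in the tarball, one only in the tarball."""
    tmp = tempfile.mkdtemp()
    ref_dir = os.path.join(tmp, "ref")
    os.makedirs(os.path.join(ref_dir, "m4"))
    ref_files = {"configure.ac": b"AC_INIT([pkg], [0.0])\n", "m4/gettext.m4": b"# gettext\n"}
    for rel, data in ref_files.items():
        with open(os.path.join(ref_dir, rel), "wb") as fh:
            fh.write(data)
    tar_files = {**ref_files, "m4/gettext.m4": b"# gettext (altered)\n",
                 "m4/vendored-extra.m4": b"# only in tarball\n"}
    tar_path = os.path.join(tmp, "pkg-0.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tf:
        for rel, data in tar_files.items():
            info = tarfile.TarInfo("pkg-0.0/" + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return audit_tarball(tar_path, ref_dir)
```

Files reported in the first list are the ones a reviewer has no upstream history for; the second list is where a release-time edit hides.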


[sage-devel] testing notebooks with pytest --nbval ?

2024-03-30 Thread Dima Pasechnik
Is anyone testing their Sage Jupyter notebooks with pytest --nbval ?
I imagine that for collections of notebooks this can be used to set up CI tests.

Dima
