Conversation

Notices

1. Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 09:34:48 JST Matt Hamilton

   in reply to

   • John

   @John The post you're commenting on is a bit in the weeds. At a high level, the xz compression library was intentionally subverted by one of the project maintainers and a backdoor was inserted. This impacted SSH on Debian and Fedora, two very popular linux distros.

   The best high-level writeup I can find is Michael Larabel's: https://www.phoronix.com/news/XZ-CVE-2024-3094

   • † top dog :pedomustdie: (dcc@annihilation.social)'s status on Saturday, 30-Mar-2024 09:34:48 JST † top dog :pedomustdie:

     in reply to

     • John
     @eriner @John (it also requires sys d to work)
   • John (john@noauthority.social)'s status on Saturday, 30-Mar-2024 09:34:49 JST John

     in reply to

     @eriner explain what this means

   • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 09:34:50 JST Matt Hamilton

     in reply to

     oh yeah, and the guy who submitted the PR supposedly works at 1Password.

     So that's nice.

   • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 09:34:50 JST Matt Hamilton

     in reply to

     Both of the maintainer accounts for the xz (under the https://github.com/tukaani-project) have been suspended, presumably by Github staff:

     The suspension isn't listed on the account profile, but visible in the Following/Followers list for some reason, ex: https://github.com/JiaT75?tab=following

   • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 09:34:51 JST Matt Hamilton

     in reply to

     Fear not, xz users, a new developer has stepped up to take over the project:

     Tia Jan <jant1203@proton.me>

   • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 09:34:51 JST Matt Hamilton

     in reply to

     The backlash thread on GitHub is already well underway: https://github.com/tukaani-project/xz/issues/92

   • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 09:34:51 JST Matt Hamilton

     in reply to

     Guy has Go project that wraps xz to provide native Go bindings. Project has had no commits for THREE YEARS.

     Suddenly some guy sends a PR to update the version of xz in use to the backdoored version:
     https://github.com/jamespfennell/xz/pull/2

     Then you got some guy in the HN comments astroturfing everyone claiming that he knows the guy who submitted the PR IRL and he's a "cool dude", or something.

     All this shit is so sus.

     CAN THE FUCKING FEDS PLEASE STOP BACKDOORING OPEN SOURCE SOFTWARE PLEASE? K THANKS

   • Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 09:34:52 JST Matt Hamilton

     Oooooooof

     > Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository.

     https://security.archlinux.org/CVE-2024-3094