How #NixOS and reproducible builds could have detected the #xz utils (#liblzma) backdoor for the benefit of all by @luj https://luj.fr/blog/how-nixos-could-have-detected-xz.html
How NixOS and reproducible builds could have detected the xz backdoor for the benefit of all

Julien Malka homepage

@3v1n0 @novaTopFlex

What code did they use instead?

I know of two fairly simple implementations of the notify protocol client, which have been around for years. I'm interested in knowing whether it was either of those, a third one, or just a quick nonce implementation.

#systemd #liblzma #xz #Debian

https://jdebp.uk/FGA/unix-daemon-readiness-protocol-problems.html#CrippledAdoption

FGA: Readiness protocol problems with Unix dæmons
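The post above asks what a project used in place of linking libsystemd for readiness notification. As an added example (not the code of any project mentioned in this thread), the following is a self-contained client for the notify protocol as documented in sd_notify(3): a single datagram of newline-separated KEY=VALUE pairs sent to the AF_UNIX socket named by $NOTIFY_SOCKET. It links nothing beyond the Python standard library, so no libsystemd and therefore no liblzma ends up in the process. The socket path used by `demo_exchange()` is a constructed temporary path standing in for the service manager, not a real systemd socket.

```python
"""Minimal sd_notify(3) client (added example; not any project's own code)."""
import os
import socket
import tempfile
from typing import Optional


def sd_notify(state: str, notify_socket: Optional[str] = None) -> bool:
    """Send `state` (e.g. "READY=1\\n") to the notify socket.

    Returns True if a datagram was sent, False when no socket is configured,
    i.e. the daemon is not running under a service manager that asked for
    readiness notifications.
    """
    path = os.environ.get("NOTIFY_SOCKET") if notify_socket is None else notify_socket
    if not path:
        return False
    # A leading '@' in NOTIFY_SOCKET denotes a Linux abstract-namespace socket;
    # the kernel spells that as a leading NUL byte in the address.
    if path.startswith("@"):
        path = "\0" + path[1:]
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(path)
        # The whole state string must go out as one datagram.
        sock.send(state.encode())
    return True


def demo_exchange(state: str = "READY=1\nSTATUS=listening\n") -> bytes:
    """Stand in for the service manager side of the protocol.

    Binds a datagram socket at a constructed temporary path (assumption: this
    mimics what systemd does with $NOTIFY_SOCKET), lets sd_notify() send to it,
    and returns the bytes that arrived, so the exchange can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notify")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as manager:
            manager.bind(path)
            manager.settimeout(2)
            sent = sd_notify(state, notify_socket=path)
            if not sent:
                raise RuntimeError("notification was not sent")
            # One notification == one datagram, read in a single recv().
            return manager.recv(4096)


if __name__ == "__main__":
    print(demo_exchange())
```

In a real daemon the call is simply `sd_notify("READY=1\n")` once the listening socket is open; when $NOTIFY_SOCKET is unset the function returns False and the daemon carries on, which is the documented behaviour of the C library call as well.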

@jrt @ph0lk3r @hisolutions @HonkHase

Many thanks for the write-up. I hope someone turns this material into a crime thriller.

Would you be up for performing it as a staged reading or (sock) puppet show at #38c3?

#CVE20243094 #xz #liblzma #Hintertür

Happy to see http://rubygems.org update https://blog.rubygems.org/2024/03/31/rubygems-and-xz.html that they have done an internal audit not just of the software used to run RubyGems.org itself, but also every gem that has ever been published.
RubyGems.org is not vulnerable to this issue and no gem currently published on RubyGems.org contains the vulnerable liblzma library.

#liblzma #security #vulnerability #ruby #XZLZMA #XZ

RubyGems.org | your community gem host

Well, I have to admit, I'm a real fan of the way #liblzma / #xz / #xzutils was hacked.
Putting the exploit not into the actual program but into the tests is really ingenious.

It drives me crazy that the backdoor in the #liblzma DLL of #xzutils was discovered by some guy because, when connecting over SSH, the connection took a quarter of a second longer than usual. I mean, who notices something like that, and how does one connect it to a vulnerability in #xz? It's insane; it still leaves me baffled.

It seems fairly clear that the author is some intelligence agency, judging by the planning, the level of skill and the resources. Fake accounts contributing code on Github for years, earning a reputation as contributors and the trust of the creator of XZ, with a degree of low-level technical knowledge within reach of few. A genuine covert operation sustained over time, lasting years, to install a backdoor on machines on a planetary scale.

Given the not-very-credible characteristics of the main fake account, apparently Chinese, I lean toward the Russian or US secret services, but that is pure speculation.

#ciberseguridad

Now I have to wonder if this bug report I filed ~1 year ago could already have led to discovering part of the attack. The linked binary is liblzma5.

#security #xz #liblzma #liblzma5
https://github.com/golang/go/issues/59208

debug/elf: Incorrectly double-decompressing ELF section · Issue #59208 · golang/go

What version of Go are you using (go version)? $ go version go version go1.20.1 darwin/arm64 Does this issue reproduce with the latest release? Yes. What operating system and processor architecture...

GitHub
To prevent stuff like #liblzma / #xz, #opensource software that is woven this deeply into the supply chain must be publicly funded; alternatively, proprietary/commercial software that uses these libs and tools must hand over part of its revenue to fund them, drop the dependency, or pay a fine.

Noble Numbat Beta delayed (xz/liblzma security update)

Canonical never stops working to keep Ubuntu at the forefront of safety, security, and reliability. As a result of CVE-2024-3094, Canonical made the decision to remove and rebuild all binary packages that had been built for Noble Numbat after the CVE-2024-3094 code was committed to xz-utils (February 26th), on newly provisioned build environments. This provides us with confidence that no binary in our builds could have been affected by this emerging threat. As a result of this, the Beta release ...

Ubuntu Community Hub

Oh, look, the #OpenSSF is placing the #xz #xzutils problem on the sole #liblzma maintainer.

Instead of "remaining vigilant" they could help direct more resources to open source projects. None of this is to be seen in the article.

https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/

xz Backdoor CVE-2024-3094 – Open Source Security Foundation