dcoles

Oddly Specific

Principal Software Engineer and Systems Architect at Sony Interactive Entertainment (PlayStation) 🎮

╌

@fixingtheuniverse is my stash of unread papers and articles 📑

--

🦘 🌇 🏳️‍🌈

--


posts from @dcoles tagged #computer security


Lasse Collin (long-time maintainer of xz-utils) now has a dedicated page on the xz-utils backdoor (CVE-2024-3094):

This page is short for now but it will get updated as I learn more about the incident. Most likely it will be during the first week of April 2024.

The Git repositories of XZ projects are on git.tukaani.org.

xz.tukaani.org DNS name (CNAME) has been removed. The XZ projects currently don't have a home page. This will be fixed in a few days.

There also exists a FAQ on the xz-utils backdoor by thesamesam.

Thankfully this was caught before the affected xz-utils tarballs (5.6.0 and 5.6.1) were pulled into major distribution releases. If you are running pre-release Fedora Linux 40 beta, Fedora Rawhide, Debian Testing, Arch or similar, you should immediately downgrade to a stable version until those distributions have shipped packages that fix the affected versions.
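A quick way to act on that advice, as an added example that is not part of the original post: a small POSIX shell check that parses the first line of `xz --version` and reports whether the installed release is one of the two affected tarball versions named above. It assumes, as the post states, that only upstream 5.6.0 and 5.6.1 are affected, and that distribution packages may append a revision suffix such as `-1` that should be ignored when comparing.

```shell
#!/bin/sh
# Added example, not code from the original post or from the xz project.
# Assumption: only upstream releases 5.6.0 and 5.6.1 are affected (CVE-2024-3094).

# Return 0 (true) if the given version string names an affected release.
# A distribution package revision such as "5.6.1-1" or "5.6.1+really5.4.6"
# is stripped so the comparison is against the upstream version only.
xz_version_affected() {
    ver=$(printf '%s' "$1" | sed 's/[-+].*$//')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1". Reads from stdin so it can be exercised
# offline on a constructed line as well as on the real binary.
xz_version_from_output() {
    head -n 1 | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Check the installed binary. Exits 2 when an affected release is found so
# the function can gate a CI job or a configuration-management run.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz is not installed"
        return 0
    fi
    v=$(xz --version 2>/dev/null | xz_version_from_output)
    if xz_version_affected "$v"; then
        echo "xz $v is an affected release (CVE-2024-3094): downgrade or update now"
        return 2
    fi
    echo "xz $v is not one of the affected releases"
    return 0
}
```

Source the file and run `check_installed_xz` on each host. The check mirrors the post's version-based advice only: it does not inspect liblzma itself, so a package whose version string was rewritten, or a locally built copy, still needs the distribution's own guidance.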



From https://lwn.net/Articles/967420/:

I'm on a holiday and only happened to look at my emails and it seems to be a major mess.
— Lasse Collin

The reality that we are struggling with is that the free software infrastructure on which much of computing runs is massively and painfully underfunded by society as a whole, and is almost entirely dependent on random people maintaining things in their free time because they find it fun, many of whom are close to burnout. This is, in many ways, the true root cause of this entire event.
— Russ Allbery

Incredible work from Andres. The attackers made a serious strategic mistake: they made PostgreSQL slightly slower.
— Thomas Munro

There is no way to discuss this in public without turning a single malicious entity into 10 000 malicious entities once the information is widely known.
Making sure the impact and mitigations are known before posting this publicly so that everyone knows what to do before the 10 000 malicious entities start attacking is just common sense.
— Marc Deslauriers

Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO. The level of transparency is stellar, especially compared to proprietary software companies. What the FOSS world has accomplished in 24 hours after detection of the backdoor code in #xz deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything NOW. Which would introduce even more risks. Progress is made iteratively. Learn, adapt, repeat.
— Jan Wildeboer

