Conversation

Notices

1. Embed this notice
   bronze (bronze@pl.kitsunemimi.club)'s status on Saturday, 30-Mar-2024 03:35:20 JST bronze
   blatant chink backdoor in xz / lzma LMAO
   https://news.ycombinator.com/item?id=39865810 orange reddit link
   https://www.openwall.com/lists/oss-security/2024/03/29/4 discovery
   • ロミンちゃん and Pleroma-tan like this.
   • Embed this notice
     bronze (bronze@pl.kitsunemimi.club)'s status on Saturday, 30-Mar-2024 03:43:46 JST bronze

     in reply to
     >soystemd dependent vulnerability
     gentoobros take a giant breather, we're somewhat safe here
     also
     >.deb and .rpm file injection
     its literally the linux virus meme holy shit :kirsche_pointlaugh: :kagerou_laugh:
     ロミンちゃん likes this.
   • Embed this notice
     ロミンちゃん (romin@shitposter.club)'s status on Saturday, 30-Mar-2024 03:45:19 JST ロミンちゃん

     in reply to

     • Mona
     @bronze @mona
     >Version: 5.2.4-1
     procrastination wins again :l_heh:
   • Embed this notice
     bronze (bronze@pl.kitsunemimi.club)'s status on Saturday, 30-Mar-2024 03:45:20 JST bronze

     in reply to

     • Mona

     @mona neither do I :blobfoxthinksmart:

     Also I haven't updated in like a month so I avoided it by pure lazyness:

     [U] app-arch/xz-utils Available versions: 5.4.5 5.4.6-r1 5.6.1 **9999*l {doc +extra-filters nls pgo split-usr static-libs verify-sig ABI_MIPS="n32 n64 o32" ABI_S390="32 64" ABI_X86="32 64 x32" CPU_FLAGS_ARM="crc32"} Installed versions: 5.4.6-r1(11:40:20 AM 03/05/2024)(extra-filters nls -doc -pgo -static-libs -verify-sig ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="32 64 -x32") Homepage: https://tukaani.org/xz/ Description: Utils for managing LZMA compressed files
   • Embed this notice
     Mona (mona@frennet.xyz)'s status on Saturday, 30-Mar-2024 03:45:21 JST Mona

     in reply to

     @bronze@pl.kitsunemimi.club wsl2 doesn't use systemd :3

   • Embed this notice
     bronze (bronze@pl.kitsunemimi.club)'s status on Saturday, 30-Mar-2024 04:27:21 JST bronze

     in reply to

     • Phantom Palladium

     @hazlin from what I understood, it affects the distros that patch lzma support into openssh for soystemd notification. From that mailing list:

     openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.

     So whichever distros (including debian) doing this are fucked.

     >MX-Linux only provides 5.2.5

     You're safe lol

     ロミンちゃん likes this.
   • Embed this notice
     Phantom Palladium (hazlin@amala.schwartzwelt.xyz)'s status on Saturday, 30-Mar-2024 04:27:22 JST Phantom Palladium

     in reply to

     • Phantom Palladium
     @bronze
     Quick search says
     
     > malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1.
     
     MX-Linux only provides 5.2.5 as the latest version so, safe as well? xD
   • Embed this notice
     Phantom Palladium (hazlin@amala.schwartzwelt.xyz)'s status on Saturday, 30-Mar-2024 04:27:23 JST Phantom Palladium

     in reply to
     @bronze any idea if this is effecting all SSH or just debian's implementation?
   • Embed this notice
     ロミンちゃん (romin@shitposter.club)'s status on Saturday, 30-Mar-2024 04:44:13 JST ロミンちゃん

     in reply to

     • Mona
     • :marseyloadingneon: m0xEE :marseyloading:
     @bronze @m0xEE @mona updating besides patching secvulns or major bugs is a waste of time
   • Embed this notice
     bronze (bronze@pl.kitsunemimi.club)'s status on Saturday, 30-Mar-2024 04:44:14 JST bronze

     in reply to

     • Mona
     • ロミンちゃん
     • :marseyloadingneon: m0xEE :marseyloading:
     @m0xEE @mona @romin im just too lazy to update, especially if the gentoo box in question is a POWER/PowerPC or ARM or SPARC
   • Embed this notice
     :marseyloadingneon: m0xEE :marseyloading: (m0xee@breloma.m0xee.net)'s status on Saturday, 30-Mar-2024 04:44:16 JST :marseyloadingneon: m0xEE :marseyloading:

     in reply to

     • Mona
     • ロミンちゃん
     @romin @mona @bronze
     I won't be so sure: https://news.ycombinator.com/item?id=39867431
     According to this comment on hnews, this person was with the project long before 5.4.5 that Debian maintainers consider safe. We still can't be sure.
     
     And how do you guys stay on old versions for so long while using mainstream architectures? :marseyemojismilemouthtighteyes:
     Even PowerPC machine this instance runs on has xz-5.6.0 — and I not only have to build it myself, mainline Void maintainers don't even longer patch software to remain buildable for PowerPC :marseylaugh:
     Well, I probably have too much free time :marseyshy2:
   • Embed this notice
     The Forbidden Dreamer (forbiddendreamer@poa.st)'s status on Saturday, 30-Mar-2024 04:47:02 JST The Forbidden Dreamer

     in reply to

     • Mona
     • ロミンちゃん
     @romin @bronze @mona >xz-utils/stable,now 5.4.1-0.2 amd64 [installed,automatic]
     LFG
     ロミンちゃん likes this.
   • Embed this notice
     :marseyloadingneon: m0xEE :marseyloading: (m0xee@breloma.m0xee.net)'s status on Saturday, 30-Mar-2024 05:00:31 JST :marseyloadingneon: m0xEE :marseyloading:

     in reply to

     • Mona
     • ロミンちゃん
     @romin
     I agree, but on more obscure architectures it often does make sense — gcc and llvm often introduce critical bugs which get fixed in later releases, but never get backported, e.g. clang from llvm15 was segfaulting randomly on my PPC machine — I tried a few patches, including the one that looked very much like it symptoms-wise — all to no success. But with llvm17 it works perfectly again :marseyshrug:
     Now Python3.12.2 segfaults right on being launched — I thought it's some weird endian-ness problem due to cross compilcation, so I've built it natively — and it's just as broken. 3.12.1 works fine — I'm simply out of ideas what could've introduced such a bug with a patchlevel update.
     With marginal architectures — it's often weird shit like this :marseysigh:
     @mona @bronze