Well reading about the xz ssh backdoor turned into one heck of a rabbit hole this morning.
Jonathan Wight (schwa@mastodon.social)'s status on Sunday, 31-Mar-2024 00:22:48 JST Jonathan Wight - Paul Cantrell repeated this.
Jonathan Wight (schwa@mastodon.social)'s status on Sunday, 31-Mar-2024 00:22:48 JST Jonathan Wight My attempt to summarise what happened:
* xz is an archive file format widely used on various Linux distributions for packaging and other purposes
* The primary (unpaid hobbyist) maintainer isn't able to maintain it effectively (health issues/frequent internet breaks).
* A contributor over the course of 2+ years has submitted hundreds of (originally believed legit but now considered sus) patches and gained trust of maintainer.
* Contributor was given ability to sign releases…1/
Jonathan Wight (schwa@mastodon.social)'s status on Sunday, 31-Mar-2024 00:42:39 JST Jonathan Wight * And promptly snuck a backdoor into xz via the release package (*) (backdoor isn't present in code)
* On some Linux distros sshd is patched to work with systemd (to allow other services to know when sshd is/isn't running)… and that patch links in xz('s library)…
* And now sshd is compromised - send a specially crafted xz archive to sshd and you're in…(* edited.)
Paul Cantrell repeated this.
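The post above says the exposure comes from sshd being linked (through the systemd patch) to xz's library, liblzma. The script below is an added example, not part of the thread, that a defender can run to see whether the sshd on a host actually carries that link, by reading `ldd` output; the sample `ldd` lines inside it are constructed for offline testing, and the fallback sshd paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): does this host's sshd link liblzma?
# Assumes `ldd` is available; the fallback sshd paths below are guesses.

# Constructed sample of ldd output for offline testing (not real data).
sample_ldd_output() {
    printf '\tlinux-vdso.so.1 (0x00007ffd00000000)\n'
    printf '\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0100000000)\n'
    printf '\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0200000000)\n'
    printf '\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0300000000)\n'
}

# links_liblzma: reads ldd-style output on stdin, prints any liblzma line,
# returns 0 if liblzma is linked and 1 otherwise.
links_liblzma() {
    grep 'liblzma'
}

# find_sshd: resolve the sshd binary, first via PATH, then common locations.
find_sshd() {
    command -v sshd 2>/dev/null && return 0
    for p in /usr/sbin/sshd /usr/local/sbin/sshd; do
        if [ -x "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# sshd_links_liblzma: run ldd on the real sshd and apply the same check.
# Returns 0 (linked), 1 (not linked) or 2 (sshd not found).
sshd_links_liblzma() {
    sshd_path=$(find_sshd) || { echo "sshd not found" >&2; return 2; }
    ldd "$sshd_path" 2>/dev/null | links_liblzma
}

# Usage when run directly: report the link status and the installed xz version,
# which is what you would compare against your distro's advisory.
if sshd_links_liblzma; then
    echo "sshd links liblzma; installed xz: $(xz --version 2>/dev/null | head -n 1)"
else
    echo "no liblzma link found in sshd (or sshd not present)"
fi
```

A link to liblzma is not by itself a compromise; it only tells you the host is in the population the thread describes, and the next step is checking the installed xz/liblzma package version against your distribution's advisory.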
Jonathan Wight (schwa@mastodon.social)'s status on Sunday, 31-Mar-2024 00:42:39 JST Jonathan Wight What's wild about this is…
… either the contributor was playing the long game - gained the trust of maintainers via legit work just to get to this point…
… or the legit work wasn't legit and they introduced other vulnerabilities over the course of 2+ years - and this exploit was the first one they got caught doing…
…or was legitimately contributing until they themselves were compromised (ship this vulnerability or we break your legs…)
Paul Cantrell repeated this.
Paul Goracke (pgor@mastodon.social)'s status on Sunday, 31-Mar-2024 01:29:30 JST Paul Goracke @schwa My concern is that if they were playing such a long game, they weren’t/aren’t just doing it with xz.