Posts about the xz attack

Not_OlesNot_Oles Hosting ProviderContent Writer
in Industry News

Timeline: https://research.swtch.com/xz-timeline

Attack shell script: https://research.swtch.com/xz-script

Thanked by (3)nullnothere wankel mfs

Comments

  • nullnotherenullnothere OG

    https://github.com/amlweems/xzbot is good (also referenced via "Further Reading" section in Timeline URL above).

    Thanked by (1)Not_Oles
  • Not_OlesNot_Oles Hosting ProviderContent Writer

    Took a quick look! Wow! Seems very good! Now I am going to have to look at all the links in the "Further Reading" section. :)

    Thanked by (1)nullnothere
  • wankelwankel OG

    Wow, it may not be enough for a movie script, but it sure is an interesting read!

    If the Internet had better enforcement of the "don't be a dick"-rule, the maintainer may not have gotten pressured into sharing maintainership after abusive language from 'the community'.

    On the other hand: given a goal and a long enough timeline, also without getting abusive, any organization (or private person) could create a persona to implement this kind of attacks (as, I guess, has crossed many of our minds even before this came to light)

    Thanks for sharing!

    Thanked by (2)Not_Oles IAmNix
  • somiksomik OG
    edited April 2024

    LTS FTW!

    Back when I first started (20+ years ago?) I never understood why people do not use latest packages and stick to older packages. I guess there are pitfalls like the above other then the usual older packages being more stable.

    @Not_Oles not sure where you found the research and to be honest, most of it went over my head. But one thing is clear. This is an attempt by someone (or a group) who knows what they are doing and how to prevent from being found out.

    Thanked by (1)Not_Oles

    I speak fluent sarcasm and broken logic. | I would agree with you, but thæn we’d both be wrong.

  • JabJab Senpai

    Does this really need new topic, what is wrong with the one we already have?
    https://lowendspirit.com/discussion/7588/backdoor-in-upstream-xz-liblzma-leading-to-ssh-server-compromise-openwall-com-via-hacker-news#latest

    Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
    https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png

  • Not_OlesNot_Oles Hosting ProviderContent Writer

    @somik said: @Not_Oles not sure where you found the research

    HN

    and to be honest, most of it went over my head.

    Me too.

    But one thing is clear. This is an attempt by someone (or a group) who knows what they are doing and how to prevent from being found out.

    Yes, and even more:

    "giving the attacker the ability to run an arbitrary command on the target system without logging in: unauthenticated, targeted remote code execution."

    "The attack . . . appears to be the first serious known supply chain attack on widely used open source software. It marks a watershed moment. . . ."

       -- https://research.swtch.com/xz-timeline

  • Not_OlesNot_Oles Hosting ProviderContent Writer

    From: https://joeyh.name/blog/entry/reflections_on_distrusting_xz/

    See also: https://news.ycombinator.com/item?id=39914981

    And then there's the matter of the disabling of the Landlock sandbox. This was not necessary for the ssh backdoor, because the sandbox is only used by the xz command, not by liblzma. So why did they potentially tip their hand by adding that rogue "." that disables the sandbox?

    A sandbox would not prevent the kind of attack I discuss above, where xz is just modifying code that it decompresses. Disabling the sandbox suggests that they were going to make xz run arbitrary code, that perhaps wrote to files it shouldn't be touching, to install a backdoor in the system.

    Both deb and rpm use xz compression, and with the sandbox disabled, whether they link with liblzma or run the xz command, a backdoored xz can write to any file on the system while dpkg or rpm is running and noone is likely to notice, because that's the kind of thing a package manager does.

  • somiksomik OG

    Also the way he "fixed" (breaks) the landlock package... Damn...

    So, what are your guesses on who this is?

    • Random guy sitting in moms basement
    • Hacker group targeting linux servers
    • Government agency (chinese/us/russia/others)
    • Others?

    I speak fluent sarcasm and broken logic. | I would agree with you, but thæn we’d both be wrong.

  • AuroraZeroAuroraZero Retired

    @somik said:
    Also the way he "fixed" (breaks) the landlock package... Damn...

    So, what are your guesses on who this is?

    • Random guy sitting in moms basement
    • Hacker group targeting linux servers
    • Government agency (chinese/us/russia/others)
    • Others?

    It's all me baby

    The Yeti has left the building.

  • somiksomik OG

    @AuroraZero said:

    @somik said:
    Also the way he "fixed" (breaks) the landlock package... Damn...

    So, what are your guesses on who this is?

    • Random guy sitting in moms basement
    • Hacker group targeting linux servers
    • Government agency (chinese/us/russia/others)
    • Others?

    It's all me baby

    So the butler yeti did it....

    I speak fluent sarcasm and broken logic. | I would agree with you, but thæn we’d both be wrong.

  • AuroraZeroAuroraZero Retired

    @somik said:

    @AuroraZero said:

    @somik said:
    Also the way he "fixed" (breaks) the landlock package... Damn...

    So, what are your guesses on who this is?

    • Random guy sitting in moms basement
    • Hacker group targeting linux servers
    • Government agency (chinese/us/russia/others)
    • Others?

    It's all me baby

    So the butler yeti did it....

    Always

    The Yeti has left the building.

Sign In or Register to comment.

© LowEndSpirit 2026