Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Gentoo>
  3. User
Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo
rich0 at gentoo
Mar 31, 2024, 5:33 AM
Post #1 of 13 (187 views)
Permalink
(moving this to gentoo-user as this is really getting off-topic for -dev)

On Sun, Mar 31, 2024 at 7:32?AM stefan11111
<stefan11111@shitposting.expert> wrote:
>
> Had I seen someone say that a bad actor would spend years gaining the
> trust of FOSS
> project maintainers in order to gain commit access and introduce such
> sophisticated
> back doors, I would have told them to take their meds.
> This is insane.

It makes quite a bit of sense though. For a low-activity FOSS
project, how much manpower does it take to gain a majority share of
the governance? In this case it is one person, but even for a big
project (such as Gentoo) I suspect that 3-4 people working full time
could probably hit upwards of 50% of the commit volume. That doesn't
have to be 3-4 "Gentoo developers." It could be 3-4 human beings with
1 admin assistant who manages 50 email addresses that the commits get
spread across, and they sign up as 50 Gentoo developers and get 50
votes for the Council (and probably half the positions there if they
want them), the opportunity to peer review "each other's"
contributions, and so on.

I just use Gentoo as an example as we're all familiar with it and
probably assume it couldn't happen here. As you go on, the actual
targets are likely to be other projects...

> If this happened to something like firefox, I don't think anyone would
> have found out.
> No one bats an eye if a website loads 0.5s longer.

It seems likely that something like this has ALREADY happened to firefox.

It might also happen with commercial software, but the challenge there
is HR as you can't just pay 1 person to masquerade as 10 when they all
need to deal with payroll taxes.

We're going on almost 20 years since the Snowden revelations, and back
then the NSA was basically doing intrusion on an industrial scale.
You'd have dev teams building zero days and rootkits, sysadmin teams
who just administrate those back doors to make sure there are always
2-3 ways in just in case one gets closed, SMEs who actually make sense
of the stolen data, rooms full of engineers who receive intercepted
shipments of hardware and install backdoors on them, and so on.

We're looking at what probably only one person can do if they can
dedicate full time to something like this. Imagine what a cube farm
full of supervised developers with a $50M budget could do, and that is
pocket change to most state actors. The US government probably spends
more than that in a year on printer paper.

--
Rich
Re: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo [ In reply to ]
confabulate at kintzios
Mar 31, 2024, 7:59 AM
Post #2 of 13 (184 views)
Permalink
On Sunday, 31 March 2024 13:33:20 BST Rich Freeman wrote:
> (moving this to gentoo-user as this is really getting off-topic for -dev)

Thanks for bringing this to our attention Rich.

Is downgrading to app-arch/xz-utils-5.4.2 all that is needed for now, or are
we meant to rebuilding any other/all packages, especially if we rebuilt our
@world only a week ago as part of the move to profile 23.0?

Attached Files:

Re: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo [ In reply to ]
djqfrey at gmail
Mar 31, 2024, 8:39 AM
Post #3 of 13 (183 views)
Permalink
On 3/31/24 07:59, Michael wrote:
> On Sunday, 31 March 2024 13:33:20 BST Rich Freeman wrote:
>> (moving this to gentoo-user as this is really getting off-topic for -dev)
>
> Thanks for bringing this to our attention Rich.
>
> Is downgrading to app-arch/xz-utils-5.4.2 all that is needed for now, or are
> we meant to rebuilding any other/all packages, especially if we rebuilt our
> @world only a week ago as part of the move to profile 23.0?

I just ran `glsa-check -l affected` and it came up blank for me.

I ran `emerge --sync` and checked again and it indeed says my machine is
affected.

I then ran `emerge -auDN world` and it automatically downgraded.

So, all we need to do sync and update world. It will downgrade xz-utils
automatically.

If you want to make sure, run `glsa-check -l affected` after the emerge
world, if it comes up blank you are not affected. Or run `glsa-check -l
202403-02` and it will tell you if you are affected:

$ glsa-check -l 202403-04
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

202403-04 [U] XZ utils: Backdoor in release tarballs ( app-arch/xz-utils )


Dan
Re: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo [ In reply to ]
rich0 at gentoo
Mar 31, 2024, 9:04 AM
Post #4 of 13 (183 views)
Permalink
On Sun, Mar 31, 2024 at 10:59?AM Michael <confabulate@kintzios.com> wrote:
>
> On Sunday, 31 March 2024 13:33:20 BST Rich Freeman wrote:
> > (moving this to gentoo-user as this is really getting off-topic for -dev)
>
> Thanks for bringing this to our attention Rich.
>
> Is downgrading to app-arch/xz-utils-5.4.2 all that is needed for now, or are
> we meant to rebuilding any other/all packages, especially if we rebuilt our
> @world only a week ago as part of the move to profile 23.0?

It is not necessary to rebuild anything, unless you're doing something
so unusual that you'd already know the answer to the question.

--
Rich
Re: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo [ In reply to ]
hakon at alstadheim
Mar 31, 2024, 12:38 PM
Post #5 of 13 (182 views)
Permalink
Den 31.03.2024 14:33, skrev Rich Freeman:
> (moving this to gentoo-user as this is really getting off-topic for -dev)
>
>
> It might also happen with commercial software, but the challenge there
> is HR as you can't just pay 1 person to masquerade as 10 when they all
> need to deal with payroll taxes.

For commercial entities, the government could just contact the company
and apply pressure, no need to sneak the backdoor in. Cf. RSA .
Re: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo [ In reply to ]
antlists at youngman
Mar 31, 2024, 2:36 PM
Post #6 of 13 (181 views)
Permalink
On 31/03/2024 20:38, Håkon Alstadheim wrote:
> For commercial entities, the government could just contact the company
> and apply pressure, no need to sneak the backdoor in. Cf. RSA .

Apply pressure to who? At the end of the day, the only people the
government can trust are their own agents.

Serving a "secret compliance" notice on a third party is always fraught
with danger. Okay, I probably can't trust my own government to protect
me, but if the US Government served a compliance notice on me I'd treat
it with the respect it deserved - probably use it as loo paper!

Nobody should trust anybody else more than they have need to - and
especially governments should not trust 3rd-party nationals! It's not
worth it.

Cheers,
Wol
Re: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo [ In reply to ]
rich0 at gentoo
Mar 31, 2024, 2:52 PM
Post #7 of 13 (181 views)
Permalink
On Sun, Mar 31, 2024 at 5:36?PM Wol <antlists@youngman.org.uk> wrote:
>
> On 31/03/2024 20:38, Håkon Alstadheim wrote:
> > For commercial entities, the government could just contact the company
> > and apply pressure, no need to sneak the backdoor in. Cf. RSA .
>
> Serving a "secret compliance" notice on a third party is always fraught
> with danger. Okay, I probably can't trust my own government to protect
> me, but if the US Government served a compliance notice on me I'd treat
> it with the respect it deserved - probably use it as loo paper!

I imagine most large companies would just comply with their local
government, but there are some major limitations all the same:

1. It isn't necessarily the local government who wants to plant the
back door. The FBI can't just call up Huawei and get the same results
they would with Google.
2. Even if the company complies, there are going to be more people who
are aware of the back door. Some of those could be foreign agents.
If you infiltrate the company and obfuscate your code, then only your
own agents are aware there is an intrusion.
3. The methods employed in your attack might also be sensitive, and so
that's another reason to not want to disclose them. If you have some
way of subtly compromising some encryption scheme, you might not want
any employees of the company to even know the cryptosystem weakness
even exists, let alone the fact that you're exploiting it. When the
methods are secret in this way it is that much easier to obfuscate a
clandestine attack as well.

When you look at engineer salaries against national defense budgets,
it wouldn't surprise me if a LOT of FOSS (and other) contributors are
being paid to add back doors. On the positive side, that probably
also means that they're getting paid to fix a lot of bugs and add
features just to give them cover.

To bomb a power plant might take the combined efforts of 1-2 dozen
military aircraft in various roles, at $100M+ each (granted, that's
acquisition cost and not operational cost). Installing a trojan that
would cause the plant to blow itself up on command might just require
paying a few developers for a few years, for probably less than $1M
total, and it isn't even that obvious that you were involved if it
gets discovered, or even after the plant blows up.

--
Rich
Re: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo [ In reply to ]
mjo at gentoo
Mar 31, 2024, 3:19 PM
Post #8 of 13 (181 views)
Permalink
On Sun, 2024-03-31 at 12:04 -0400, Rich Freeman wrote:
>
> It is not necessary to rebuild anything, unless you're doing something
> so unusual that you'd already know the answer to the question.
>

You should probably reboot afterwards though.

For a more fine-grained approach, you can check for running processes
that still use the old library with something like,

root # grep liblzma /proc/*/maps

The old version will show up as liblzma.so.5.6.1. Restart anything that
uses it.
Re: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo [ In reply to ]
mjo at gentoo
Mar 31, 2024, 3:29 PM
Post #9 of 13 (181 views)
Permalink
On Sun, 2024-03-31 at 18:19 -0400, Michael Orlitzky wrote:
>
> The old version will show up as liblzma.so.5.6.1. Restart anything that
> uses it.

Or liblzma.so.5.6.0
Re: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo [ In reply to ]
axl at dale
Mar 31, 2024, 3:32 PM
Post #10 of 13 (181 views)
Permalink
https://piaille.fr/@zeno/112185928685603910

There's an ENV var you can set that is a kill switch for the whole thing :)


On 4/1/2024 1:29 AM, Michael Orlitzky wrote:
> On Sun, 2024-03-31 at 18:19 -0400, Michael Orlitzky wrote:
>> The old version will show up as liblzma.so.5.6.1. Restart anything that
>> uses it.
> Or liblzma.so.5.6.0
>
>
Re: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo [ In reply to ]
mjo at gentoo
Mar 31, 2024, 3:36 PM
Post #11 of 13 (181 views)
Permalink
On Mon, 2024-04-01 at 01:32 +0300, Alexandru N. Barloiu wrote:
> https://piaille.fr/@zeno/112185928685603910
>
> There's an ENV var you can set that is a kill switch for the whole thing :)
>

For the part that we found :)

The author of the backdoor had commit access to the upstream repository
for a long time:

https://git.tukaani.org/?p=xz.git;a=search;s=Jia+Tan;st=author

Personally I would be skeptical of running any version of any package
that he has touched.
Re: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo [ In reply to ]
axl at dale
Mar 31, 2024, 3:41 PM
Post #12 of 13 (181 views)
Permalink
No argument from me. That JiaTan dude had other projects forked he was
looking at. And none of them are good news. zstd. lz4. libarchive.
squashfs-tools. But still, I think its good news if people already
figured how to turn it off in a few days.



On 4/1/2024 1:36 AM, Michael Orlitzky wrote:
> On Mon, 2024-04-01 at 01:32 +0300, Alexandru N. Barloiu wrote:
>> https://piaille.fr/@zeno/112185928685603910
>>
>> There's an ENV var you can set that is a kill switch for the whole thing :)
>>
> For the part that we found :)
>
> The author of the backdoor had commit access to the upstream repository
> for a long time:
>
> https://git.tukaani.org/?p=xz.git;a=search;s=Jia+Tan;st=author
>
> Personally I would be skeptical of running any version of any package
> that he has touched.
>
>
Re: Re: [gentoo-dev] Current unavoidable use of xz utils in Gentoo [ In reply to ]
Warp_7 at gmx
Apr 15, 2024, 6:08 AM
Post #13 of 13 (75 views)
Permalink
Am Sun, Mar 31, 2024 at 08:33:20AM -0400 schrieb Rich Freeman:
> (moving this to gentoo-user as this is really getting off-topic for -dev)
> […]
> We're going on almost 20 years since the Snowden revelations, and back
> then the NSA was basically doing intrusion on an industrial scale.

Weeaalll, it’s been 11 years in fact. Considering that is more than 10
years, one could argue it is approaching 20. ;-)

I can remember the year well because Snowden is the same vintage as I am and
he became 30 about when this all came out.

--
Grüße | Greetings | Salut | Qapla’
Others make mistakes, too -- but we have the most experience in it.

Attached Files:

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal