SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
The Fedora guys are jumping up and down about a backdoor in xz-5.6.0 & 5.6.1 which involves systemd. Current of 2024-03-22 has xz-5.6.1, but not, of course systemd. No sir!
What's the recommended course of action here, or can I go back to sleep?
a/xz-5.6.1-x86_64-2.txz: Rebuilt.
Seems like a good idea to build this from a git pull rather than the signed
release tarballs. :-)
The liblzma in the previous packages were not found to be vulnerable by the
detection script, but I'd rather not carry the bad m4 files in our sources.
Here's a test script for anyone wanting to try it:
if hexdump -ve '1/1 "%.2x"' /lib*/liblzma.so.5 | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410 ; then
echo probably vulnerable
else
echo probably not vulnerable
fi
Thanks. I don't get the import of "[Slackware] does not build with cmake."
Could you elaborate?
And if this is a sign of anything, maybe everyone should restrict their open source stuff on github. A bad actor has come along and make commits with evil intent, and opened a backdoor. If it has happened once, it can happen again... and again...etc.
EDIT: Personally, I'm more likely to be affected by python3.9 --> python3.11. We've been on 3.9 for a good while.
Last edited by business_kid; 03-30-2024 at 03:32 PM.
Slackware is not affected by the known liblzma backdoor from ups Thtream source packages and does not build with cmake.
However, there are still more commits made by the bad actor which has to be investigated.
regards Henrik
I understood the problem is with autoconf, not cmake.
Also that the problem is far from beeing fully investigated and github has closed the tukaani xz project.
Some other distribution revert to 5.4 and don't try to use 5.6 even with no systemd and without the binary problematic files. But even 5.4 maybe suspicious. Server Ubuntu 22 distribution is with 5.2 version of xz.
I understood the problem is with autoconf, not cmake.
The new problem is that the saboteur prohibited the use of Landlock sandbox with cmake builds. The sandbox should "help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications".
The new problem is that the saboteur prohibited the use of Landlock sandbox with cmake builds. The sandbox should "help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications".
So then this was an oversight - and those in charge of the repo should have perhaps questioned 'why is said feature prohibited' ? Seems to me this is the new way of attack going forward , bits of code that either do not offer any real improvement or stability, and potentially have smaller malicious intent or say the very least questionable intent, yet on its own it does nothing, until another piece of code later on builds on that. So yea, going forward now even every bit of 'changes' needs to be scrutinized even if it is either benign or has no immediate impact - but should still be looked at and questioned: "why was it written this way?" "Why the need of prohibiting this one protective feature to run or compile?"
Slightly off-topic. This backdoor is it logged to check with command
Code:
last
If yes with which user?
I don't think any researchers have been able to observe an unauthorized login, so we don't currently know if it leaves any residue in the logs. I doubt that it would, though.
But for this miscalculation this compromise might never have been noticed (and someone buy Andres Fruend a drink?)?:
"Subsequently the injected code (more about that below) caused valgrind errors
and crashes in some configurations, due the stack layout differing from what
the backdoor was expecting. These issues were attempted to be worked around
in 5.6.1:"
So then this was an oversight - and those in charge of the repo should have perhaps questioned 'why is said feature prohibited' ? Seems to me this is the new way of attack going forward , bits of code that either do not offer any real improvement or stability, and potentially have smaller malicious intent or say the very least questionable intent, yet on its own it does nothing, until another piece of code later on builds on that. So yea, going forward now even every bit of 'changes' needs to be scrutinized even if it is either benign or has no immediate impact - but should still be looked at and questioned: "why was it written this way?" "Why the need of prohibiting this one protective feature to run or compile?"
Last year there was an academic research project (sadly I can't remember who carried it out) to see if it was possible to inject bad code into the Linux kernel. They used precisely this method, offering harmless patches that corrected minor stylistic errors and seemed only pedantic at worst, but one of them created an opening into which something worse could be inserted later.
Of course they immediately informed the kernel team and the world of their success.
Last year there was an academic research project (sadly I can't remember who carried it out) to see if it was possible to inject bad code into the Linux kernel. They used precisely this method, offering harmless patches that corrected minor stylistic errors and seemed only pedantic at worst, but one of them created an opening into which something worse could be inserted later.
Of course they immediately informed the kernel team and the world of their success.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.