unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* xz backdoor
@ 2024-04-01 19:46 Reza Housseini
  2024-04-01 20:39 ` Kaelyn
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Reza Housseini @ 2024-04-01 19:46 UTC (permalink / raw)
  To: guix-devel

Hi Guixers

Just stumbled upon this recently discovered supply chain attack on xz, 
inserting a backdoor via test files [1, 2]. And it made me wondering, 
what would have been the effects on guix and how can we potentially 
avoid it?

Stay safe!
Reza

[1] https://www.openwall.com/lists/oss-security/2024/03/29/4
[2] https://access.redhat.com/security/cve/cve-2024-3094#cve-cvss-v3

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: xz backdoor
  2024-04-01 19:46 xz backdoor Reza Housseini
@ 2024-04-01 20:39 ` Kaelyn
  2024-04-01 20:52   ` Attila Lendvai
  2024-04-01 20:44 ` jbranso
  2024-04-01 23:27 ` Leo Famulari
  2 siblings, 1 reply; 8+ messages in thread
From: Kaelyn @ 2024-04-01 20:39 UTC (permalink / raw)
  To: Reza Housseini; +Cc: guix-devel

Hi Reza,

On Monday, April 1st, 2024 at 12:46 PM, Reza Housseini <reza.housseini@gmail.com> wrote:

> 
> 
> Hi Guixers
> 
> Just stumbled upon this recently discovered supply chain attack on xz,
> inserting a backdoor via test files [1, 2]. And it made me wondering,
> what would have been the effects on guix and how can we potentially
> avoid it?

Thank you for your email about the xz backdoor! To hopefully help with your questions, there has already been some discussion on guix-devel about the backdoor and how it should be handled now and in the future:

https://lists.gnu.org/archive/html/guix-devel/2024-03/msg00281.html
https://lists.gnu.org/archive/html/guix-devel/2024-03/msg00292.html

The quick summary is that Guix currently shouldn't be affected because a) Guix currently packages xz 5.2.8, which predates the backdoor, and b) the backdoor includes checks based on absolute paths e.g. under /usr and Guix executable paths generally don't match the patterns checked for.

Cheers,
Kaelyn

> Stay safe!
> Reza
> 
> [1] https://www.openwall.com/lists/oss-security/2024/03/29/4
> [2] https://access.redhat.com/security/cve/cve-2024-3094#cve-cvss-v3


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: xz backdoor
  2024-04-01 19:46 xz backdoor Reza Housseini
  2024-04-01 20:39 ` Kaelyn
@ 2024-04-01 20:44 ` jbranso
  2024-04-01 23:27 ` Leo Famulari
  2 siblings, 0 replies; 8+ messages in thread
From: jbranso @ 2024-04-01 20:44 UTC (permalink / raw)
  To: Reza Housseini, guix-devel

April 1, 2024 at 3:46 PM, "Reza Housseini" <reza.housseini@gmail.com> wrote:



> 
> Hi Guixers
> 
> Just stumbled upon this recently discovered supply chain attack on xz, 
> 
> inserting a backdoor via test files [1, 2]. And it made me wondering, 
> 
> what would have been the effects on guix and how can we potentially 
> 
> avoid it?

It looks like the affected version is XZ XZ 5.6.0/5.6.1, and guix is
currently on 5.2.8.  The git repo is apparently not affected.  So we
could use the git repo and not the tarball.  Also it mainly seems to 
target systemd.  I'm basically reading phoronix's coverage:



The malicious injection present in the xz versions 5.6.0 and 5.6.1
libraries is obfuscated and only included in full in the download package
- the Git distribution lacks the M4 macro that triggers the build 
of the malicious code. The second-stage artifacts are present in 
the Git repository for the injection during the build time, in 
case the malicious M4 macro is present.

The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.

Joshua

P.S. Here's guix's xz source code:

https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/compression.scm#n494

And the phoronix link:

https://www.phoronix.com/news/XZ-CVE-2024-3094

> 
> Stay safe!
> 
> Reza
> 
> [1] https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
> [2] https://access.redhat.com/security/cve/cve-2024-3094#cve-cvss-v3
>


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: xz backdoor
  2024-04-01 20:39 ` Kaelyn
@ 2024-04-01 20:52   ` Attila Lendvai
  0 siblings, 0 replies; 8+ messages in thread
From: Attila Lendvai @ 2024-04-01 20:52 UTC (permalink / raw)
  To: Kaelyn; +Cc: Reza Housseini, guix-devel

> The quick summary is that Guix currently shouldn't be affected
> because a) Guix currently packages xz 5.2.8, which predates the
> backdoor, and b) the backdoor includes checks based on absolute
> paths e.g. under /usr and Guix executable paths generally don't
> match the patterns checked for.


and guix doesn't use systemd that patches sshd -- a critical piece of security -- in a way that made the backdoor possible...

-- 
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“War is a moral contest that is won in the temples before it is ever fought.”
	— Sun Tzu (c. 6th century BC), author of 'The Art of War' (as paraphrased by Jack Kennedy)



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: xz backdoor
  2024-04-01 19:46 xz backdoor Reza Housseini
  2024-04-01 20:39 ` Kaelyn
  2024-04-01 20:44 ` jbranso
@ 2024-04-01 23:27 ` Leo Famulari
  2024-04-02  8:23   ` Attila Lendvai
  2 siblings, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2024-04-01 23:27 UTC (permalink / raw)
  To: Reza Housseini; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 449 bytes --]

On Mon, Apr 01, 2024 at 09:46:12PM +0200, Reza Housseini wrote:
> Just stumbled upon this recently discovered supply chain attack on xz,
> inserting a backdoor via test files [1, 2]. And it made me wondering, what
> would have been the effects on guix and how can we potentially avoid it?

There's actually suspicious code by the xz attacker in one of our
packages right now:

https://issues.guix.gnu.org/issue/70113

Please help review that patch!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: xz backdoor
  2024-04-01 23:27 ` Leo Famulari
@ 2024-04-02  8:23   ` Attila Lendvai
  2024-04-02  8:29     ` adanskana
  2024-04-02 22:35     ` Ryan Prior
  0 siblings, 2 replies; 8+ messages in thread
From: Attila Lendvai @ 2024-04-02  8:23 UTC (permalink / raw)
  To: Leo Famulari; +Cc: Reza Housseini, guix-devel

> There's actually suspicious code by the xz attacker in one of our
> packages right now:
> 
> https://issues.guix.gnu.org/issue/70113
> 
> Please help review that patch!


as for gpaste (one of the dependees of libarchive):

it doesn't build since the recent gnome merge. i've filed a patch for the necessary version bump:

https://issues.guix.gnu.org/70133

which also gets rid of the libarchive dependency.

it would be nice to get this fast tracked. although, judging from the (lack of) complaints, i might be the only user of it.

PS: and meanwhile we're packaging an alternative, namely gnome-shell-extension-clipboard-indicator, with an enormous security flaw: by default it saves the clipboard history in clear text, and calls the feature "cache only favorites", so that even if you look for it, you still don't realize it:

https://github.com/Tudmotu/gnome-shell-extension-clipboard-indicator/issues/138#issuecomment-904689439

...and its author actively defends this situation.

-- 
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“The noble-minded are calm and steady. Little people are forever fussing and fretting.”
	— Confucius (551–479 BC), 'Analects of Confucius'



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: xz backdoor
  2024-04-02  8:23   ` Attila Lendvai
@ 2024-04-02  8:29     ` adanskana
  2024-04-02 22:35     ` Ryan Prior
  1 sibling, 0 replies; 8+ messages in thread
From: adanskana @ 2024-04-02  8:29 UTC (permalink / raw)
  To: Attila Lendvai; +Cc: Leo Famulari, Reza Housseini, guix-devel

[-- Attachment #1: Type: text/plain, Size: 1715 bytes --]

Hi all,

On Tue, Apr 2 2024 at 08:23:40 AM +0000, Attila Lendvai 
<attila@lendvai.name> wrote:
>>  There's actually suspicious code by the xz attacker in one of our
>>  packages right now:
>> 
>>  <https://issues.guix.gnu.org/issue/70113>
>> 
>>  Please help review that patch!
> 
> 
> as for gpaste (one of the dependees of libarchive):
> 
> it doesn't build since the recent gnome merge. i've filed a patch for 
> the necessary version bump:
> 
> <https://issues.guix.gnu.org/70133>
> 
> which also gets rid of the libarchive dependency.
I mentioned this on the guix XMPP server. Thanks for fixing this!
> 
> it would be nice to get this fast tracked. although, judging from the 
> (lack of) complaints, i might be the only user of it.
> 
> PS: and meanwhile we're packaging an alternative, namely 
> gnome-shell-extension-clipboard-indicator, with an enormous security 
> flaw: by default it saves the clipboard history in clear text, and 
> calls the feature "cache only favorites", so that even if you look 
> for it, you still don't realize it:
> 
> <https://github.com/Tudmotu/gnome-shell-extension-clipboard-indicator/issues/138#issuecomment-904689439>
> 
> ...and its author actively defends this situation.
I used gpaste up until the merge and went to use the extension. I had 
absolutely no idea this was the state of things; that is very worrying. 
I'm keen to see your patch fasttracked - you're not the only user, haha!
> 
> --
> • attila lendvai
> • PGP: 963F 5D5F 45C7 DFCD 0A39
> --
> “The noble-minded are calm and steady. Little people are forever 
> fussing and fretting.”
> 	— Confucius (551–479 BC), 'Analects of Confucius'

Thanks,
Ada





[-- Attachment #2: Type: text/html, Size: 2529 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: xz backdoor
  2024-04-02  8:23   ` Attila Lendvai
  2024-04-02  8:29     ` adanskana
@ 2024-04-02 22:35     ` Ryan Prior
  1 sibling, 0 replies; 8+ messages in thread
From: Ryan Prior @ 2024-04-02 22:35 UTC (permalink / raw)
  To: Attila Lendvai; +Cc: Leo Famulari, Reza Housseini, guix-devel


On Tuesday, April 2nd, 2024 at 3:23 AM, Attila Lendvai <attila@lendvai.name> wrote:

> https://github.com/Tudmotu/gnome-shell-extension-clipboard-indicator/issues/138#issuecomment-904689439
> 
> ...and its author actively defends this situation.

Yikes. This sounds like a great reason to fork. The author can prefer it his way but it's irresponsible to make that the default.

Ryan


^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2024-04-02 22:36 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-01 19:46 xz backdoor Reza Housseini
2024-04-01 20:39 ` Kaelyn
2024-04-01 20:52   ` Attila Lendvai
2024-04-01 20:44 ` jbranso
2024-04-01 23:27 ` Leo Famulari
2024-04-02  8:23   ` Attila Lendvai
2024-04-02  8:29     ` adanskana
2024-04-02 22:35     ` Ryan Prior

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).