From: John Kehayias
To: Felix Lechner
Cc: Ryan Prior, Guix Devel, guix-security@gnu.org
Date: Fri, 29 Mar 2024 20:57:58 +0000
Subject: Re: Backdoor in upstream xz-utils
Message-ID: <87ttkon4c4.fsf@protonmail.com>

Hi Ryan, Felix, and guix-devel,

On Fri, Mar 29, 2024 at 01:39 PM, Felix Lechner via Reports of security issues in Guix itself and in packages provided by Guix wrote:

> Hi Ryan,
>
> On Fri, Mar 29 2024, Ryan Prior wrote:
>
>> I'm reading today that a backdoor is present in xz's upstream tarball
>> (but not in git), starting at version 5.6.0. Source:
>>
>
> Thanks for sending this! This is an extremely serious vulnerability
> with criminal intent. I cc'd guix-security@gnu.org just in case you
> haven't.
>

I, at least (as part of guix-security), am aware and have been reading the analysis and further investigation. Both clever and interesting, but also worrisome.
I think we were rather lucky this was found relatively quickly, though it seems to point to a bad actor and throws into question other projects (like libarchive) which have contributions from the same identity. Likely other accounts are involved too, so maybe on a positive side this unravels other issues. The discussion on Hacker News has also been informative (though rather long now):

>> Guix currently packages xz-utils 5.2.8 as "xz" using the upstream
>> tarball. [...] Should we switch from using upstream tarballs to some
>> fork with more responsible maintainers?
>
> Guix's habit of building from tarballs is a poor idea because tarballs
> often differ. For example, maintainers may choose to ship a ./configure
> script that is otherwise not present in Git (although a configure.ac
> might be). Guix should build from Git.
>

We discussed a bit on #guix today about this. A movement to sourcing more directly from Git in general has been discussed before, though it has some hurdles. I will let someone more knowledgeable about the details chime in, but yes, it is something we should do.

Unfortunately in this case, while it seems the older versions don't have *this* exploit, given that the perpetrator either is or has control over a maintainer account, it throws into question a lot more than the most recent version. We will have to keep a careful eye on this. I'm not currently aware of anything untoward for our current version, so far.

>> Is there a way we can blacklist known bad versions?
>

I'm not sure what you mean, but I don't think so. The main danger is in guix time-machine to the past, as you are (purposefully) going to older versions of software. This is warned about in the manual, though we should perhaps do this at runtime as well. Even better would be if we can warn about known bad versions. Such a tool was started (guix health) here:

Anyone up for reviving it, now that we have some changes that should make this more doable (based on a quick glance of more recent messages)?
> Having said all that, I am not sure Guix is affected.
>
> On my systems, the 'detect.sh' script shows no reference to liblzma in
> sshd. Everyone, please send additional reports.
>

Pretty sure we are not affected, at least with what is known: the exploit targets particular systems and things like argv[0] being /usr/sbin/sshd. A combination perhaps of who or what was being targeted as well as trying to make this harder to discover. Still, we should have an abundance of caution and pay close attention, as there is much we don't know and a history of commits to go through.

As well as being suspicious in general of things like binary files added to a release tarball (as a project we always try to make sure there are no binary files anyway), this is a clear example of a clever/malicious way of causing harm.

Please do feel free to report privately any concerns or potentially affected packages to guix-security@gnu.org as well. And if you are interested in helping with these things, I'm sure we could rotate in some people for that team.

Thanks all! An action-packed Friday.

John
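The tarball-versus-Git difference discussed in this thread (a shipped ./configure absent from Git, binary files slipped into a release) can be checked mechanically before a package source is accepted. The following is an added example, not code from this thread or from Guix: it lists regular files present in a release tarball but absent from the set of Git-tracked paths, and marks any that contain NUL bytes as binary. The tarball contents and the tracked path set are constructed fixtures.

```python
import io
import tarfile

# Constructed fixture: paths tracked in the project's Git tree
# (in practice this would come from `git ls-files` at the release tag).
GIT_TRACKED = {"configure.ac", "Makefile.am", "src/main.c", "README"}


def build_sample_tarball() -> bytes:
    """Build a small release tarball in memory (constructed sample, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add("pkg-1.0/configure.ac", b"AC_INIT([pkg], [1.0])\n")
        add("pkg-1.0/Makefile.am", b"bin_PROGRAMS = main\n")
        add("pkg-1.0/src/main.c", b"int main(void) { return 0; }\n")
        add("pkg-1.0/README", b"sample\n")
        # Generated script shipped only in the tarball, as the thread describes.
        add("pkg-1.0/configure", b"#!/bin/sh\n# generated by autoconf\n")
        # Opaque binary file that has no counterpart in Git.
        add("pkg-1.0/extra/blob.bin", b"\x00\x01\x02\xffopaque")
    return buf.getvalue()


def is_binary(data: bytes) -> bool:
    """Cheap heuristic: a NUL byte never appears in source text."""
    return b"\x00" in data


def tarball_only_files(tarball: bytes, tracked: set) -> dict:
    """Map each regular file found in the tarball but not in Git to 'binary' or 'text'."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Release tarballs carry a leading "name-version/" directory; strip it.
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            if path in tracked:
                continue
            data = tar.extractfile(member).read()
            result[path] = "binary" if is_binary(data) else "text"
    return result
```

Any entry in the returned map deserves a human look; a 'binary' entry is the case the thread singles out.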