xz backdoor

xz backdoor

[Reza Housseini]

Hi Guixers

Just stumbled upon this recently discovered supply chain attack on xz, 
inserting a backdoor via test files [1, 2]. And it made me wondering, 
what would have been the effects on guix and how can we potentially 
avoid it?

Stay safe!
Reza

[1] https://www.openwall.com/lists/oss-security/2024/03/29/4
[2] https://access.redhat.com/security/cve/cve-2024-3094#cve-cvss-v3

Re: xz backdoor

[Kaelyn]

Hi Reza,

On Monday, April 1st, 2024 at 12:46 PM, Reza Housseini <reza.housseini@gmail.com> wrote:

> 
> 
> Hi Guixers
> 
> Just stumbled upon this recently discovered supply chain attack on xz,
> inserting a backdoor via test files [1, 2]. And it made me wondering,
> what would have been the effects on guix and how can we potentially
> avoid it?

Thank you for your email about the xz backdoor! To hopefully help with your questions, there has already been some discussion on guix-devel about the backdoor and how it should be handled now and in the future:

https://lists.gnu.org/archive/html/guix-devel/2024-03/msg00281.html
https://lists.gnu.org/archive/html/guix-devel/2024-03/msg00292.html

The quick summary is that Guix currently shouldn't be affected because a) Guix currently packages xz 5.2.8, which predates the backdoor, and b) the backdoor includes checks based on absolute paths e.g. under /usr and Guix executable paths generally don't match the patterns checked for.

Cheers,
Kaelyn

> Stay safe!
> Reza
> 
> [1] https://www.openwall.com/lists/oss-security/2024/03/29/4
> [2] https://access.redhat.com/security/cve/cve-2024-3094#cve-cvss-v3

Re: xz backdoor

[jbranso]

April 1, 2024 at 3:46 PM, "Reza Housseini" <reza.housseini@gmail.com> wrote:



> 
> Hi Guixers
> 
> Just stumbled upon this recently discovered supply chain attack on xz, 
> 
> inserting a backdoor via test files [1, 2]. And it made me wondering, 
> 
> what would have been the effects on guix and how can we potentially 
> 
> avoid it?

It looks like the affected version is XZ XZ 5.6.0/5.6.1, and guix is
currently on 5.2.8.  The git repo is apparently not affected.  So we
could use the git repo and not the tarball.  Also it mainly seems to 
target systemd.  I'm basically reading phoronix's coverage:



The malicious injection present in the xz versions 5.6.0 and 5.6.1
libraries is obfuscated and only included in full in the download package
- the Git distribution lacks the M4 macro that triggers the build 
of the malicious code. The second-stage artifacts are present in 
the Git repository for the injection during the build time, in 
case the malicious M4 macro is present.

The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.

Joshua

P.S. Here's guix's xz source code:

https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/compression.scm#n494

And the phoronix link:

https://www.phoronix.com/news/XZ-CVE-2024-3094

> 
> Stay safe!
> 
> Reza
> 
> [1] https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
> [2] https://access.redhat.com/security/cve/cve-2024-3094#cve-cvss-v3
>

Re: xz backdoor

[Attila Lendvai]

> The quick summary is that Guix currently shouldn't be affected
> because a) Guix currently packages xz 5.2.8, which predates the
> backdoor, and b) the backdoor includes checks based on absolute
> paths e.g. under /usr and Guix executable paths generally don't
> match the patterns checked for.


and guix doesn't use systemd that patches sshd -- a critical piece of security -- in a way that made the backdoor possible...

-- 
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“War is a moral contest that is won in the temples before it is ever fought.”
	— Sun Tzu (c. 6th century BC), author of 'The Art of War' (as paraphrased by Jack Kennedy)

Re: xz backdoor

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 449 bytes --]

On Mon, Apr 01, 2024 at 09:46:12PM +0200, Reza Housseini wrote:
> Just stumbled upon this recently discovered supply chain attack on xz,
> inserting a backdoor via test files [1, 2]. And it made me wondering, what
> would have been the effects on guix and how can we potentially avoid it?

There's actually suspicious code by the xz attacker in one of our
packages right now:

https://issues.guix.gnu.org/issue/70113

Please help review that patch!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: xz backdoor

[Attila Lendvai]

> There's actually suspicious code by the xz attacker in one of our
> packages right now:
> 
> https://issues.guix.gnu.org/issue/70113
> 
> Please help review that patch!


as for gpaste (one of the dependees of libarchive):

it doesn't build since the recent gnome merge. i've filed a patch for the necessary version bump:

https://issues.guix.gnu.org/70133

which also gets rid of the libarchive dependency.

it would be nice to get this fast tracked. although, judging from the (lack of) complaints, i might be the only user of it.

PS: and meanwhile we're packaging an alternative, namely gnome-shell-extension-clipboard-indicator, with an enormous security flaw: by default it saves the clipboard history in clear text, and calls the feature "cache only favorites", so that even if you look for it, you still don't realize it:

https://github.com/Tudmotu/gnome-shell-extension-clipboard-indicator/issues/138#issuecomment-904689439

...and its author actively defends this situation.

-- 
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“The noble-minded are calm and steady. Little people are forever fussing and fretting.”
	— Confucius (551–479 BC), 'Analects of Confucius'

Re: xz backdoor

[adanskana]

[-- Attachment #1: Type: text/plain, Size: 1715 bytes --]

Hi all,

On Tue, Apr 2 2024 at 08:23:40 AM +0000, Attila Lendvai 
<attila@lendvai.name> wrote:
>>  There's actually suspicious code by the xz attacker in one of our
>>  packages right now:
>> 
>>  <https://issues.guix.gnu.org/issue/70113>
>> 
>>  Please help review that patch!
> 
> 
> as for gpaste (one of the dependees of libarchive):
> 
> it doesn't build since the recent gnome merge. i've filed a patch for 
> the necessary version bump:
> 
> <https://issues.guix.gnu.org/70133>
> 
> which also gets rid of the libarchive dependency.
I mentioned this on the guix XMPP server. Thanks for fixing this!
> 
> it would be nice to get this fast tracked. although, judging from the 
> (lack of) complaints, i might be the only user of it.
> 
> PS: and meanwhile we're packaging an alternative, namely 
> gnome-shell-extension-clipboard-indicator, with an enormous security 
> flaw: by default it saves the clipboard history in clear text, and 
> calls the feature "cache only favorites", so that even if you look 
> for it, you still don't realize it:
> 
> <https://github.com/Tudmotu/gnome-shell-extension-clipboard-indicator/issues/138#issuecomment-904689439>
> 
> ...and its author actively defends this situation.
I used gpaste up until the merge and went to use the extension. I had 
absolutely no idea this was the state of things; that is very worrying. 
I'm keen to see your patch fasttracked - you're not the only user, haha!
> 
> --
> • attila lendvai
> • PGP: 963F 5D5F 45C7 DFCD 0A39
> --
> “The noble-minded are calm and steady. Little people are forever 
> fussing and fretting.”
> 	— Confucius (551–479 BC), 'Analects of Confucius'

Thanks,
Ada





[-- Attachment #2: Type: text/html, Size: 2529 bytes --]

Re: xz backdoor

[Ryan Prior]

On Tuesday, April 2nd, 2024 at 3:23 AM, Attila Lendvai <attila@lendvai.name> wrote:

> https://github.com/Tudmotu/gnome-shell-extension-clipboard-indicator/issues/138#issuecomment-904689439
> 
> ...and its author actively defends this situation.

Yikes. This sounds like a great reason to fork. The author can prefer it his way but it's irresponsible to make that the default.

Ryan