Backdoor found in OpenSSH

in #life · 2 months ago (edited)

Just a quick heads up for folks that like to stay aware of these things.

https://www.openwall.com/lists/oss-security/2024/03/29/4

The discussion there explains the situation well, and why you're likely not at risk (the code wasn't widely in use yet).

"Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux distributions, and where they have, mostly in pre-release versions."

So, if you can benefit from reading a thorough discussion of Linux code in upstream tarballs, and have considered running - or have run - some pre-release Debian lately, you should have a looksee so you know who to craft a voodoo doll of and torment with pins under their fingernails, or at least which code not to run.

I'm really happy Linux is open source, and good honest people forthrightly discuss it.

Just think if the CIA was open source, and anyone good or honest was involved, how much a better place the world would be.

[Image: openwall.png]
IMG source - Openwall.com

Edit: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

re-Edit: https://hachyderm.io/@danderson/112185746000358589

New discoveries.

re-re-Edit: https://gynvael.coldwind.pl/?lang=en&id=782

Discussion of the obfuscation, which is pretty interesting, and how the sploit functions.


I hope there will be accountability, similar to if an employee at the bank leaves the back door open. Did he accidentally forget to secure it, or was it intentional? Is there a place for law to get involved? You cannot say, "All is good, we caught it this time." Next time it might not be caught as soon or without damage.

Seems deliberate

Folks looking have found several more exploits in Jia Tan's commits, and no one is suggesting these are just bugs. I keep editing the post, and I added a reply with more information that turned up, trying to provide comprehensive notice of the threat, as there may have been some pre-release installations people might be compromised by.

Injecting exploits into oss code is, I believe, a crime. 'Jia Tan' is likely an alias, and one login as 'Jia Cheong Tan' is suspected to be a diversion. There's been speculation that the h4x0r is unlikely to be a state actor, because they are unlikely to create backdoors like this, since when they're found they raise a foul stench that causes great distrust of the state discovered doing it, so they just buy exploits from the ebil h4x0rs that sell them when they need to achieve a particular goal.

I dunno about any of that. It seems to me to be speculation without much basis. One interesting thing about police investigation is jurisdiction. The internet isn't confined to any one jurisdiction, which makes crimes committed online sort of outside all jurisdictions. Since no one seems to have been hit by this attempt, most LEAs don't have much motivation to go after this guy.

The more I read about it, however, the more impactful people who know say it would have been if it had been rolled out. Overall, then, the fact a guy investigating a slowdown looking for a random bug in oss code found this instead is a great advertisement for oss software, and a dire warning about the blobs m$, Apple, etc. sell. If Linux was proprietary, this hack would have potentially very severely compromised possibly millions of systems, people, and commercial and government entities, as many have before.

Hurray for oss!

Thanks!

I only use Linux distributions, mainly in the Ubuntu realm. In my student years in my IT-focused university I worked more with Debian. Thanks for this input.

We are really fortunate to have open source software, and the free speech that makes it possible. I try to keep an ear to the ground, just because I can.

Thanks!

Dear @valued-customer!
I assumed you were claiming that Google hacks personal information!
Do you recommend using Linux?

Fakebook does. I bet Goolag does too.

"Do you recommend using Linux?"

Yes.

Imagine if all government was open source! What a world that would be.

Thanks for this!

They can't stop the signal as long as we keep each other in the loop.

Thanks!

Update: Lietu has taken a closer look at what other things might be affected by the malicious code in the xz package, and it's pretty extensive, so I thought to include it.

[Image: LietuComment.png]

Take action as necessary to secure whichever of these common utilities and features you may be using.