this post was submitted on 29 Mar 2024
269 points (99.3% liked)

Linux

48624 readers
1462 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

openSUSE maintainers received notification of a supply chain attack against the “xz” compression tool and “liblzma5” library.

Background

Security Researcher Andres Freund reported to Debian that the xz / liblzma library had been backdoored.

This backdoor was introduced in the upstream github xz project with release 5.6.0 in February 2024.

Our rolling release distribution openSUSE Tumbleweed and openSUSE MicroOS included this version between March 7th and March 28th.

SUSE Linux Enterprise and Leap are built in isolation from openSUSE. Code, functionality and characteristics of Tumbleweed are not automatically introduced in SUSE Linux Enterprise and/or Leap. It has been established that the malicious file introduced into Tumbleweed is not present in SUSE Linux Enterprise and/or Leap.

Impact

Current research indicates that the backdoor is active in the SSH Daemon, allowing malicious actors to access systems where SSH is exposed to the internet.

As of March 29th reverse engineering of the backdoor is still ongoing.

Mitigations

openSUSE Maintainers have rolled back the version of xz on Tumbleweed on March 28th and have released a new Tumbleweed snapshot (20240328 or later) that was built from a safe backup.

The reversed version is versioned 5.6.1.revertto5.4 and can be queried with rpm -q liblzma5.

User recommendation

For our openSUSE Tumbleweed users where SSH is exposed to the internet we recommend installing fresh, as it’s unknown if the backdoor has been exploited. Due to the sophisticated nature of the backdoor an on-system detection of a breach is likely not possible. Also rotation of any credentials that could have been fetched from the system is highly recommended. Otherwise, simply update to openSUSE Tumbleweed 20240328 or later and reboot the system.

More Information about openSUSE:

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 8 months ago* (last edited 8 months ago) (1 children)

So this is what happens when package maintainers fail to find the problematic bits during package updates. I'll be honest, after seeing how Linux package management is done (automation and semi-automation galore) and by whom (people who often don't know the programming language of the source and who don't have much time either), I am more surprised that it took this long.

[–] baru 7 points 8 months ago (1 children)

In this case the upstream maintainer heavily obfuscated the code to be able to compromise ssh. Package maintainers aren't responsible for vetting for that.

[–] [email protected] 4 points 8 months ago* (last edited 8 months ago) (1 children)

The original email talks about a line that is in the release tar balls but not the repository itself that actually arms the exploit. This seems like something a maintainer should be able to verify.

Not saying that they should have immediately seen that that is an exploit, the exploit is obfuscated very well. But this should be a big red flag right?

[–] SMillerNL 3 points 8 months ago (1 children)

As a Homebrew maintainer, what is there to red flag about a project providing tarballs of their source?

We would have to red flag pretty much every project that uses autoconf (since those usually provide a tarball where the user doesn’t have to run autoreconf)

[–] [email protected] 1 points 8 months ago

I have to admit I have no practical experience as a package maintainer, but this case sounds like there is a diff between files checked into the repo and the ones provided by the tarball.

If the tarball contains new files that contain executable code that's still weird tbh, but I guess you have to trust the upstream maintainers to some degree. But a diff in a checked in file seems different to me.