Debian Bug report logs - #1068024
revert to version that does not contain changes by bad actor


Package: xz-utils; Maintainer for xz-utils is Jonathan Nieder <jrnieder@gmail.com>; Source for xz-utils is src:xz-utils (PTS, buildd, popcon).

Reported by: Joey Hess <id@joeyh.name>

Date: Fri, 29 Mar 2024 20:36:01 UTC

Severity: important

Tags: security

Found in version xz-utils/5.6.1+really5.4.5-1



Report forwarded to debian-bugs-dist@lists.debian.org, Jonathan Nieder <jrnieder@gmail.com>:
Bug#1068024; Package xz-utils. (Fri, 29 Mar 2024 20:36:04 GMT)


Acknowledgement sent to Joey Hess <id@joeyh.name>:
New Bug report received and forwarded. Copy sent to Jonathan Nieder <jrnieder@gmail.com>. (Fri, 29 Mar 2024 20:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Joey Hess <id@joeyh.name>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: revert to version that does not contain changes by bad actor
Date: Fri, 29 Mar 2024 16:25:26 -0400
Package: xz-utils
Version: 5.6.1+really5.4.5-1
Severity: important
Tags: security

I count a minimum of 750 commits or contributions to xz by Jia Tan, who
backdoored it.

This includes all 700 commits made after they merged a pull request on Jan 7,
2023, at which point they appear to have already had direct push access, which
would have also let them push commits with forged authors. Probably a number of
other commits before that point as well.

Reverting the backdoored version to a previous version is not sufficient to
know that Jia Tan has not hidden other backdoors in it. Version 5.4.5 still
contains the majority of those commits.

Commits by them such as 18d7facd3802b55c287581405c4d49c98708c136
and ae5c07b22a6b3766b84f409f1b6b5c100469068a show that they were deep
into analyzing the security of xz. They were well placed to insert a buffer
overflow that could allow, e.g., a targeted xz file to cause arbitrary code
execution. The impact of such a security hole could be much more stealthy and
bad than the known backdoor since it would allow chaining xz with other
unrelated software releases on an ongoing basis.

The package should be reverted to a version before their involvement,
which started with commit 6468f7e41a8e9c611e4ba8d34e2175c5dacdbeb4.
Or their early commits could be vetted and the package reverted to a later
point, but any arbitrary commit by a known bad and malicious actor almost
certainly has less value than the risk that a subtle change goes unnoticed.

I'd suggest reverting to 5.3.1. Bearing in mind that there were security
fixes after that point for ZDI-CAN-16587 that would need to be reapplied.

-- 
see shy jo
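Two of the checks the report's reasoning calls for, written here as an added shell example that is not part of the bug report or of the xz project: counting a contributor's commits after a cut-off commit, and listing commits whose committer identity differs from the author identity, which is the trace a push-capable contributor would leave when recording someone else's name as author. The history lines, hashes and e-mail addresses below are a constructed sample; the git command in the comments shows how to produce real input in the same format.

```shell
#!/bin/sh
# Added example, not from the bug report or the xz project.
# Input format, one commit per line, oldest first:
#   hash|author name|author email|committer name|committer email
# git produces it with:
#   git log --reverse --format='%H|%an|%ae|%cn|%ce' <cut-off-commit>^..HEAD
# (for the report's cut-off, <cut-off-commit> would be
#  6468f7e41a8e9c611e4ba8d34e2175c5dacdbeb4).
# The lines below are a constructed sample with fake hashes and addresses.
HISTORY='c0ffee01|Upstream Maintainer|maint@example.invalid|Upstream Maintainer|maint@example.invalid
c0ffee02|Jia Tan|jiat@example.invalid|Upstream Maintainer|maint@example.invalid
c0ffee03|Jia Tan|jiat@example.invalid|Jia Tan|jiat@example.invalid
c0ffee04|Upstream Maintainer|maint@example.invalid|Jia Tan|jiat@example.invalid
c0ffee05|Jia Tan|jiat@example.invalid|Jia Tan|jiat@example.invalid'

# Print the hashes of commits authored by $3 that come after commit $2
# (exclusive) in history $1.
commits_by_after() {
    printf '%s\n' "$1" | awk -F '|' -v cut="$2" -v who="$3" '
        $1 == cut          { after = 1; next }
        after && $2 == who { print $1 }'
}

# Same selection, reduced to a count (prints 0 when nothing matches).
count_commits_by_after() {
    commits_by_after "$@" | awk 'END { print NR }'
}

# Print every commit whose committer e-mail differs from its author e-mail.
# A mismatch is normal for patches applied on someone's behalf, so this is
# a list to vet, not proof that an author field was forged.
author_committer_mismatch() {
    printf '%s\n' "$1" | awk -F '|' '
        $3 != $5 { print $1 "|author " $2 " <" $3 ">|committer " $4 " <" $5 ">" }'
}

echo "Commits by Jia Tan after c0ffee01: $(count_commits_by_after "$HISTORY" c0ffee01 'Jia Tan')"
echo "Author/committer mismatches to vet:"
author_committer_mismatch "$HISTORY"
```

On a real checkout the mismatch list is the set of commits where the author line alone cannot be trusted as attribution; each one needs the same review as a commit openly authored by the contributor in question.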

Information forwarded to debian-bugs-dist@lists.debian.org, Jonathan Nieder <jrnieder@gmail.com>:
Bug#1068024; Package xz-utils. (Fri, 29 Mar 2024 21:36:03 GMT)


Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to Jonathan Nieder <jrnieder@gmail.com>. (Fri, 29 Mar 2024 21:36:03 GMT)


Message #10 received at submit@bugs.debian.org:

From: Aurelien Jarno <aurelien@aurel32.net>
To: Joey Hess <id@joeyh.name>, 1068024@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#1068024: revert to version that does not contain changes by bad actor
Date: Fri, 29 Mar 2024 22:32:23 +0100
On 2024-03-29 16:25, Joey Hess wrote:
> I'd suggest reverting to 5.3.1. Bearing in mind that there were security
> fixes after that point for ZDI-CAN-16587 that would need to be reapplied.

Note that reverting to such an old version will break packages that use
new symbols introduced since then. From a quick look, this is at least:
- dpkg
- erofs-utils
- kmod

Having dpkg in that list means that such a downgrade has to be planned
carefully.

Regards
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                     http://aurel32.net


Information forwarded to debian-bugs-dist@lists.debian.org, Jonathan Nieder <jrnieder@gmail.com>:
Bug#1068024; Package xz-utils. (Fri, 29 Mar 2024 22:57:02 GMT)


Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. Copy sent to Jonathan Nieder <jrnieder@gmail.com>. (Fri, 29 Mar 2024 22:57:02 GMT)


Message #20 received at 1068024@bugs.debian.org:

From: Thorsten Glaser <tg@mirbsd.de>
To: Aurelien Jarno <aurelien@aurel32.net>, 1068024@bugs.debian.org
Cc: Joey Hess <id@joeyh.name>
Subject: Re: Bug#1068024: revert to version that does not contain changes by bad actor
Date: Fri, 29 Mar 2024 22:47:48 +0000 (UTC)
Aurelien Jarno dixit:

>Having dpkg in that list means that such downgrade has to be planned
>carefully.

Right. Not an argument against, though.
Instead, this is a very good idea.

What symbols are new? Can we somehow stub them, or at least where
those are used? Or change the soname, so that the old and new-older
versions are coïnstallable during the upgrade?

bye,
//mirabilos
-- 
<igli> exceptions: a truly awful implementation of quite a nice idea.
<igli> just about the worst way you could do something like that, afaic.
<igli> it's like anti-design.  <mirabilos> that too… may I quote you on that?
<igli> sure, tho i doubt anyone will listen ;)
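The check that Aurelien's and Thorsten's messages ask for, as an added shell example that is not from the bug report or the xz project: which symbols a newer build of a shared library exports that an older one does not, and which installed binaries import one of them and would therefore fail to load after a downgrade. The symbol lists and import table below are a constructed sample, not the real liblzma ABI; the comments show the nm commands that produce real input in the same format.

```shell
#!/bin/sh
# Added example, not from the bug report or the xz project.
# Real input comes from the binutils nm tool, e.g.:
#   nm -D --defined-only old/liblzma.so.5 | awk '{ print $NF }' | sort -u > old.syms
#   nm -D --defined-only new/liblzma.so.5 | awk '{ print $NF }' | sort -u > new.syms
#   for b in /usr/bin/dpkg /sbin/modprobe; do
#       nm -D --undefined-only "$b" | awk -v f="$b" '{ print f, $NF }'
#   done > imports.txt
# The lists below are a constructed sample, not the actual liblzma symbol table.
LC_ALL=C; export LC_ALL   # make sort and comm agree on ordering everywhere

# Symbols exported by the older build (constructed).
OLD_SYMS='lzma_code
lzma_easy_encoder
lzma_end
lzma_stream_decoder'

# Symbols exported by the newer build (constructed).
NEW_SYMS='lzma_code
lzma_easy_encoder
lzma_end
lzma_lzip_decoder
lzma_str_to_filters
lzma_stream_decoder'

# "binary symbol" pairs: each dynamic symbol a binary imports (constructed).
IMPORTS='/usr/bin/dpkg lzma_code
/usr/bin/dpkg lzma_str_to_filters
/sbin/modprobe lzma_stream_decoder
/usr/bin/xzcat lzma_lzip_decoder'

# Print the symbols exported by the new build ($2) but not by the old one ($1).
added_symbols() {
    old_tmp=$(mktemp); new_tmp=$(mktemp)
    printf '%s\n' "$1" | sort -u > "$old_tmp"
    printf '%s\n' "$2" | sort -u > "$new_tmp"
    comm -13 "$old_tmp" "$new_tmp"
    rm -f "$old_tmp" "$new_tmp"
}

# Print each "binary symbol" pair in $2 whose symbol is in the added list $1.
# After a downgrade the dynamic linker refuses to start such a binary with an
# undefined-symbol error, so these are the packages the downgrade would break.
downgrade_breaks() {
    added_tmp=$(mktemp)
    printf '%s\n' "$1" > "$added_tmp"
    printf '%s\n' "$2" | awk -v f="$added_tmp" '
        BEGIN { while ((getline s < f) > 0) if (s != "") added[s] = 1 }
        ($2 in added) { print $1, $2 }'
    rm -f "$added_tmp"
}

ADDED=$(added_symbols "$OLD_SYMS" "$NEW_SYMS")
echo "Symbols only the newer build exports:"
printf '%s\n' "$ADDED"
echo "Binaries that would fail to load after the downgrade:"
downgrade_breaks "$ADDED" "$IMPORTS"
```

If your nm prints version suffixes such as `name@XZ_5.4`, strip them with `sed 's/@.*//'` before comparing. The check covers only direct dynamic imports; a binary that resolves symbols with dlsym at run time, or that links liblzma only through another library, has to be inspected separately. It is also the list that tells you whether Thorsten's soname idea is needed at all: with no importers of the added symbols, the old and newer libraries need not be co-installed.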



Information forwarded to debian-bugs-dist@lists.debian.org, Jonathan Nieder <jrnieder@gmail.com>:
Bug#1068024; Package xz-utils. (Sat, 30 Mar 2024 00:51:03 GMT)


Acknowledgement sent to Stephan Verbücheln <verbuecheln@posteo.de>:
Extra info received and forwarded to list. Copy sent to Jonathan Nieder <jrnieder@gmail.com>. (Sat, 30 Mar 2024 00:51:03 GMT)


Message #25 received at 1068024@bugs.debian.org:

From: Stephan Verbücheln <verbuecheln@posteo.de>
To: 1068024@bugs.debian.org
Subject: Or remove xz altogether?
Date: Sat, 30 Mar 2024 00:48:34 +0000
Maybe the people who criticized xz back in the day for being an amateur
project implementing a defective file format were right all along?

https://www.nongnu.org/lzip/xz_inadequate.html

Regards
Stephan



Information forwarded to debian-bugs-dist@lists.debian.org, Jonathan Nieder <jrnieder@gmail.com>:
Bug#1068024; Package xz-utils. (Sat, 30 Mar 2024 02:51:02 GMT)


Acknowledgement sent to Mark-Oliver Wolter <mow@mowny.de>:
Extra info received and forwarded to list. Copy sent to Jonathan Nieder <jrnieder@gmail.com>. (Sat, 30 Mar 2024 02:51:03 GMT)


Message #30 received at 1068024@bugs.debian.org:

From: Mark-Oliver Wolter <mow@mowny.de>
To: 1068024@bugs.debian.org, Aurelien Jarno <aurelien@aurel32.net>
Subject: Re: Bug#1068024: revert to version that does not contain changes by bad actor
Date: Sat, 30 Mar 2024 03:38:39 +0100
On Fri, 29 Mar 2024 22:32:23 +0100 Aurelien Jarno <aurelien@aurel32.net>
wrote:
> Having dpkg in that list means that such downgrade has to be planned
> carefully.

Might be easier overall to spend that effort on a hard switch to zstd
instead.

mfG mow




Information forwarded to debian-bugs-dist@lists.debian.org, Jonathan Nieder <jrnieder@gmail.com>:
Bug#1068024; Package xz-utils. (Sat, 30 Mar 2024 02:51:04 GMT)


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonathan Nieder <jrnieder@gmail.com>. (Sat, 30 Mar 2024 02:51:04 GMT)


Message #35 received at 1068024@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: Stephan Verbücheln <verbuecheln@posteo.de>, 1068024@bugs.debian.org
Subject: Re: Bug#1068024: Or remove xz altogether?
Date: Sat, 30 Mar 2024 03:49:12 +0100
On Sat, 2024-03-30 at 00:48:34 +0000, Stephan Verbücheln wrote:
> Maybe the people who criticized xz back in the day for being an amateur
> project implementing a defective file format were right all along?
> 
> https://www.nongnu.org/lzip/xz_inadequate.html

*Sigh*, the current situation is bad enough, and has nothing to do
with the xz format or design, or the FUD and propaganda from that
link. Please drop it…

Thanks,
Guillem



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 30 04:04:07 2024; Machine Name: buxtehude