iarekk

iarekk

Backdoor in the xz library - check your environments

Just seen this on LinkedIn, and didn’t see any threads here. Looks like a severe problem with anything running xz library (brew lists it as a dependency for elixir/erlang).

To determine if you are affected, run the following:

% xz --version
xz (XZ Utils) 5.4.4
liblzma 5.4.4

If you see 5.6.0 or 5.6.1, you are vulnerable and you need to downgrade.

Some more info here:

Most Liked

gregvaughn

gregvaughn

I’ve started using the metaphor of open source libraries as “free as in puppy” (blog) because adopting a dependent library implies ongoing responsibility to feed/vaccinate/walk it.

18
Post #5
sbuttgereit

sbuttgereit

I just read:

Stepping beyond the immediate issue, and assuming that the reporting here is correct (never a sure thing), there’s some greater insight which can be got from this episode which is applicable to open source project management generally.

The following year, JiaT575 submited a patch over the xz Utils mailing list, and almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of xz Utils, hadn’t been updating the software often or fast enough. Kumar, with the support of Dennis Ens and several other people who had never had a presence on the list, pressured Collin to bring on an additional developer to maintain the project.

It’s not uncommon to see open source projects and tools collect complaints that they’re “abandoned” or that the maintainers are somehow not dedicating enough time to the project. We’ll see this sort of thing pop up in these forums from time to time… such and such library hasn’t been updated in too long a time, etc. It’s not unreasonable for such questions or concerns to be raised by the community, but in this case it looks like this was an engineered concern for the purposes of getting malicious individuals into maintainer roles on the project. They weaponized the good intentions of the long time maintainer to get the access they desired.

I think one lesson here is for open source maintainers, or those that would become maintainers. Finding that a framework, library, or application that you’ve open sourced and maintain has found popularity is going to put you into the firing line of both deserved and undeserved public scrutiny. There is a confidence that you must possess to avoid letting unwarranted, but perhaps considerable, peer pressure forcing your hand into foolish actions. I also expect that lone maintainers or very small, ad hoc project maintenance groups will be more vulnerable to this sort of thing compared to better established groups of maintainers with maintenance processes in place.

Another lesson is for those of us that use open source tools in that we can’t just blindly install the most convenient thing and think that we’re done. A sufficiently important, but perhaps obscure, open source project may exist somewhere in the supply chain that you have allowed yourself to rely upon and it may have the kind of well intentioned, but ad hoc maintenance management that is vulnerable to this sort of social engineering attack. Consider how this was found:

Andres Freund, a developer and engineer working on Microsoft’s PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was experiencing with SSH, the most widely used protocol for remotely logging into devices over the Internet. Specifically, SSH logins were consuming too many CPU cycles and were generating errors with valgrind, a utility for monitoring computer memory.

Through a combination of sheer luck and Freund’s careful eye, he eventually discovered the problems were the result of updates that had been made to xz Utils. On Friday, Freund took to the Open Source Security List to disclose the updates were the result of someone intentionally planting a backdoor in the compression software.

Someone using a tool, that included a tool with a maintenance management problem, had to take it upon themselves to figure out what was going wrong and in so doing ultimately found the attack. Andres Freund, a PostgreSQL core team member, isn’t a maintainer of xz, but nonetheless took on the responsibility to understand the root of the problem that he was seeing with a tool that he was using. When we decide to rely upon someone else’s software, we’re in essence making a trade for increased short term productivity at the cost of increased responsibility for making sure our choices pan out and continue to be correct over the lifetime of our software.

Eiji

Eiji

Official note, created by Lasse Collin, with other helpful links is available here: XZ Utils backdoor

In Gentoo there is already an easy workaround. Simply newest ebuild has been masked and the one with for older version that is considered secure has been restored. The downgrade is as easy as regular updates. I have almost not noticed it as it does not causes any problems. :sweat_smile:

Where Next?

Popular in Discussions Top

sashaafm
Piggy backing a bit on @dvcrn topic BEAM optimization for functions with static return type?, I’ve been trying to understand in a deeper ...
New
AlexMcConnell
The reason that Rails is as popular as it is is because it’s very easy for relatively inexperienced developers to get a lot of work done....
588 19652 166
New
Crowdhailer
I’ve been hearing much about the new formatter and it’s something I have been keen to try. I find examples buy far the most illuminating...
248 19327 150
New
New
axelson
Decided against including more info in the title, but the gist is that Plataformatec sponsored projects will continue with the assets bei...
New
marciol
Please, let me know if this kind of discussion already took place in another topic . Hi all, how do you consider if is better to build ...
New
arpan
Hello everyone :wave: Today I am very excited to announce a project that I have been working on for almost 3 months now. The project is...
New
AstonJ
Can you believe the first professionally published Elixir book was published just 8 years ago? Since then I think we’ve seen more books f...
New
cblavier
Hey there, It’s been more than a year since we started using LiveView as our main UI library and building a whole library of UI componen...
New
100phlecs
Are there any downsides, like perf issues, to putting all functional components in CoreComponents as long as you prefix it with the conte...
New

Other popular topics Top

JeremM34
Hello, how can I check the Phoenix version ? Thanks !
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New
boundedvariable
I am going through the kafka architecture. All the features what the kafka is providing are already in Erlang. I would like hear your opi...
New
danschultzer
None of the current solutions worked well for me, so I went ahead and built a user management system from scratch. This project took far...
548 29603 241
New
greenz1
I have a phoenix application from which a user can download multiple(5-6) files of size 1MB. I couldn’t find anything related to sending ...
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
sorentwo
Hello! tl;dr Announcing Oban, an Ecto based job processing library with a focus on reliability and historical observability. After spen...
985 43487 311
New
siddhant3030
Hi, I have to write a raw query for one of my project. But till now I have used ecto queries and don’t have much experience writing raw ...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement