forum.opennet.ru

Составление сообщения

Исходное сообщение

"В библиотеке xz/liblzma выявлен бэкдор, организующий вход че..."
Отправлено Bonbon, 30-Мрт-24 08:04

> Почти все дистрибутивы, за исключением, может быть, RHEL, торопятся выложить пакеты из upstream, никогда не проверяя, что исходный код не был затроянен.
К вопросу о RHEL:
(1) We built 5.6.0 for Fedora 40 & 41.  Jia Tan was very insistent in
emails that we should update.
(2) We got reports later of a valgrind test failure.  I also saw it
myself in my own projects that use liblzma.  We notified Jia Tan of
this.
(3) Since the valgrind failure pointed to something with ifuncs, using
'./configure --disable-ifuncs' was used to fix this in F40 & F41.
(4) xz 5.6.1 was released with a fix for the valgrind failure.
(5) Fedora 40 was now in beta so we kept 5.6.0 + --disable-ifuncs.
Fedora 41 was updated to 5.6.1 (enabling ifuncs again).
And now with the benefit of hindsight ...
In step (1) we worked in good faith with upstream.  Given how
obfuscated the injection is, it's very unlikely we would have found
the problem even if we'd spent days inspecting the tarball.  (And the
initial step of injection is *not* in git, so forget about reviewing
git commits.)
The valgrind failure (2) was caused by a bug in the back door.
Disabling ifuncs in (3) disabled the back door, because I think it
relies on ifuncs to do its malware, but in any case the obfuscated
injection script explicitly skips injection if ifuncs are disabled.
Step (4) fixed the back door valgrind failure.
The Fedora 40 beta freeze in (5) meant we got lucky for F40, not so
much for F41.
https://lists.fedoraproject.org/archives/list/devel@lis.../

Исходное сообщение
"В библиотеке xz/liblzma выявлен бэкдор, организующий вход че..." Отправлено Bonbon, 30-Мрт-24 08:04
> Почти все дистрибутивы, за исключением, может быть, RHEL, торопятся выложить пакеты из upstream, никогда не проверяя, что исходный код не был затроянен. К вопросу о RHEL: (1) We built 5.6.0 for Fedora 40 & 41. Jia Tan was very insistent in emails that we should update. (2) We got reports later of a valgrind test failure. I also saw it myself in my own projects that use liblzma. We notified Jia Tan of this. (3) Since the valgrind failure pointed to something with ifuncs, using './configure --disable-ifuncs' was used to fix this in F40 & F41. (4) xz 5.6.1 was released with a fix for the valgrind failure. (5) Fedora 40 was now in beta so we kept 5.6.0 + --disable-ifuncs. Fedora 41 was updated to 5.6.1 (enabling ifuncs again). And now with the benefit of hindsight ... In step (1) we worked in good faith with upstream. Given how obfuscated the injection is, it's very unlikely we would have found the problem even if we'd spent days inspecting the tarball. (And the initial step of injection is not in git, so forget about reviewing git commits.) The valgrind failure (2) was caused by a bug in the back door. Disabling ifuncs in (3) disabled the back door, because I think it relies on ifuncs to do its malware, but in any case the obfuscated injection script explicitly skips injection if ifuncs are disabled. Step (4) fixed the back door valgrind failure. The Fedora 40 beta freeze in (5) meant we got lucky for F40, not so much for F41. https://lists.fedoraproject.org/archives/list/devel@lis.../

Ваше сообщение
Имя*:
EMail:	Для отправки ответов на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	>> Почти все дистрибутивы, за исключением, может быть, RHEL, торопятся выложить пакеты из upstream, никогда не проверяя, что исходный код не был затроянен. > К вопросу о RHEL: > (1) We built 5.6.0 for Fedora 40 & 41. Jia Tan > was very insistent in > emails that we should update. > (2) We got reports later of a valgrind test failure. I > also saw it > myself in my own projects that use liblzma. We notified Jia > Tan of > this. > (3) Since the valgrind failure pointed to something with ifuncs, using > './configure --disable-ifuncs' was used to fix this in F40 & F41. > (4) xz 5.6.1 was released with a fix for the valgrind failure. > (5) Fedora 40 was now in beta so we kept 5.6.0 + > --disable-ifuncs. > Fedora 41 was updated to 5.6.1 (enabling ifuncs again). > And now with the benefit of hindsight ... > In step (1) we worked in good faith with upstream. Given > how > obfuscated the injection is, it's very unlikely we would have found > the problem even if we'd spent days inspecting the tarball. (And > the > initial step of injection is not in git, so forget about reviewing > git commits.) > The valgrind failure (2) was caused by a bug in the back > door. > Disabling ifuncs in (3) disabled the back door, because I think it > relies on ifuncs to do its malware, but in any case the > obfuscated > injection script explicitly skips injection if ifuncs are disabled. > Step (4) fixed the back door valgrind failure. > The Fedora 40 beta freeze in (5) meant we got lucky for > F40, not so > much for F41. > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/YTOGJVBNOSW7FSEE7B35GETS25KFPKBO/
	Введите код, изображенный на картинке:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру