Consider pausing use of XZ, LZMA and 7z until the fallout settles

Moonchild
Pale Moon guru
Posts: 35771
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Consider pausing use of XZ, LZMA and 7z until the fallout settles

Unread post by Moonchild » 2024-04-13, 16:30

athenian200 wrote (2024-04-13, 15:41):
    So it seems that 7zip has existed longer than xz-utils

Yes it has. 7-zip is what put LZMA on the map. Eventually Igor open-sourced 7-zip and that's when FOSS implementations of it took off, including XZ. At least that's my understanding of it, and I've used 7-zip since the beginning; pretty sure xz wasn't at all a thing back then.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

vannilla
Moon Magic practitioner
Posts: 2199
Joined: 2018-05-05, 13:29

Re: Consider pausing use of XZ, LZMA and 7z until the fallout settles

Unread post by vannilla » 2024-04-13, 22:29

xz's "mainstream" use is actually fairly recent.
I don't know when xz's implementation of LZMA became a systemd dependency (i.e. the target of the attack), but until ten years ago or something very few people actually used xz for compression.
It gained traction because it is legitimately good, but until then it was mostly a niche tool; the library might have had the same fate.

Bilbo47
Fanatic
Posts: 242
Joined: 2017-11-18, 04:24

Re: Consider pausing use of XZ, LZMA and 7z until the fallout settles

Unread post by Bilbo47 » 2024-04-23, 22:07

I also got details on how the backdoor exploit worked. On Linux, systemd was mentioned above. Could this particular exploit chain have been possible on Linuxen without systemd? As in, is the systemd hook an example of what the so-called naysayers got worried about back when the push was made to switch all the distros to systemd as a replacement for the previous design for an OS supervisor?

Moonchild
Pale Moon guru
Posts: 35771
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Consider pausing use of XZ, LZMA and 7z until the fallout settles

Unread post by Moonchild » 2024-04-23, 23:27

As far as I understood the library hijack could be done on any system that uses a run-time linker to tie together binaries and their libs, since the hijack is done through that linker to point to the malicious RSA functions instead of the actual ones. I'm not sure if that's systemd specific or not; it may be a general ELF thing. My knowledge of Linux binaries falls a bit short here, but I wanted to relay at least that bit.
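Moonchild's point above is that the hijack rides on the run-time linker: whatever shared objects end up mapped into a process are what its symbols resolve against. The first practical question for a defender after a shared library is found to be compromised is therefore which running processes actually have that library mapped. The following is an added example, not code from this thread or from the Pale Moon project: it parses the Linux /proc/<pid>/maps format and lists the shared objects backing a process's mappings, so a specific library (here liblzma, taken from the discussion) can be looked up by name. The sample mapping table is constructed; the daemon name, addresses and inode numbers are made up, and the script assumes the Linux procfs layout.

```python
"""Inventory the shared objects the run-time linker has mapped into a process.

Added example (not from the forum thread): /proc/<pid>/maps lists every
memory mapping of a process together with its backing file, so parsing it
shows which shared objects the dynamic linker brought in, directly or as
transitive dependencies, and which a binary's symbols can resolve against.
"""
import re
from pathlib import Path

# One /proc/<pid>/maps line: address range, perms, file offset, device, inode, path
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def mapped_shared_objects(maps_text):
    """Return the sorted list of shared-object paths backing mappings in maps_text."""
    libs = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue  # tolerate trailing garbage or blank lines
        path = m.group("path").strip()
        # Anonymous mappings have no path; [heap], [stack], [vdso] are pseudo-paths
        if not path or path.startswith("["):
            continue
        # Only report shared objects, not the executable itself or data files
        if ".so" in Path(path).name:
            libs.add(path)
    return sorted(libs)


def find_library(maps_text, soname_prefix):
    """Return mapped objects whose file name starts with soname_prefix (e.g. 'liblzma')."""
    return [p for p in mapped_shared_objects(maps_text) if Path(p).name.startswith(soname_prefix)]


def scan_pid(pid):
    """Read a live process's maps (Linux only, needs permission on /proc/<pid>/maps)."""
    return mapped_shared_objects(Path(f"/proc/{pid}/maps").read_text())


# Constructed sample in /proc/<pid>/maps format. The daemon name, addresses,
# device numbers and inodes are invented for the example.
SAMPLE_MAPS = """\
55d0c1a00000-55d0c1a2b000 r--p 00000000 fd:01 1310722 /usr/sbin/example-daemon
55d0c1a2b000-55d0c1b40000 r-xp 0002b000 fd:01 1310722 /usr/sbin/example-daemon
55d0c2f00000-55d0c2f21000 rw-p 00000000 00:00 0       [heap]
7f3a1c000000-7f3a1c022000 r--p 00000000 fd:01 2621441 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c022000-7f3a1c1b4000 r-xp 00022000 fd:01 2621441 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c40d000 r--p 00000000 fd:01 2621500 /usr/lib/x86_64-linux-gnu/libsystemd.so.0
7f3a1c500000-7f3a1c52a000 r-xp 00000000 fd:01 2621533 /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f3a1c700000-7f3a1c702000 r--p 00000000 fd:01 2621600 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd4e1f0000-7ffd4e211000 rw-p 00000000 00:00 0       [stack]
7ffd4e2c6000-7ffd4e2c8000 r-xp 00000000 00:00 0       [vdso]
"""

if __name__ == "__main__":
    for lib in mapped_shared_objects(SAMPLE_MAPS):
        print(lib)
    print("liblzma mapped via:", find_library(SAMPLE_MAPS, "liblzma"))
```

Run against a live system, `scan_pid(pid)` answers the same question for a real process; in the constructed sample the daemon never links liblzma directly, yet the library is present because another dependency pulled it in, which is exactly why inspecting the linker's final result rather than the binary's own declared dependencies matters.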

ron_1
Moon Magic practitioner
Posts: 2870
Joined: 2012-06-28, 01:20

Re: Consider pausing use of XZ, LZMA and 7z until the fallout settles

Unread post by ron_1 » 2024-04-23, 23:51

I'm certainly no expert, but I've been told on another forum that this attack (generally speaking, I think) could have happened without it being linked to systemd. To which I replied, that may be so, but this particular attack wasn't; it was tied to systemd. Since most distros (why?) have switched to the systemd init system, I believe we can expect more attempts at malware via systemd weaknesses.

So in the end I believe my decision to avoid systemd was prudent. That's just my non-expert .02¢ worth.

Moonchild
Pale Moon guru
Posts: 35771
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Consider pausing use of XZ, LZMA and 7z until the fallout settles

Unread post by Moonchild » 2024-04-24, 00:30

Off-topic:
ron_1 wrote (2024-04-23, 23:51):
    That's just my non-expert .02¢ worth.

You do realize that that's not 2 cents, right? ;-)

RealityRipple
Astronaut
Posts: 676
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Re: Consider pausing use of XZ, LZMA and 7z until the fallout settles

Unread post by RealityRipple » 2024-04-24, 00:42

Off-topic:
oh god, the Verizon nightmare begins again...

Moonchild
Pale Moon guru
Posts: 35771
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Consider pausing use of XZ, LZMA and 7z until the fallout settles

Unread post by Moonchild » 2024-04-24, 11:25

It's already been assessed. There is no uncertainty about the situation - it's been clearly analysed and there has not been more fallout than a word of caution about Open Source development and auditing of code changes.

ron_1
Moon Magic practitioner
Posts: 2870
Joined: 2012-06-28, 01:20

Re: Consider pausing use of XZ, LZMA and 7z until the fallout settles

Unread post by ron_1 » 2024-04-24, 13:28

Off-topic:
Moonchild wrote (2024-04-24, 00:30):
    You do realize that that's not 2 cents, right? ;-)

Okay, 2¢. :)
