Comment Re:Catastrophe potentially averted (Score 1) 83

Exactly. There is already a very informative retrospective of the xz vulnerability and other projects that the backdoor author had access to.

Spoiler: "As of 9:00 PM UTC, GitHub has suspended JiaT75’s account. Thanks? They also banned the repository, meaning people can no longer audit the changes made to it without resorting to mirrors. Immensely helpful, GitHub. They also suspended Lasse Collin’s account, which is completely disgraceful."

:facepalm:

Submission + - xz/liblzma Backdoored, Facilitating ssh Compromise

ewhac writes: A backdoor has been discovered in the liblzma data compression library, whose purpose is to facilitate a compromise of ssh. liblzma versions 5.6.0 and 5.6.1 are known to be affected. Debian's "unstable" and "testing" repos yesterday rolled back the library by pushing version "5.6.1+really5.4.5-1" to mitigate the exposure. Red Hat is also recommending all users roll back to a pre-5.6.0 release.

The backdoor is not in the source code, but rather is in the test suite contained in the distribution tarballs. Hostile payloads masquerading as test data are decompressed during the ./configure phase to modify the Makefile and drop modified versions of liblzma_la-crc32_fast.o and liblzma_la-crc64_fast.o. When the compromised library is loaded by client programs (such as ssh), these in turn install an audit hook in the dynamic linker, allowing them to intercept lookups/calls to RSA_public_decrypt@....plt, which it then replaces with its own code. This compromise appears to have only been discovered in the last few days; study of the precise nature and scope of the compromise is ongoing.
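As an added example (not part of ewhac's submission, and not code from the xz project or any distribution), the following Python checker tells whether an installed xz/liblzma version is one of the releases named above as backdoored. It handles the Debian package-version conventions that make a naive string comparison wrong: the epoch prefix, the packaging revision suffix, and the "+really" trick used by the rollback build "5.6.1+really5.4.5-1", which keeps a version number that sorts above 5.6.1 while shipping 5.4.5. The `xz --version` output and the package version strings below are constructed sample inputs, not captured from a real host.

```python
import re
from typing import Dict, Optional, Tuple

# Upstream xz/liblzma releases named as carrying the backdoor (from the post).
AFFECTED_UPSTREAM = {(5, 6, 0), (5, 6, 1)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def upstream_version(pkg_version: str) -> str:
    """Reduce a Debian-style package version to the upstream version it ships.

    Handles the epoch prefix ("1:5.6.1-1"), the Debian revision suffix
    ("5.6.0-0.2") and the "+really" convention: the text after "+really" is
    the version actually packaged, so "5.6.1+really5.4.5-1" sorts above
    5.6.1 for apt (the rollback installs as an upgrade) but contains 5.4.5.
    """
    v = pkg_version.split(":", 1)[-1]           # drop epoch
    v = v.rsplit("-", 1)[0] if "-" in v else v  # drop Debian revision
    if "+really" in v:
        v = v.split("+really", 1)[1]            # real upstream version follows
    return v


def parse_version(v: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) for the leading numeric part of v, or None."""
    m = _VERSION_RE.match(v)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(pkg_version: str) -> bool:
    """True if the package version resolves to a backdoored upstream release."""
    parsed = parse_version(upstream_version(pkg_version))
    return parsed in AFFECTED_UPSTREAM


def parse_xz_version_output(text: str) -> Dict[str, str]:
    """Extract tool and library versions from `xz --version` output.

    Expected shape (two lines): "xz (XZ Utils) X.Y.Z" and "liblzma X.Y.Z".
    Both are reported separately because the payload lives in liblzma, which
    other programs (such as ssh via its dependencies) load regardless of
    which xz binary is installed.
    """
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(xz|liblzma)\b.*?(\d+\.\d+\.\d+)", line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found


def assess(xz_version_output: str) -> Dict[str, bool]:
    """Map each component reported by `xz --version` to whether it is affected."""
    return {
        name: is_affected(ver)
        for name, ver in parse_xz_version_output(xz_version_output).items()
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_XZ_OUTPUT = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_PACKAGE_VERSIONS = [
    "5.6.1+really5.4.5-1",  # Debian rollback: ships 5.4.5, not affected
    "5.6.0-0.2",            # Debian packaging of the backdoored 5.6.0
    "1:5.6.1-1",            # epoch-prefixed, still 5.6.1
    "5.4.5",                # plain upstream version, pre-backdoor
]

if __name__ == "__main__":
    for pv in SAMPLE_PACKAGE_VERSIONS:
        print(f"{pv:24} -> upstream {upstream_version(pv):8} affected={is_affected(pv)}")
    print(assess(SAMPLE_XZ_OUTPUT))
```

Run it with `python3 xzcheck.py` to see the sample verdicts, or feed it the real output of `xz --version` (or `dpkg-query -W -f '${Version}' liblzma5`) through `assess()` / `is_affected()`. Note that a clean version number only tells you which release a package claims to be; the post itself points out that the malicious payload arrived via the release tarballs' test data, so a rebuilt package from a trusted source, not just a passing version check, is what actually closes the exposure.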

Submission + - Malicious code discovered in popular xz utils (arstechnica.com)

Cognitive Dissident writes: Code designed to compromise SSH connections has been discovered in a widely used compression utility.

The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no confirmed reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions—specifically, in Fedora 40 and Fedora Rawhide and Debian testing, unstable and experimental distributions. Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it's not really affecting anyone in the real world,” Will Dormann, a senior vulnerability analyst at security firm ANALYGENCE, said in an online interview. “BUT that's only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”

The really worrying part here is that the developer clearly did it on purpose, and he has been on this project for a solid two years. This raises all sorts of questions about the security of Linux in general. How many other 'deep cover' operatives might be planning or actually in the process of inserting malicious code into the GNU/Linux code base?

Submission + - Red Hat issues urgent alert for Fedora Linux users due to malicious code (betanews.com)

BrianFagioli writes: In a recent security announcement, Red Hat’s Information Risk and Security and Product Security teams have identified a critical vulnerability in the latest versions of the “xz” compression tools and libraries. The affected versions, 5.6.0 and 5.6.1, contain malicious code that could potentially allow unauthorized access to systems. Fedora Linux 40 users and those using Fedora Rawhide, the development distribution for future Fedora builds, are at risk.

Submission + - Questions over liblzma/xz security and SSH implications (openwall.com)

An anonymous reader writes: Still early in the analysis process — unexplained code has been identified in recent versions of xz by developer Andres Freund, and reported on the Openwall oss-security list:

This injects an obfuscated script to be executed at the end of configure.

It appears to target SSH. Further detail and recommendations in the article.

Submission + - HDMI 2.1 on AMD open source stack? HDMI Forum says No. (phoronix.com)

serafean writes: For three years there has been a bug report around 4K@120Hz being unavailable via HDMI 2.1 on the AMD Linux driver. Similarly, there have been bug reports like 5K @ 240Hz not possible either with the AMD graphics driver on Linux.

As covered back in 2021, the HDMI Forum closing public specification access is hurting open-source support. AMD as well as the X.Org Foundation have been engaged with the HDMI Forum to try to come up with a solution to be able to provide open-source implementations of the now-private HDMI specs.

AMD Linux engineers have spent months working with their legal team and evaluating all HDMI features to determine if/how they can be exposed in their open-source driver. AMD had code working internally and then the past few months were waiting on approval from the HDMI Forum... Sadly, the HDMI Forum has turned down AMD's request for open-source driver support.
https://gitlab.freedesktop.org...

Comment Re:The show wasn't that great (Score 2) 66

Still, I was pretty happy when I saw the cartoon characters making a cameo in Dungeons & Dragons: Honor Among Thieves. I thought it was a nice little gift to us long-time fans, and they didn't have to do that.

Speaking of gifts for fans, maybe you'd like to know that fans have animated and voice acted the original script from the unproduced last episode.

Comment Re:Red herring? (Score 1) 16

Apeople eventually elect someone like Pinochet

Pinochet wasn't elected, he spearheaded a military coup d'état. In the 1988 plebiscite, the first time Chilean people could possibly vote for Pinochet, he was rejected by 56% of the voters.

Comment Re:Wasn't that the whole point of Java? (Score 5, Interesting) 118

Sure. But Java's solution (also used in C#, Go, Python, JavaScript and many other modern programming languages), namely Garbage Collection (GC), introduces a non-negligible overhead.

For things like scripting languages, frontend applications, GC is an excellent trade-off because the added security trumps the performance loss. But for use cases that require raw performance, GC doesn't cut it, so C and C++ are still widely used to build operating systems, device drivers, and web browsers (which must run web applications with acceptable performance).

Rust is, I think, the first programming language that started to change this status quo, because even with its memory safeguards (which are not like Garbage Collection at all), Rust can compete with C and C++ on performance.

Comment Re:Sigh. (Score 3, Informative) 153

I think this has always been true. Look at video games. The game engine (where the "serious" performance intensive work happens) is in C/C++, all of the game logic is in a scripting language.

That has definitely NOT been always true. In the past, video games were written completely in assembly for speed and compactness.

You're right, it wasn't always true, but it became true pretty quickly for some genres. The main example is perhaps adventure games: they didn't really need the same speed and responsiveness that action games needed, therefore adventure game programmers quickly learned to detach the game engine from the game logic.

And so Infocom developed Z-machine (a virtual machine for its text adventure games like Zork) in 1979, which was followed by Sierra's AGI in 1984 and by LucasArts's SCUMM in 1987, among many others.

Comment Re:You know your economy is dysfunctional when (Score 1) 156

CyberTuner is $1,400.

$1,400 for a tuning app? That's an expensive FFT.

I thought the same, until I saw it is a PIANO tuning app.

Pianos are notoriously the most fucked-up and complex musical instrument to tune. Piano tuner (as in a piano technician) is an actual profession.

Software that allows a piano owner to do it himself (considering the app does its job well) would be received as having good value, because the alternative is to pay an actual piano tuning professional every now and then.
