tech-pkg archive


Re: Switching away from XZ



On Mon, Apr 01, 2024 at 09:00:12PM +0200, Jonathan Schleifer wrote:
> We all know about the XZ backdoor by now. But there is another interesting
> thing that I think we should discuss:
> 
> * There was an attempt to sabotage the Landlock sandbox on Linux.
> * Capsicum support was outright removed from autotools-based builds.
> 
> It seems that the same entity who put the backdoor in XZ has a very high
> interest in making sure that the XZ utility runs without a sandbox.
> 
> I know this is all speculation, but to me, this is a very strong indicator
> that the same entity is sitting on a 0day against XZ that they would like to
> use, so they want to get rid of the sandbox before doing so.

Whoever it was wanted it out of the sandbox(es) so that whatever nefarious
commands they wanted to invoke remotely wouldn't get restricted as easily.

There's been no indication that everyone at xz upstream is malicious,
just the few personas of the attacker.  I think we could all succumb to
social engineering attacks such as what let this happen.  It's very premature
to jump ship from xz at this point.

	Jonathan Kollasch

