transcript

Screenshot of github showing part of the commit message of this commit with this text:

Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094).

While the backdoor was inactive (and thus harmless) without inserting
a small trigger code into the build system when the source package was
created, it's good to remove this anyway:

  - The executable payloads were embedded as binary blobs in
    the test files. This was a blatant violation of the
    Debian Free Software Guidelines.

  - On machines that see lots bots poking at the SSH port, the backdoor
    noticeably increased CPU load, resulting in degraded user experience
    and thus overwhelmingly negative user feedback.

  - The maintainer who added the backdoor has disappeared.

  - Backdoors are bad for security.

This reverts the following without making any other changes:

The sentence “This was a blatant violation of the Debian Free Software Guidelines” is highlighted.

Below the github screenshot is a frame of the 1998 film The Big Lebowski with the meme caption “What, are you a fucking park ranger now?” from the scene where that line was spoken.

  • Jomosoto@discuss.tchncs.de
    7·
    3 months ago

    Best part to me is “The maintainer who added the backdoor has disappeared.” implying it was removes because there’s nobody left to maintain it

    • flashgnash@lemm.ee
      1·
      3 months ago

      You’ve gotta wonder what else you’d write though

      Especially given the urgency guy’s probably not gonna sit there and ponder

  • RedWeasel@lemmy.worldEnglish
    1·
    3 months ago

    Seriously. If you are going to do it, write in assembly or something else no one understands.

    • Ineocla@lemmy.ml
      2·
      3 months ago

      Tbh jia tan really wasn’t lucky some mf at Microsoft noticed a 500ms delay in ssh. The backdoor was so incredibely clever and Well hidden and ingenious i almost feel bad for him lmao

      • conditional_soup@lemm.ee
        2·
        3 months ago

        A really good point I heard is: this was likely a state actor attack, so how many others just like this are out there, undiscovered?

        • B0rax@feddit.de
          0·
          3 months ago

          Unpopular opinion: what if it was not a state actor and just some bored person somewhere that thought it would be cool to own a bot net?

          What if this is just one of many backdoors and it’s just the only one we found?

          • thisisbutaname@discuss.tchncs.de
            2·
            3 months ago

            I heard that person actively contributed for something like 2 years, providing actually useful contributions, to gain the level of trust needed to plant that backdoor. Feels a bit too much to chalk it up to boredom.

            As for the second part, that’s an interesting question. Are there lots of backdoors and we just happened to notice this one, or are backdoors very rare exactly because we’d have found them out soon like in this case?

            • trolololol@lemmy.world
              11·
              3 months ago

              Another speculation from the suse team was a private company with intent to sell the exploit to state across actors

              I think there’s lots of known backdoors that are not publicly disclosed and privately sold.

              But given the history of cves in inclined to believe most come from well intentioned developers. When you read the blogs from the Google security team for example, it’s interesting to see how you need to chain a couple exploits at least, to get a proper attack going. Not in this case, it would make it very straightforward to accomplish very intrusive actions.

            • B0rax@feddit.de
              1·
              3 months ago

              You forget that a lot of brilliant open source projects are one man shows from geniuses somewhere around the world. They are usually not paid.

              In the other hand, if you get your hands on a powerful botnet, you can rent out its services (like ddos for example) for quite a bit of money.

    • Galli [comrade/them]@hexbear.netEnglish
      4·
      3 months ago

      I can excuse attempting to compromise millions of computer systems worldwide for nefarious purposes but I draw the line at violating the contributor guidelines of an opensource project.

    • lefixxx@lemmy.world
      3·
      3 months ago

      Its like saying bank robbery is against bank’s gun carrying policy.

      Sure its true, but thats not really the problem being addressed. The massive, notorious security vulnerability is.

    • deltapi@lemmy.world
      0·
      3 months ago

      Yep, probably because it’s not funny or clever. My guess is that you look for funny and/or clever in your jokes.

        • computergeek125@lemmy.worldEnglish
          0·
          3 months ago

          I’m still lost… I’ve been following the XZ thing since it broke, so I get the context, but I’m not sure how the meme at the bottom is connected?

          • Boomkop3@reddthat.com
            1·
            3 months ago

            On the photo you see a violation of rules listed as one of the reasons this commit is made. Because it’s at the top the meme creator is presuming that’s their main priority.

            And they disagree with that, so they’re calling them a “park ranger”. I’m guessing they’re alluding to an old but common media presentation of park rangers being childish about rules.

            I get the joke with that it looks a bit odd to put that reason at the top of the list, but their response I find more unkind than funny

            • loutr@sh.itjust.works
              1·
              3 months ago

              It’s a scene from The Big Lebowski, right after The Dude got tortured with a marmot by German nihilists. Walter focuses on the legality of keeping a marmot as a pet, which is obviously not the main issue.