Re: [Hampshire] Security compromise in liblzma/OpenSSH daemon

2024-04-01 Thread James Dutton via Hampshire
On Sat, 30 Mar 2024 at 08:43, Nick Chalk via Hampshire
 wrote:
>
> In case anyone hasn't seen this...
>
> A security compromise has been discovered in
> liblzma, part of the XZ compression utilities.
> This can affect OpenSSH's sshd, due to integration
> with systemd.
>

I guess this is a reminder that every developer of every application
or lib that one installs from a Linux distro effectively has root
access to your system.
Maybe someone needs to write a tool that scans all .deb and .rpm
install bash scripts, and highlights any non-trivial ones.
It was the xz-utils install script that caused all the problems in this case.
For example, any .deb that installs any lib should only need a very
basic install script.
The install script for xz-utils should have been simple also, it
should only be dumping some files on your filesystem and that is it.
No other activity it needs to do.
Some install scripts are more complex, e.g. postgresql, that needs to
add a postgresql user etc. and maybe auto update the database schema.

Kind Regards

James

-- 
Please post to: Hampshire@mailman.lug.org.uk
Manage subscription: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG website: http://www.hantslug.org.uk
--
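A starting point for the maintainer-script scanner James suggests, added here as an example and not code from the thread: it lists the commands a Debian maintainer script actually runs (ignoring shell structure and boilerplate) and flags anything beyond what a plain library package needs. `dpkg-deb -e` is the real dpkg option that extracts the control area of a .deb; the `SUSPECT` word list and the two sample scripts are constructed assumptions, and the verdict is a triage aid, not a judgement that a script is malicious.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Shell structure and boilerplate that nearly every maintainer script carries.
SKIP = re.compile(r"^(#.*|set\s+-\w+|exit(\s+\d+)?|then|else|do|done|fi|esac|;;|"
                  r"[^()]*\)|(if|elif|case|while|for)\s.*)$")
BENIGN = {"ldconfig", "true"}  # what a plain library package legitimately runs
# Actions that deserve a second look in any package (assumed starting list).
SUSPECT = re.compile(r"\b(curl|wget|eval|base64|adduser|useradd|systemctl)\b")
MAINT_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

def assess(script: str) -> dict:
    """List the commands a maintainer script actually runs and give a verdict."""
    commands = [ln.strip() for ln in script.splitlines()
                if ln.strip() and not SKIP.match(ln.strip())]
    suspect = sorted({m.group(1) for c in commands for m in SUSPECT.finditer(c)})
    substantive = [c for c in commands if c.split()[0] not in BENIGN]
    verdict = "trivial" if not substantive and not suspect else "review"
    return {"commands": commands, "suspect": suspect, "verdict": verdict}

def scan_deb(deb: str) -> dict:
    """Extract the control area of a .deb with dpkg-deb and assess each script."""
    with tempfile.TemporaryDirectory() as tmp:
        subprocess.run(["dpkg-deb", "-e", deb, tmp], check=True)
        return {n: assess(Path(tmp, n).read_text())
                for n in MAINT_SCRIPTS if Path(tmp, n).exists()}

# Constructed samples: a library-style postinst and a service-style one.
LIB_POSTINST = """#!/bin/sh
set -e
if [ "$1" = "configure" ]; then
    ldconfig
fi
"""
SERVICE_POSTINST = """#!/bin/sh
set -e
case "$1" in
    configure)
        adduser --system --group --home /var/lib/demo demo
        /usr/lib/demo/upgrade-schema --quiet
        ;;
esac
"""

if __name__ == "__main__":
    for name, text in (("lib", LIB_POSTINST), ("service", SERVICE_POSTINST)):
        print(name, assess(text))
```

Run `scan_deb("/path/to/package.deb")` on a real package to get one verdict per maintainer script; anything marked "review" is worth reading by hand.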


Re: [Hampshire] Security compromise in liblzma/OpenSSH daemon

2024-04-01 Thread Brad Rogers via Hampshire
On Mon, 1 Apr 2024 14:21:02 +0100
James Dutton via Hampshire  wrote:

Hello James,

>Maybe someone needs to write a tool that scans all .deb and .rpm
>install bash scripts, and highlights any non-trivial ones.

There's discussion of the issue on the Debian Developers ML.  I read it,
but don't post;

a) not a developer (although it's not required to be one to post there)
b) much of the discussion is too technical for me to fully comprehend or
   make useful contributions.

>The install script for xz-utils should have been simple also, it
>should only be dumping some files on your filesystem and that is it.
>No other activity it needs to do.

From what I've read, it's precisely this that triggered the
investigation; a person installing xz-utils noticed a pause during the
process and investigated why.  I'd have not noticed, I'm sure.

-- 
 Regards  _   "Valid sig separator is {dash}{dash}{space}"
 / )  "The blindingly obvious is never immediately apparent"
/ _)rad   "Is it only me that has a working delete key?"
It's becoming an obsession
Teenage Depression - Eddie & The Hot Rods

