<mrkiko>
Is OpenWrt affected by the reported xz security issues?
<mrkiko>
huf - unfortunately seems so, didn't read the backlog
rua has quit [Quit: Leaving.]
<ynezz>
mrkiko: why do you think, that OpenWrt was affected? Did you read such statement?
<ynezz>
I've reverted the 5.6.1 bumps and moved the binaries/source tarballs to .backdoored suffixes on sources.openwrt.org and downloads.openwrt.org, just to be safe rather than sorry
<ynezz>
to our knowledge there was no active backport being distributed with any OpenWrt provided binary
<ynezz>
or source code tarball
<ynezz>
in retrospect it was probably a good approach, because it was found out later that those source code tarballs with xz 5.6.1 contain an inactive backdoor payload (so harmless, but still part of a weapon), as the backdoor was cleverly split into two parts to make the detection harder
<mrkiko>
ynezz: thanks. Sorry, I only meant to say that the openwrt project was affected, not its binaries
<ynezz>
moreover Alpine folks looked into the backdoor and made an official statement that the exploit itself is not musl compatible, so it is targeting glibc installations
<mrkiko>
ynezz: I was reading the arch-announce this morning - if I understand it correctly it seems at least this wasn't usable over ssh but maybe over other methods. Updating and rebooting all the machines I am using just in case
<mrkiko>
ynezz: is there somewhere where the thing is detailed?
<mrkiko>
Regarding commit f9f2426e398cf74d1098ae40317bfba677ac7560 - I don't think it's a good idea to keep journal enabled by default, openwrt runs - in many cases, on flash
<mrkiko>
I think this might be an optional thing (turned off by default in my opinion, but regardless...)
<mrkiko>
Furthermore, is it a good idea to enable this on hw which sometimes doesn't support trim ?
<mrkiko>
luckily I was wrong and it looks like it's already configurable, only the default is questionable to me but ok... better
asriel has quit [Quit: Don't drink the water. They put something in it to make you forget.]
<f00b4r0>
now if one wants to do forensics on what was there; they can't.
<f00b4r0>
and all linked references to backdoor commits are useless.
robimarko has joined #openwrt-devel
<robimarko>
\x: You around?
<\x>
robimarko: yeah
<\x>
btw theres this 64MB being lost on qcax 6.6
<robimarko>
\x: You tested dynamic SWIOTLB assignment
<\x>
need SWIOTLB_DYNAMIC + cmdline
<\x>
yeah i just put like 256 on it
<\x>
boots fine
<\x>
but this needs something put on cmdline
<robimarko>
What needs to be done via cmdline?
<\x>
pm
<f00b4r0>
ynezz: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 tl;dr: considering that anything from after Jia Tan's involvement should be considered suspicious, they suggest reverting to even older and/or switching out of xz entirely (which AIUI we cannot do due to needing lzma)
<\x>
basically you just need to put something there once kernel is SWIOTLB_DYNAMIC=y
<slh>
f00b4r0: the real payload wasn't on github to begin with, 'just' the downloader
<f00b4r0>
slh: the instrumentation for the hack was in GH
<slh>
yes, the downloader
<slh>
the really nasty parts -which may do quite literally anything- weren't
<ynezz>
oliv3r: nice
<ynezz>
f00b4r0: yep, makes sense
<f00b4r0>
slh: your point being?
<slh>
for github, it's a game of damned if you do, damned if you don't. but we don't really know yet what the actual payload was doing (and that might have even changed over time, based on geoip stuff or other qualifiers), the potentially really nasty stuff
<f00b4r0>
i still don't follow.
<f00b4r0>
my point is that removing access to the repo history makes forensics impossible. That's bad (and a lot of people are now complaining about the same thing)
Mangix has quit [Read error: Connection reset by peer]
<f00b4r0>
seems the gift hasn't stopped on giving yet either. Debian disabled archive processing until further notice.
<hauke>
f00b4r0: probably github did a snapshot of all activities of this account and everything related and handed it over to the authorities
<hauke>
probably one of the US 3 letter agencies is investigating now
<f00b4r0>
hauke: sure. Doesn't change anything to the fact that if it were the only source repo, the layman is left in the dark. Where "layman" can include distro people
<f00b4r0>
ynezz: cute indeed
<f00b4r0>
clearly this was a long con. That much is clear now.
skynet2 has joined #openwrt-devel
<mrkiko>
slh: what do you mean by "the downloader" ? Didn't the repo contain only the xz/lzma files holding the payload?
<mrkiko>
From another perspective - is it really something that can be prosecuted? I have zero legal knowledge so my question is completely naive and genuine...
<f00b4r0>
mrkiko: it's not really the most pressing matter though.
<mrkiko>
f00b4r0: don't know, but interesting still. And in any case it may be pressing... :)
<f00b4r0>
not really. Odds are whoever did this is a state actor whose identity may or may not be found and who can probably not be extradited to wherever a trial would take place. Prosecution will not fix the current state of affairs either.
<mrkiko>
f00b4r0: sure but this doesn't matter on the "pressing" part in reality.
<mrkiko>
f00b4r0: because the "pressing" thing has to do with licensing and other stuff which may be important even for other software
<f00b4r0>
i don't follow.
<mrkiko>
f00b4r0: the liability problem is important and interesting, and a fair amount of talking about it happened lately here in the EU. It's important because it can have a wider impact... of course it won't change the state of affairs in the technical matter
<mrkiko>
f00b4r0: and so my original question - given licensing etc..., wondering if prosecution would be even possible
<f00b4r0>
I still don't understand the question.
<f00b4r0>
what has licensing to do with this
<mrkiko>
f00b4r0: well, in general software licenses contain text stating there is no warranty etc ...
<f00b4r0>
I suppose you're talking about the CRA which is another EU-spawned nightmare, but in the present case the implied onus would be on the commercial entities distributing the affected software and not disclosing the hack, AIUI.
<mrkiko>
f00b4r0: ok, thanks
<f00b4r0>
IANAL, of course.
<mrkiko>
f00b4r0: AIUI = ?
<f00b4r0>
As I Understand It
<mrkiko>
f00b4r0: :) ok
vincejv has quit [Remote host closed the connection]
<f00b4r0>
there's more going on apparently (following the oss-security thread). Seems to be a major clusterfuck. Lasse apparently said he can make a "clean" 5.6.2, I don't see that realistically going anywhere.
vincejv has joined #openwrt-devel
Borromini has quit [Ping timeout: 480 seconds]
<mrkiko>
f00b4r0: I PM'ed you in case, sorry for not asking first
<f00b4r0>
apparently libarchive may be impacted as well
<gch981213>
f00b4r0: In this case one probably isn't able to make up a plausible commit message for the autotools change.
<f00b4r0>
gch981213: sure. But look at how much bad stuff got blindly accepted
<f00b4r0>
the autotools change was the trigger. All the plumbing was already in "plain sight" (so to speak) in git history
<gch981213>
f00b4r0: It's still harder. Probably not infinitely harder though :D
<f00b4r0>
heh. Note I mostly agree with what was said, I just don't think we should be lulled into a false sense of security just because we pull from source repos.
<stintel>
time to update a bunch of machines but I had some compile problems
<stintel>
hmmm looks like it crashes the machine
<Znevna>
remember that channel that had 27 ppl last night
<Znevna>
it has 350 now
<Znevna>
rofl
Borromini has joined #openwrt-devel
<mrkiko>
354 now
<mrkiko>
but I guess interesting discussions are over now
<mrkiko>
But probably I am too naive to understand why a lot of people are spamming in that channel. I joined expecting technical talks but had to exit soon.