Hacker News new | ask | show | jobs
by kevin_b_er 811 days ago
They appear to have moved carefully to set this up over the course of weeks by setting up the framework to perform this attack.

I would now presume this person to be a hostile actor and their contributions anywhere and everywhere must be audited. I would not wait for them to cry 'but my bother did it', because an actual malicious actor would say the same thing. The 'mob' should be pouring over everything they've touched.

Audit now and audit aggressively.
1 comments
b112 811 days ago
My above post shows the primary domain for xz moving from tukaani.org to xz.tukaani.org. While it's hosted on github:

$ host xz.tukaani.org

host xz.tukaani.org is an alias for tukaani-project.github.io.

And originally it was not:

$ host tukaani.org

tukaani.org has address 5.44.245.25 (seemingly in Finland)

It was moved there in Jan of this year, as per the commit listed in my prior post. By this same person/account. This means that instead of Lasse Collin's more restrictive webpage, an account directly under the control of the untrusted account, is now able to edit the webpage without anyone else's involvement.

For example, to make subtle changes in where to report security issues to, and so on.

So far I don't see anything nefarious, but at the same time, isn't this the domain/page hosting bad tarballs too?

link
pja 811 days ago
This account changed the instructions for reporting security issues in the xz github as their very last commit:

    commit af071ef7702debef4f1d324616a0137a5001c14c (HEAD -> master, origin/master, origin/HEAD)
    Author: Jia Tan <jiat0218@gmail.com>
    Date:   Tue Mar 26 01:50:02 2024 +0800

        Docs: Simplify SECURITY.md.

    diff --git a/.github/SECURITY.md b/.github/SECURITY.md
    index e9b3458a..9ddfe8e9 100644
    --- a/.github/SECURITY.md
    +++ b/.github/SECURITY.md
    @@ -16,13 +16,7 @@ the chance that the exploit will be used before a patch is released.
     You may submit a report by emailing us at
     [xz@tukaani.org](mailto:xz@tukaani.org), or through
     [Security Advisories](https://github.com/tukaani-project/xz/security/advisories/new).
    -While both options are available, we prefer email. In any case, please
    -provide a clear description of the vulnerability including:
    -
    -- Affected versions of XZ Utils
    -- Estimated severity (low, moderate, high, critical)
    -- Steps to recreate the vulnerability
    -- All relevant files (core dumps, build logs, input files, etc.)
    +While both options are available, we prefer email.

     This project is maintained by a team of volunteers on a reasonable-effort
     basis. As such, please give us 90 days to work on a fix before
Seems innocuous, but maybe they were planning further changes.
link
bombcar 811 days ago
> Seems innocuous, but maybe they were planning further changes.

Seems like an attempt to get 90 days of "use" of this vulnerability after discovery. If they only had checked performance before!

link
hackernudes 811 days ago
No, they just removed the bullet points about what to include in a report. The 90 days part was in both versions.
link
meragrin_ 811 days ago
Yes. An incomplete report allows for dragging out "fixing" the issue longer.
link
bombcar 811 days ago
True, but the "talk only to me" part was new, I think.
link
hughesjj 808 days ago
They didn't add any content, it was a pure removal commit
link
mxmlnkn 811 days ago
The website change reminds me a bit of lbzip2.org https://github.com/kjn/lbzip2/issues/26#issuecomment-1582645... Although, at the moment, it only seems to be spam. The last commit was 6 years ago, so I guess that's better than a maintainer change...
link
buildbot 811 days ago
> tukaani.org has address 5.44.245.25 (seemingly in Finland)

Hetzner?

link
yencabulator 811 days ago
For what it's worth, tukaani is how you spell toucan (the bird) in Finnish, and Lasse is a common Finnish name; the site being previously hosted in Finland is very plausible.
link
Stagnant 811 days ago
Yeah according to their website[0] it looks like majority of the past contributors were Finnish so nothing odd about the hosting provider. On the same page it says that Jia Tan became co-maintainer of xz in 2022.

0: https://tukaani.org/about.html

link
TimWolla 811 days ago
No:

    route:          5.44.240.0/21
    descr:          Zoner Oy
    origin:         AS201692
    mnt-by:         MNT-ZONER
    created:        2014-09-03T08:09:00Z
    last-modified:  2014-09-03T08:09:00Z
    source:         RIPE
link
whizzter 811 days ago
It's Finnish, Oy is short for "Osake Yhtiö" (share-association, basically a LLC), seems to be registered/hosted at https://www.zoner.fi/
link
jaakl 810 days ago
So probably Suojelupoliisi, Finnish Security and Intelligence Service is behind all this
link
ancientMariner 810 days ago
Zoner is a Finnish web hosting company, which has a history of providing hosting for Finnish open source projects, and the original maintainer (and most of the original crew) is Finnish as well. Nothing weird here.
link
buildbot 811 days ago
Interesting, seems to be a tiny finnish hosting company: https://www.zoner.fi/english/
link