thesamesam

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

dvas0004

import jsbeautifier
import requests
import pprint

enumerateMessagesSearchString = 'exportSymbol("proto.'

r = requests.get('http://localhost:8081/dist/main.js')
jsInput = r.text

pretty_js = jsbeautifier.beautify(jsInput).split('\n')

cunneen

Introduction

This works to install Open GApps into the Android Emulator, working around the issue where the system partition is too small.

With it, I can get Google Play installing into the emulator. Tested on KitKat (API 19), Lollipop (API 21) and Oreo (API 27).

It's tested on MacOS.

Instructions

marianoviola

import svelte from 'rollup-plugin-svelte';
import resolve from 'rollup-plugin-node-resolve';
import commonjs from 'rollup-plugin-commonjs';
import buble from 'rollup-plugin-buble';
import uglify from 'rollup-plugin-uglify';
import postcss from 'postcss';
import postcssImport from 'postcss-import';
import postcssCssnext from 'postcss-cssnext';

const production = !process.env.ROLLUP_WATCH;

soulmachine

First of all, please note that token expiration and revoking are two different things.

1. Expiration only happens for web apps, not for native mobile apps, because native apps never expire.
2. Revoking only happens when (1) uses click the logout button on the website or native Apps;(2) users reset their passwords; (3) users revoke their tokens explicitly in the administration panel.

1. How to hadle JWT expiration

A JWT token that never expires is dangerous if the token is stolen then someone can always access the user's data.

Quoted from JWT RFC:

PofMagicfingers

#!/bin/sh

command -v apktool >/dev/null 2>&1 || { echo >&2 "I require apktool but it's not installed. Aborting."; exit 1; }
command -v keytool >/dev/null 2>&1 || { echo >&2 "I require keytool but it's not installed. Aborting."; exit 1; }
command -v jarsigner >/dev/null 2>&1 || { echo >&2 "I require jarsigner but it's not installed. Aborting."; exit 1; }

TMPDIR=`mktemp -d 2>/dev/null || mktemp -d -t 'apkdebug'`
APK=$1     
DEBUG_APK="${APK%.*}.debug.apk"
if [ -f $APK ]; then

tuxfight3r

#Install the relevant packages
dnf install -y ostree rpm-ostree git python rpm-ostree-toolbox libgsystem;

#checkout the build scripts
git clone https://github.com/CentOS/sig-atomic-buildscripts;
cd sig-atomic-buildscripts
git checkout downstream

# create and initialize repo directory
mkdir -p /srv/rpm-ostree/repo

mjalajel

# Example ssh config file. Usually located in ~/.ssh/config (user) or /etc/ssh/ssh_config (system)
# This works on both linux and MacOS

# Basic ssh commands converted to ssh/config file format



# Simplest format
# Run with: "ssh blog" => (equivalent to: "ssh ubuntu@example.com" and  "ssh -i ~/.ssh/id_rsa -p 22 ubuntu@example.com")
Host blog

alexpchin

// sending to sender-client only
socket.emit('message', "this is a test");

// sending to all clients, include sender
io.emit('message', "this is a test");

// sending to all clients except sender
socket.broadcast.emit('message', "this is a test");

// sending to all clients in 'game' room(channel) except sender

LeCoupa

#!/bin/bash
#####################################################
# Name: Bash CheatSheet for Mac OSX
# 
# A little overlook of the Bash basics
#
# Usage:
#
# Author: J. Le Coupanec
# Date: 2014/11/04