nemobis

## xz-backdoor.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                nemobis
                / xz-backdoor.md
            
            
              Created
              April 1, 2024 10:16
                — forked from thesamesam/xz-backdoor.md
            
              
                xz-utils backdoor situation
              
          
    FAQ on the xz-utils backdoor

This is still a new situation. There is a lot we don't know. We don't
know if there are more possible exploit paths. We only know about this
one path. Please update your systems regardless. Unknown unknowns are
safer than known unknowns.
This is a living document. Everything in this document is made in good
faith of being accurate, but like I just said; we don't know much
about what's going on.

  
## connect.funet.fi-example.html
<html xmlns:xxt="http://www.jclark.com/xt/java/com.macromedia.airspeed.servlet.ui.XSLTExtensions">
<head>
<title>THA_250117</title>
<script type="text/javascript" src="/common/scripts/s_code.js?ver=9.5.3"></script><script type="text/javascript" src="/common/scripts/OmnitureTracker.js?ver=9.5.3"></script><script type="text/javascript" src="/common/scripts/modalDialog/jquery-1.7.1.js?ver=9.5.3" charset="utf-8"></script><script type="text/javascript">
		var useUASniffing = false;
		function setUASniffing(value) {
			useUASniffing = value;
		}
	</script><script>
		var isReview = 'false';

## pidgin-telegram-crash
$ pidgin -d
(10:10:41) prefs: Reading /home/federico/.purple/prefs.xml
(10:10:41) prefs: Finished reading /home/federico/.purple/prefs.xml
(10:10:41) prefs: purple_prefs_get_path: Unknown pref /pidgin/browsers/command
(10:10:41) dbus: okkk
(10:10:41) plugins: probing /usr/lib64/pidgin/timestamp_format.so
(10:10:41) plugins: probing /usr/lib64/pidgin/spellchk.so
(10:10:41) plugins: probing /usr/lib64/pidgin/sendbutton.so
(10:10:41) plugins: probing /usr/lib64/pidgin/vvconfig.so
(10:10:41) plugins: probing /usr/lib64/pidgin/timestamp.so

## test.log
https-everywhere]$ ./test.sh
+++ readlink -f ./test.sh
++ dirname /home/federico/mw/https-everywhere/test.sh
+ cd /home/federico/mw/https-everywhere
+ TEST_ADDON_PATH=./https-everywhere-tests/
++ mktemp -d
+ PROFILE_DIRECTORY=/tmp/tmp.tL3sul3IMu
+ trap 'rm -r "$PROFILE_DIRECTORY"' EXIT
+ HTTPSE_INSTALL_DIRECTORY=/tmp/tmp.tL3sul3IMu/extensions/https-everywhere@eff.org
+ ./makexpi.sh

## HTTPS-Everywhere-broken-domains.txt
01.org
curl: (28) SSL connection timeout
0nl1ne.at
curl: (51) SSL peer certificate or SSH remote key was not OK
0x539.de
curl: (6) Couldn't resolve host '0x539.de'
0xbadc0de.be
curl: (51) SSL peer certificate or SSH remote key was not OK
100-gute-gruende.de

## 39bei_digitool4783627.pnx.xml
<?xml version="1.0" encoding="UTF-8"?>
<record>
<control>
<sourcerecordid>4783627</sourcerecordid>
<sourceid>39bei_digitool</sourceid>
<recordid>39bei_digitool4783627</recordid>
<sourceformat>Digital Entity</sourceformat>
<sourcesystem>Digitool</sourcesystem>
</control>
<display>

## commonscheck-2013-04.txt
#########################################################################
# Welcome to CommonsChecker 0.1 by WikiTeam (GPL v3)                    #
# More info at: http://code.google.com/p/wikiteam/                      #
#########################################################################

#########################################################################
# Copyright (C) 2011-2012 WikiTeam                                      #
# This program is free software: you can redistribute it and/or modify  #
# it under the terms of the GNU General Public License as published by  #
# the Free Software Foundation, either version 3 of the License, or     #

## wiki-scraper.rb
#!/usr/bin/env ruby
# encoding: utf-8
##################################################################################
# Google search scraper to list all results likely to be MediaWiki installations #
#                                                                                #
# CC-0, ArchiveTeam/WikiTeam, 2013                                               #
#                                                                                #
##################################################################################

require 'rubygems'

## commons-interlace-exiftool.sh
#!/bin/bash
# commons-interlace-exiftool.sh: silly script to find interlaced images on Commons

cat jpgcommons.txt |   # Take list of filenames, one per line
while read line   # As long as there is another line to read ...
do
  URL=$(curl "http://commons.wikimedia.org/w/api.php?action=query&prop=imageinfo&iiprop=url&titles=File:$line&format=xml" | grep -oE 'http://upload.wikimedia.org[^"]+');
  echo "URL is $URL"
  IDEN=$(curl $URL | exiftool -fast2 - | grep -i "Encoding Process")
  # "Baseline DCT" only safe JPEG SOF tag, many less common ones are uncertain

## commons-interlace.sh
#!/bin/bash
# commons-interlace.sh: silly script to find interlaced images on Commons

cat jpgcommons.txt |   # Take list of filenames, one per line
while read line   # As long as there is another line to read ...
do
  URL=$(curl "http://commons.wikimedia.org/w/api.php?action=query&prop=imageinfo&iiprop=url&titles=File:$line&format=xml" | grep -oE 'http://upload.wikimedia.org[^"]+');
  echo "URL is $URL"
  IDEN=$(curl $URL | identify -verbose -)
  if grep -qi "Interlace: None" <<< $IDEN; then
	<html xmlns:xxt="http://www.jclark.com/xt/java/com.macromedia.airspeed.servlet.ui.XSLTExtensions">
	<head>
	<title>THA_250117</title>
	<script type="text/javascript" src="/common/scripts/s_code.js?ver=9.5.3"></script><script type="text/javascript" src="/common/scripts/OmnitureTracker.js?ver=9.5.3"></script><script type="text/javascript" src="/common/scripts/modalDialog/jquery-1.7.1.js?ver=9.5.3" charset="utf-8"></script><script type="text/javascript">
	var useUASniffing = false;
	function setUASniffing(value) {
	useUASniffing = value;
	}
	</script><script>
	var isReview = 'false';
	$ pidgin -d
	(10:10:41) prefs: Reading /home/federico/.purple/prefs.xml
	(10:10:41) prefs: Finished reading /home/federico/.purple/prefs.xml
	(10:10:41) prefs: purple_prefs_get_path: Unknown pref /pidgin/browsers/command
	(10:10:41) dbus: okkk
	(10:10:41) plugins: probing /usr/lib64/pidgin/timestamp_format.so
	(10:10:41) plugins: probing /usr/lib64/pidgin/spellchk.so
	(10:10:41) plugins: probing /usr/lib64/pidgin/sendbutton.so
	(10:10:41) plugins: probing /usr/lib64/pidgin/vvconfig.so
	(10:10:41) plugins: probing /usr/lib64/pidgin/timestamp.so
	https-everywhere]$ ./test.sh
	+++ readlink -f ./test.sh
	++ dirname /home/federico/mw/https-everywhere/test.sh
	+ cd /home/federico/mw/https-everywhere
	+ TEST_ADDON_PATH=./https-everywhere-tests/
	++ mktemp -d
	+ PROFILE_DIRECTORY=/tmp/tmp.tL3sul3IMu
	+ trap 'rm -r "$PROFILE_DIRECTORY"' EXIT
	+ HTTPSE_INSTALL_DIRECTORY=/tmp/tmp.tL3sul3IMu/extensions/https-everywhere@eff.org
	+ ./makexpi.sh
	01.org
	curl: (28) SSL connection timeout
	0nl1ne.at
	curl: (51) SSL peer certificate or SSH remote key was not OK
	0x539.de
	curl: (6) Couldn't resolve host '0x539.de'
	0xbadc0de.be
	curl: (51) SSL peer certificate or SSH remote key was not OK
	100-gute-gruende.de
	<?xml version="1.0" encoding="UTF-8"?>
	<record>
	<control>
	<sourcerecordid>4783627</sourcerecordid>
	<sourceid>39bei_digitool</sourceid>
	<recordid>39bei_digitool4783627</recordid>
	<sourceformat>Digital Entity</sourceformat>
	<sourcesystem>Digitool</sourcesystem>
	</control>
	<display>
	#########################################################################
	# Welcome to CommonsChecker 0.1 by WikiTeam (GPL v3) #
	# More info at: http://code.google.com/p/wikiteam/ #
	#########################################################################

	#########################################################################
	# Copyright (C) 2011-2012 WikiTeam #
	# This program is free software: you can redistribute it and/or modify #
	# it under the terms of the GNU General Public License as published by #
	# the Free Software Foundation, either version 3 of the License, or #
	#!/usr/bin/env ruby
	# encoding: utf-8
	##################################################################################
	# Google search scraper to list all results likely to be MediaWiki installations #
	# #
	# CC-0, ArchiveTeam/WikiTeam, 2013 #
	# #
	##################################################################################

	require 'rubygems'
	#!/bin/bash
	# commons-interlace-exiftool.sh: silly script to find interlaced images on Commons

	cat jpgcommons.txt \| # Take list of filenames, one per line
	while read line # As long as there is another line to read ...
	do
	URL=$(curl "http://commons.wikimedia.org/w/api.php?action=query&prop=imageinfo&iiprop=url&titles=File:$line&format=xml" \| grep -oE 'http://upload.wikimedia.org[^"]+');
	echo "URL is $URL"
	IDEN=$(curl $URL \| exiftool -fast2 - \| grep -i "Encoding Process")
	# "Baseline DCT" only safe JPEG SOF tag, many less common ones are uncertain
	#!/bin/bash
	# commons-interlace.sh: silly script to find interlaced images on Commons

	cat jpgcommons.txt \| # Take list of filenames, one per line
	while read line # As long as there is another line to read ...
	do
	URL=$(curl "http://commons.wikimedia.org/w/api.php?action=query&prop=imageinfo&iiprop=url&titles=File:$line&format=xml" \| grep -oE 'http://upload.wikimedia.org[^"]+');
	echo "URL is $URL"
	IDEN=$(curl $URL \| identify -verbose -)
	if grep -qi "Interlace: None" <<< $IDEN; then