- The XZ Utils backdoor was found more than a year ago
- Despite the warnings, some Linux images still contain it
- Debian will not budge because the images are “historic artifacts”
At least 35 Linux images hosted on Docker Hub contain dangerous malware, which could expose software developers and their products to takeover, data theft, ransomware and more.
However, at least some of the images will remain on the site and will not be deleted, because they are obsolete anyway and should not be used.
In March 2024, the open source community was stunned when security researchers spotted a backdoor, a piece of malicious code, in the upstream XZ Utils releases 5.6.0 and 5.6.1 (the liblzma.so library), which briefly made its way into the packages of certain Linux distributions (though not their stable versions). The backdoor was inserted by a developer going by the name “Jia Tan” who, over the two preceding years, had built up considerable credibility in the community through various contributions.
Debian, Fedora and others
Now, Binarly’s security researchers say that malicious XZ Utils builds containing the backdoor were distributed in certain branches of several Linux distributions, notably Debian, Fedora and openSUSE.
“This had serious implications for the software supply chain, as it has become difficult to quickly identify all the places where the backdoored library had been included.”
Binarly’s experts now say that several Docker images built at the time of the compromise also contain the backdoor. At first glance this might not seem alarming: if the distribution packages were backdoored, then every Docker image based on them would be backdoored too.
However, the researchers say that some of the compromised images are still available on Docker Hub and have even been used to build other images, which were in turn infected transitively. Binarly said it found “only” 35 images because it focused solely on Debian images:
“The impact on the Docker images of Fedora, openSUSE, and other distributions that have been affected by the XZ Utils backdoor remains unknown at the moment.”
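Since the affected images are Debian-based and the backdoor lives in liblzma from upstream releases 5.6.0 and 5.6.1, a team can check its own images for those versions before building on them. The script below is an added example, not code from the article or from Binarly; it assumes the docker CLI is available and that the images use dpkg, and the image names passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example: flag Debian-based Docker images whose liblzma5 package is
# one of the backdoored upstream XZ Utils releases (5.6.0 or 5.6.1).
# Assumes the docker CLI is installed and the image uses dpkg.

# Reduce a dpkg version string to its upstream part by dropping the optional
# epoch ("1:") and the Debian revision after the last "-".
# "1:5.6.1-1" -> "5.6.1"; "5.4.5-0.3" -> "5.4.5"; "5.4.1" -> "5.4.1"
deb_upstream_version() {
    v="${1#*:}"
    printf '%s\n' "${v%-*}"
}

# Return 0 (true) when the upstream version is one of the backdoored releases.
is_backdoored_xz_version() {
    case "$(deb_upstream_version "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask dpkg inside the image for the liblzma5 version, bypassing the image's
# own entrypoint. Prints nothing if the package (or dpkg) is absent.
image_liblzma_version() {
    docker run --rm --entrypoint dpkg-query "$1" -W -f '${Version}' liblzma5 2>/dev/null
}

# Scan every image name given; exit status 1 if any backdoored build is found.
scan_images() {
    rc=0
    for img in "$@"; do
        ver="$(image_liblzma_version "$img")"
        if [ -z "$ver" ]; then
            echo "$img: liblzma5 not found (not Debian-based or dpkg missing)"
        elif is_backdoored_xz_version "$ver"; then
            echo "$img: BACKDOORED liblzma $ver - do not build on this image"
            rc=1
        else
            echo "$img: liblzma $ver ok"
        fi
    done
    return "$rc"
}

# Usage: ./check_xz.sh <image:tag> [<image:tag> ...]  (placeholder image names)
if [ "$#" -gt 0 ]; then
    scan_images "$@"
fi
```

The version check only proves presence of a known-bad package version; an image rebuilt from a fixed package but still carrying stale layers needs a separate review of its layer history.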
Debian said it would not delete the malicious images because they are outdated anyway and should not be used. They will be left as “historical artifacts”.
Via BleepingComputer