Supply Chain Attack found in Fedora's Pagure and openSUSE's Open Build Service
-
You don’t need to do anything, this is on OBS’s side to fix.
I skimmed the article, but didn’t see if these issues have already been addressed yet. I assume they have been fixed and this is just a disclosure.
Perfect. Thank you for taking the time to respond
-
I've tried reading through the article, but unfortunately, I'm not the sharpest tool in the shed. I use openSUSE, how does this affect me, and what do I need to do/what can I do about this?
Usually with vulnerabilities like this, they're not gonna say anything about it until after they patch it so that people don't go abuse it
-
This post did not contain any content.
Supply chain attacks have been a trendy topic in the past years.
Has the meaning of 'trendy' changed from what I'm used to?
-
You don’t need to do anything, this is on OBS’s side to fix.
I skimmed the article, but didn’t see if these issues have already been addressed yet. I assume they have been fixed and this is just a disclosure.
Do you mean the specific exploit performed by the author has been fixed? Or the general vulnerability that this exploit was intended to demonstrate has been fixed? The article ends with a What's Next section discussing the difficulty of the latter, saying
we don’t think there’s a silver bullet to address the risks caused by the compromise of such central pieces of infrastructure
and going into detail about the challenges for openSUSE OBS. Are you claiming those challenges have all been solved and exploits like this are no longer possible?
-
Do you mean the specific exploit performed by the author has been fixed? Or the general vulnerability that this exploit was intended to demonstrate has been fixed? The article ends with a What's Next section discussing the difficulty of the latter, saying
we don’t think there’s a silver bullet to address the risks caused by the compromise of such central pieces of infrastructure
and going into detail about the challenges for openSUSE OBS. Are you claiming those challenges have all been solved and exploits like this are no longer possible?
The authors found and reported vulnerabilities in Pagure and Open Build Service. These vulnerabilities have since been fixed.
-
Supply chain attacks have been a trendy topic in the past years.
Has the meaning of 'trendy' changed from what I'm used to?
It's 2024, if you're not exploiting CI systems to inject your malware into the dependency chain for large open source projects, what even are you doing with your life?
-
It's 2024, if you're not exploiting CI systems to inject your malware into the dependency chain for large open source projects, what even are you doing with your life?
it's 2025 now but otherwise yeah
-
This post did not contain any content.
Nice post, but your title is misleading: the blog post is actually titled "Supply Chain Attacks on Linux distributions - Overview" - the word "attacks" as used here is a synonym for "vulnerabilities". It is not completely clear from their title if this is going to be a post about vulnerabilities being discovered, or about them actually being exploited maliciously, but the latter is at least not strongly implied.
This lemmy post however is titled (currently, hopefully OP will retitle it after this comment) "Supply Chain Attack found in Fedora's Pagure and openSUSE's Open Build Service".
Adding the word "found" (and making "Attack" singular) changes the meaning: this title strongly implies that a malicious party has actually been detected performing a supply chain attack for real - which is not what this post is saying at all.
TLDR: These security researchers went looking for supply chain vulnerabilities, and found several bugs in two different systems. After responsibly disclosing them, they did these (very nice and accessible, btw - i recommend reading them) writeups about two of the bugs. The two they wrote up are similar in that they both involve going from being able to inject command line arguments, to being able to write to a file, to being able to execute arbitrary code (in a context which would allow attackers to perform supply chain attacks on any software distributed via the targeted infrastructure).
-
it's 2025 now but otherwise yeah
Not according to my, completely malware free, waybar-git-real!
-
Nice post, but your title is misleading: the blog post is actually titled "Supply Chain Attacks on Linux distributions - Overview" - the word "attacks" as used here is a synonym for "vulnerabilities". It is not completely clear from their title if this is going to be a post about vulnerabilities being discovered, or about them actually being exploited maliciously, but the latter is at least not strongly implied.
This lemmy post however is titled (currently, hopefully OP will retitle it after this comment) "Supply Chain Attack found in Fedora's Pagure and openSUSE's Open Build Service".
Adding the word "found" (and making "Attack" singular) changes the meaning: this title strongly implies that a malicious party has actually been detected performing a supply chain attack for real - which is not what this post is saying at all.
TLDR: These security researchers went looking for supply chain vulnerabilities, and found several bugs in two different systems. After responsibly disclosing them, they did these (very nice and accessible, btw - i recommend reading them) writeups about two of the bugs. The two they wrote up are similar in that they both involve going from being able to inject command line arguments, to being able to write to a file, to being able to execute arbitrary code (in a context which would allow attackers to perform supply chain attacks on any software distributed via the targeted infrastructure).
yeah, it turns the thing into clickbait.
-
System shared this topic on
