DPG success story: Fedora Linux stops a major backdoor security vulnerability before it goes downstream #17
jwflory started this conversation in General Conversation
CVE-2024-3094 was recently published, which details a security vulnerability in a compression/decompression library used in virtually all Linux operating system distributions. See this announcement from the Fedora Project announcing how we identified the issue and resolved it for our open source community. Thanks to the timely and prompt action by our packaging and infrastructure community, all users running on stable update channels were NOT impacted by this vulnerability.
As a reflection on the upcoming release of Fedora Linux 40, there remains a lot of uncertainty about this exploit. It appears to be a sophisticated breach of trust that may have taken place over an extended period of time. Fedora Linux 40 is around the corner, which is also distinguished from other Fedora releases because Fedora Linux 40 is the branch point for CentOS Stream 10, the next major version of Enterprise Linux. Therefore, if this exploit had been discovered even two or three months later, this vulnerability would also have impacted downstream builds from Fedora and CentOS Stream, including Red Hat Enterprise Linux (RHEL), AlmaLinux, Rocky Linux, Amazon Linux, Oracle Linux, and others.
I thought this was a great success story for open source. Of course, it shows a weakness in the maintainer model. There are big questions to answer. What if this had not been stopped so early? What if it had breached Enterprise Linux? Yet at the same time, the most practical way this could have been discovered is the Free Software way. Someone was literally performance testing a PostgreSQL database, saw something weird, and shared their discovery with others.