#Ventoy Security Concerns (please boost for visibility)
Ventoy is a popular utility for making USB drives containing multiple operating systems in the form of bootable image files. While very useful in theory, the source tree contains numerous binary blobs without source code. This issue has been brought up to the authors multiple times, have not been corrected, and have even gotten worse (more blobs have been added to the code over time). This is a potential malware vector, similar to the "test files" in the xz-utils backdoor catastrophe.
Recently the author has ignored a very lengthy thread raising security concerns because of these binary blobs. Given the amount of attention the thread has gotten, this seems strange, especially given that the authors have been active since then. https://github.com/ventoy/Ventoy/issues/2795
Stranger yet still, a video by Veronica Explains (Veronica Explains (npub1dml…x796)) on how to create bootable USB flash drives got flooded by comments heavily suggesting the use of Ventoy and even being somewhat accusing because Veronica didn't advertise Ventoy. This is... not anything I've seen users of ANY open-source project do, and it feels similar to the social engineering done against Lasse Collin that convinced him to add Jia Tan as a maintainer, thus compromising xz-utils. See the comments of https://www.youtube.com/watch?v=QiSXClZauXA&t=3s
If you're using Ventoy, you may want to consider ceasing its use for the time being out of an abundance of caution. If you truly need its functionality, you might look into something like the IODD SSD Enclosure (https://www.iodd.shop/HDD/SSD-Enclosure) which can emulate an optical drive and allows you to select an ISO saved to the drive to boot from.
#linux #boot #security #malicious #backdoor
Aaron Rainbolt /
npub176…p9h5z
2024-08-05 18:36:38
Author Public Key
npub176a0y2lwjfwg3ykpnp82glt7dzy69vl6pzxcnn08zfu4g6n2h8rs8p9h5zPublished at
2024-08-05 18:36:38Event JSON
{
"id": "a10fc8cf109e5bc7bb377f7439f7068888ca22fbd3c360ce1c761b19c84e76e7",
"pubkey": "f6baf22bee925c8892c1984ea47d7e6889a2b3fa088d89cde71279546a6ab9c7",
"created_at": 1722882998,
"kind": 1,
"tags": [
[
"t",
"boot"
],
[
"p",
"6efe24e8d551d8669d975aa16c67e86eba709c443f107b9b3a42297c0d8f4ccf"
],
[
"t",
"Ventoy"
],
[
"proxy",
"https://theres.life/@arraybolt3/112910860206028596",
"web"
],
[
"t",
"linux"
],
[
"t",
"security"
],
[
"t",
"malicious"
],
[
"t",
"backdoor"
],
[
"proxy",
"https://theres.life/users/arraybolt3/statuses/112910860206028596",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://theres.life/users/arraybolt3/statuses/112910860206028596",
"pink.momostr"
],
[
"-"
]
],
"content": "#Ventoy Security Concerns (please boost for visibility)\n\nVentoy is a popular utility for making USB drives containing multiple operating systems in the form of bootable image files. While very useful in theory, the source tree contains numerous binary blobs without source code. This issue has been brought up to the authors multiple times, have not been corrected, and have even gotten worse (more blobs have been added to the code over time). This is a potential malware vector, similar to the \"test files\" in the xz-utils backdoor catastrophe.\n\nRecently the author has ignored a very lengthy thread raising security concerns because of these binary blobs. Given the amount of attention the thread has gotten, this seems strange, especially given that the authors have been active since then. https://github.com/ventoy/Ventoy/issues/2795\n\nStranger yet still, a video by Veronica Explains (nostr:npub1dmlzf6x428vxd8vht2skcelgd6a8p8zy8ug8hxe6gg5hcrv0fn8sycx796) on how to create bootable USB flash drives got flooded by comments heavily suggesting the use of Ventoy and even being somewhat accusing because Veronica didn't advertise Ventoy. This is... not anything I've seen users of ANY open-source project do, and it feels similar to the social engineering done against Lasse Collin that convinced him to add Jia Tan as a maintainer, thus compromising xz-utils. See the comments of https://www.youtube.com/watch?v=QiSXClZauXA\u0026t=3s\n\nIf you're using Ventoy, you may want to consider ceasing its use for the time being out of an abundance of caution. If you truly need its functionality, you might look into something like the IODD SSD Enclosure (https://www.iodd.shop/HDD/SSD-Enclosure) which can emulate an optical drive and allows you to select an ISO saved to the drive to boot from.\n\n#linux #boot #security #malicious #backdoor",
"sig": "3e90c903c691a1e6eb90903b1cd9d197612dbafd7fae79665341802ced651aa567ba6530ec8a0cfbc20f3567c2a4e5d776b92f4b2b225c0f13658e307afdfda9"
}