Ubuntu, the most popular Linux distribution, has pulled its Desktop release 23.10 after its Ukrainian translations were discovered to contain hate speech.
According to the Ubuntu project, a malicious contributor is behind anti-Semitic, homophobic, and xenophobic slurs that were injected into the distro via a “third party tool” that lives outside of the Ubuntu Archive.
Ukrainian translations laced with ‘insulting’ strings
This week, Ubuntu took down its Desktop installer 23.10 after spotting insulting strings buried in its Ukrainian release.
“We have identified hate speech from a malicious contributor in some of our translations submitted as part of a third party tool outside of the Ubuntu Archive,” announced the project.
“The Ubuntu 23.10 image has been taken down and a new version will be available once the correct translations have been restored.”
On its community forum, the Ubuntu team further explained that malicious Ukrainian translations were submitted by a community contributor to a “public, third party online service” relied upon by the Ubuntu Desktop Installer for providing language support.
“Around three hours after the release of Ubuntu 23.10 this fact was brought to our attention and we immediately removed the affected images.
After completing initial triage, we believe that the incident only impacts translations presented to a user during installation through the Live CD environment (not an upgrade). During installation the translations are resident in memory only and are not propagated to the disk. If you have upgraded to Ubuntu Desktop 23.10 from a previous release, then you are not affected by this issue.
The impacted images were Ubuntu Desktop 23.10 and Ubuntu Budgie 23.10.
The Ubuntu Desktop Legacy ISO is still available and not affected.
Please keep in mind that translations are data files that support internationalisation of applications. These files are updated with the support of third-party online systems with contributions from individuals all around the world that then get integrated into Ubuntu. It’s unfortunate when that path of collaboration is undermined and used as a mechanism of social aggression. Canonical and Ubuntu do not condone hate speech or offensive language of any kind, as per our code of conduct 21.”
A GitHub pull request spotted by Reddit users [1, 2] and seen by BleepingComputer removed the “insulting [localization] strings” around October 12th.
BleepingComputer observed the cryptic malicious Ukrainian strings were injected by a user by the name of “Danilo Negrilo” towards the end of the translations file, making them harder to spot.
Although the ill-natured translations have been discovered at a time of heightened tensions in the Middle East, commit history confirms the sabotage occurred around September 22nd, prior to the Israel-Hamas war coming into effect.
Concerns about malware injections
Granted the impact of this incident remained limited to translations, users have raised concerns about the possibility of malware that could be injected in future Ubuntu releases through dependencies in a similar manner.
“I trust Ubuntu because it’s the most widely used so it should have the best review team, but if this happened with translations and no one saw, imagine with dependencies with malware injected,” posted a user on X (formerly Twitter). “I think no one reviews anything.”
“If this is true then that means you’re not beta-testing the non-English versions of your distro,” said another one.
“The possibilities for malware from bad-faith actors are huge. This is something that needs to be bridged. You’re not elementaryOS. You’re a large company & this should not happen.”
It is worth noting, however, that reviewing translations submitted in different languages—unless the developers themselves are proficient in these languages, is a much more challenging task that a regular code security audit may not be designed for.
Furthermore, dependencies, code, and open source components may undergo a separate validation process, aimed at thwarting malware, than the one suited for translations, making incidents like these harder to discover.
Ubuntu has now restored its Ukrainian translations “to the state before it was sabotaged,” but is spending additional time on “a broader audit before making it officially available.”
In the meantime, users are advised to download Ubuntu Desktop 23.10 from the Ubuntu downloads page using the Legacy installer ISO that remains unaffected by the incident. Alternatively, users can upgrade from a previously supported Ubutnu release.
Source: www.bleepingcomputer.com