Gandalf_The_Grey
This week, Ubuntu took down its Desktop installer 23.10 after spotting insulting strings buried in its Ukrainian release.
"We have identified hate speech from a malicious contributor in some of our translations submitted as part of a third party tool outside of the Ubuntu Archive," announced the project.
"The Ubuntu 23.10 image has been taken down and a new version will be available once the correct translations have been restored."
On its community forum, the Ubuntu team further explained that malicious Ukrainian translations were submitted by a community contributor to a "public, third party online service" relied upon by the Ubuntu Desktop Installer for providing language support.
Concerns about malware injections
Granted the impact of this incident remained limited to translations, users have raised concerns about the possibility of malware that could be injected in future Ubuntu releases through dependencies in a similar manner.
"I trust Ubuntu because it's the most widely used so it should have the best review team, but if this happened with translations and no one saw, imagine with dependencies with malware injected," posted a user on X (formerly Twitter). "I think no one reviews anything."
"If this is true then that means you're not beta-testing the non-English versions of your distro," said another one.
"The possibilities for malware from bad-faith actors are huge. This is something that needs to be bridged. You're not elementaryOS. You're a large company & this should not happen."
It is worth noting, however, that reviewing translations submitted in different languages, unless the developers themselves are proficient in these languages, is a much more challenging task that a regular code security audit may not be designed for.
Ubuntu has now restored its Ukrainian translations "to the state before it was sabotaged," but is spending additional time on "a broader audit before making it officially available."
In the meantime, users are advised to download Ubuntu Desktop 23.10 from the Ubuntu downloads page using the Legacy installer ISO that remains unaffected by the incident. Alternatively, users can upgrade from a previously supported Ubuntu release.
Ubuntu discovers 'hate speech' in release 23.10 — how to upgrade?
Ubuntu, the most popular Linux distribution, has pulled its Desktop release 23.10 after its Ukrainian translations were discovered to contain hate speech. According to the Ubuntu project, a malicious contributor is behind anti-Semitic, homophobic, and xenophobic slurs that were injected into the...
www.bleepingcomputer.com