Hate speech appeared in the Ukrainian version of Ubuntu 23.10, a contributor from Russia is suspected. How to update the release?

Ubuntu, the most popular Linux distribution, has stopped releasing version 23.10 for desktop computers after it was discovered that the Ukrainian translations contained hate speech. This was reported by Bleeping Computer.

According to the Ubuntu project, an attacker is behind the anti-Semitic, homophobic and xenophobic images that were introduced into the distribution via a “Third Party Tool” that sits outside the Ubuntu archive.

“We discovered hate speech from an attacker in some of our translations provided as part of a third-party tool outside of the Ubuntu archive. Ubuntu 23.10 has been removed and a new version will be available as soon as the correct translations are restored,” the project announced.

On its community forum, the Ubuntu team explained that the malicious Ukrainian translations were submitted by a community member to a “publicly available third-party online service”, which the Ubuntu Desktop Installer relies on to provide language support:

“Approximately three hours after the release of Ubuntu 23.10, we brought this fact to our attention. After the initial triage is complete, we believe the incident only affects the translations provided to the user during installation via the Live CD environment (not an update). During installation, translations are stored only in memory and are not distributed to disk. If you upgraded to Ubuntu Desktop 23.10 from a previous release, you will not be affected by this issue. The affected images are for Ubuntu Desktop 23.10 and Ubuntu Budgie 23.10. The Ubuntu Desktop Legacy ISO is still available and unchanged.

Translations are data files that support application internationalization. These files are maintained by third-party online systems by individuals around the world, which are then integrated into Ubuntu. It is unfortunate when this way of cooperation is undermined and used as a mechanism of social aggression. In accordance with our code of conduct, Canonical and Ubuntu do not condone hate speech or offensive language of any kind.”

Bleeping Computer noticed that the mysterious Ukrainian lines were entered by a user named Danilo Negrilo at the end of the translation file, making them harder to spot.

Although the obscene translations were discovered at a time of heightened tensions in the Middle East, the commit history confirms that the sabotage occurred around September 22nd.

Users have raised concerns about the possibility of malware being introduced into future releases of Ubuntu due to similar vulnerabilities.

It is worth noting that checking translations submitted in different languages is a much more difficult task when the developers themselves do not know those languages, and it may fall outside the scope of a regular code security audit.

Additionally, open source dependencies, code, and components may go through a different anti-malware review process from the one applied to translations, making such incidents harder to detect.

Currently, Ubuntu has restored its Ukrainian translations “to the point where it was sabotaged,” but will spend extra time on a “wider audit before making it officially available.”

In the meantime, users are advised to download Ubuntu Desktop 23.10 from the Ubuntu downloads page using the previous installer ISO that is not affected by the incident.

Additionally, users can upgrade to a previously supported version of Ubuntu.

According to an unconfirmed version, Danilo Negrilo may be Russian Semyon Ridin, an employee of Canonical’s San Francisco office. This is quoted in the comments on OMG Ubuntu. But there is no reliable data about the author of these commits.

Earlier we reported: Ubuntu 23.10 (Mantic Minotaur) is officially released with Linux 6.5 and GNOME 45.