October 14, 2023 at 07:41AM
Ubuntu, the popular Linux distribution, has removed its Desktop release 23.10 after discovering hateful language in the Ukrainian translations. A malicious contributor injected anti-Semitic, homophobic, and xenophobic slurs into the distribution using a third-party tool. Ubuntu has taken down the affected images and will release a new version once the correct translations have been restored. Users are advised to download the unaffected Legacy installer ISO or upgrade from a previously supported release.
Ubuntu removed its Desktop release 23.10 after hate speech was discovered in its Ukrainian translations. The malicious content was injected into the distro through a third-party tool that is outside of the Ubuntu Archive.
The hate speech was found in Ukrainian translations that a community contributor submitted to a public third-party online service, which the Ubuntu Desktop Installer relies on for language support. The affected images were Ubuntu Desktop 23.10 and Ubuntu Budgie 23.10, while the Ubuntu Desktop Legacy ISO remained unaffected.
Ubuntu immediately took down the impacted images and is working on restoring the correct translations. It has also conducted an initial triage and determined that the incident only affects translations presented to users during installation through the Live CD environment, not upgrades.
The malicious translations were brought to Ubuntu’s attention approximately three hours after the release of Ubuntu 23.10, and they have since been removed. It is worth noting that those who have upgraded to Ubuntu Desktop 23.10 from a previous release are not affected by this issue.
A user called “Danilo Negrilo” injected the malicious Ukrainian strings towards the end of the translations file, making them more difficult to spot. The sabotage occurred around September 22nd, before the Israel-Hamas war began.
While users have expressed concerns about the possibility of malware injections in future Ubuntu releases through dependencies, it should be understood that reviewing translations submitted in different languages is a complex task that may require language proficiency. Furthermore, the validation process for dependencies and code may differ from the one for translations, making it challenging to detect such incidents.
Ubuntu has restored its Ukrainian translations to their pre-sabotage state, but is conducting a broader audit before making them officially available. In the meantime, users are advised to download Ubuntu Desktop 23.10 from the Ubuntu downloads page using the unaffected Legacy installer ISO or upgrade from a previously supported Ubuntu release.