Xz backdoor compromises ssh

j_s · March 29, 2024, 9:55pm

Is there any hope that some authority somewhere will ever consider this sort of thing serious criminal behavior?

https://www.openwall.com/lists/oss-security/2024/03/29/4

Lliure · March 30, 2024, 12:19am

Most of them do. Identifying the actors is the hard part though.

Also, this backdoor is sophisticated enough that a state actor is likely to be involved.

spacemanspiffy · March 30, 2024, 3:54pm

Also, this backdoor is sophisticated enough that a state actor is likely to be involved.

Apparently this person was a regular contributor to xz for a couple years.
Whatever/whoever was behind this, that is quite the inside job. This will make for a very interesting story if more details come to light.

pajuky · March 31, 2024, 12:28am

One persona, multiple accounts that seem like fake accounts used to support the main persona, and if it was the plan from the beginning this has been in the works since 2021

antonis · March 31, 2024, 4:44pm

It seems that this affects deb and rpm systems who patch sshd with liblzma. Unfortunately it seems that PureOS does the same. Running

ldd “$(command -v sshd)”

on Byzantium, among other things it says:

liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f69e5dfb000)

On the other hand the xz version is not 5.6.X but earlier. It seems though it is unclear if earlier versions are not really affected. It is also unclear if the kernel is affected somehow as xz maybe is used to create compressed images.

Rolling distributions as Arch and Manjaro are not affected as the ldd above shows that there is no linking to liblzma.

It would be good if Purism can issue a statement clearing out the situation for PureOs.

One can argue that Linux is so safe that they try to stage an actor to add malicious code like Jia Tan since they can not break in with ways they use for other OSes. But how to avoid such defaming situations in the future?

j_s · March 31, 2024, 4:57pm

/lib/x86_64-linux-gnu/liblzma.so.5 is probably a symbolic link, but byzantium is so old that the actual libzma is probably not 5.6.x

However, for future reference:
ldd(1) and untrusted binaries - Julio Merino (jmmv.dev)
TL/DR:

Wait, what? Under some circumstances (which ones?) and with some versions of ldd (which ones again?1), ldd may execute the given binary to determine the libraries it uses. Which means that running ldd on an untrusted binary could compromise your system. The manual page goes on to say that you should never run ldd against untrusted binaries.