Is there any hope that some authority somewhere will ever consider this sort of thing serious criminal behavior?
Most of them do. Identifying the actors is the hard part though.
Also, this backdoor is sophisticated enough that a state actor is likely to be involved.
Also, this backdoor is sophisticated enough that a state actor is likely to be involved.
Apparently this person was a regular contributor to xz for a couple years.
Whatever/whoever was behind this, that is quite the inside job. This will make for a very interesting story if more details come to light.
One persona, multiple accounts that seem like fake accounts used to support the main persona, and if it was the plan from the beginning this has been in the works since 2021
It seems that this affects deb and rpm systems who patch sshd with liblzma. Unfortunately it seems that PureOS does the same. Running
ldd “$(command -v sshd)”
on Byzantium, among other things it says:
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f69e5dfb000)
On the other hand the xz version is not 5.6.X but earlier. It seems though it is unclear if earlier versions are not really affected. It is also unclear if the kernel is affected somehow as xz maybe is used to create compressed images.
Rolling distributions as Arch and Manjaro are not affected as the ldd above shows that there is no linking to liblzma.
It would be good if Purism can issue a statement clearing out the situation for PureOs.
One can argue that Linux is so safe that they try to stage an actor to add malicious code like Jia Tan since they can not break in with ways they use for other OSes. But how to avoid such defaming situations in the future?
/lib/x86_64-linux-gnu/liblzma.so.5 is probably a symbolic link, but byzantium is so old that the actual libzma is probably not 5.6.x
However, for future reference:
ldd(1) and untrusted binaries - Julio Merino (jmmv.dev)
TL/DR:
Wait, what? Under some circumstances (which ones?) and with some versions of ldd (which ones again?1), ldd may execute the given binary to determine the libraries it uses. Which means that running ldd on an untrusted binary could compromise your system. The manual page goes on to say that you should never run ldd against untrusted binaries.
So apparently xz-utils got infected with a SSH port/protocol feature. Is there a fix to this unauthorized SSH access? I have recently removed xz-utils before any further damage can occur.
I know that the xz-utils is just a archive packing utility and I haven’t used it yet. However, someone with the remote access and evil maid attack capability could exploit this vulnerability. Until then, I request that PureOS and GNU/Linux drop support of xz-utils until further notice.
Yes, update to a version of the package that doesn’t have the backdoor.
All OS distributions that are affected have already issued updates.
PureOS Byzantium has never been affected because it never contained the vulnerable versions in the first place.
GNU/Linux is not a distribution, it’s just a generic term for a certain set of OS distributions that use Linux as a kernel.
I don’t think asking any distribution to drop support for xz-utils helps much; 1. it’s a reputable project, 2. it’s a load-bearing package that you can’t just remove from distributions on a whim; 3. the backdoor has been removed (you can confirm this by downloading and inspecting the source package), 4. only bleeding-edge distributions were affected anyway, and perhaps most importantly, 5. maintainer’s time is much better spent focusing on their daily work and keeping a close eye on incoming software so they have a better chance at thwarting upcoming attempts at planting a backdoor.