if you're looking at the lzma thing and trying to figure out if you should be concerned, and if you can do anything about it:
the answers are definitely yes, and probably not much, respectively
this is one of those 'off the charts' sorts of scenarios, because the impact isn't just the vulnerability itself (a remote ssh backdoor on some systems), it's that it was seemingly inserted intentionally into this library which exists on every linux distro by one of the maintainers of the library, in signed commits, with very thorough attempts to obfuscate it, and with what appears to be active efforts to mask side effects when they were noticed.
so even if your system did not fit the criteria that we believe are necessary to trigger that backdoor and/or you have reverted to an older version that didn't have the final piece, you are still running code written by the person who intentionally added that backdoor.
Conversation
Notices
-
Embed this notice
linear cannon (linear@nya.social)'s status on Saturday, 30-Mar-2024 06:19:49 JST 
linear cannon
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Saturday, 30-Mar-2024 06:21:42 JST 
Haelwenn /элвэн/ :triskell:
@linear Right, and sadly it's pretty much a core dependency of most distros (like on a BSD it would be in base) so that's going to be a hell of a moment to figure out wtf to do in terms of "now, what?". -
Embed this notice
linear cannon (linear@nya.social)'s status on Saturday, 30-Mar-2024 06:26:26 JST
linear cannon
@lanodan@queer.hacktivis.me yep.
in netbsd, at least, the one in base seems to be from before this person became a maintainer
the version in pkgsrc is much newer, thoughHaelwenn /элвэн/ :triskell: likes this. -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Saturday, 30-Mar-2024 16:32:15 JST 
Wolf480pl
@linear it's worse than that.
This backdoor showed that ot's possible, and it was caught by sheer luck. How many more are there in other projects, added by different people, that we're not aware of?Haelwenn /элвэн/ :triskell: likes this. -
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Saturday, 30-Mar-2024 16:42:19 JST
Haelwenn /элвэн/ :triskell:
@wolf480pl @linear
Well one of the things could be to push for autotools to be replaced:
- having code undistinguishable from obfuscation means no code review and makes it much harder to patch
- forces the use of generated tarballs that doesn't corresponds to what's in version control
- autoreconf fails way too frequently at regenerating ./configure files -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Saturday, 30-Mar-2024 16:42:20 JST
Wolf480pl
@linear and we have no way of stopping this from happening in the future.
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Saturday, 30-Mar-2024 17:11:33 JST
Haelwenn /элвэн/ :triskell:
@wolf480pl @linear Yeah and having the tools to do so, pkgdiff being one of them.
But I know some packagers always review diffs and are quite expected to do so, but they need to be able to review everything and we're *really bad* at allowing this, a ton of projects just ship binaries in the source tarballs. -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Saturday, 30-Mar-2024 17:11:34 JST
Wolf480pl
@lanodan @linear
that's one half of a solutionThe other is having someone dpwnstream read diffs. All of them.
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Saturday, 30-Mar-2024 17:21:34 JST
Haelwenn /элвэн/ :triskell:
@wolf480pl @linear Possibly… so far I've failed at bootstrapping OpenJDK from source.
See https://hacktivis.me/notes/bootstrapping where I've put both chicken-egg things and ones shipping with blobs. -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Saturday, 30-Mar-2024 17:21:35 JST
Wolf480pl
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Saturday, 30-Mar-2024 17:52:01 JST
Haelwenn /элвэн/ :triskell:
@wolf480pl @linear To put comments?
Interesting at first but I'd say it's actually an awful idea as it could be a strong way of making malware seem legit. Because reviewers, specially casual ones like packagers which aren't going to go in careful auditing mode, would end up trusting the comments over the actual code.
I think it would make more sense to verify (say with sandboxing or separated repo for the fixtures) that the test fixtures aren't used in production binaries.
Which could allow to have well-known fixtures, quite like the PNG ones, that could be carefully reviewed once and not need modifications for many years. -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Saturday, 30-Mar-2024 17:52:02 JST
Wolf480pl
@lanodan @linear also, speaking of not keeping blobs in source code:
If the test files are binary, I think they shilould be generated at build time, eg. with nasm or some script, so that it's clear why specific bytes go in specific places.
-
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 31-Mar-2024 03:17:35 JST
Wolf480pl
@lanodan @linear
I was thinking more like explicit field sizes (writeI32, writeU8, etc), calculated fields, maybe loops, to reduce the overall entropy and hopefully use nothing-up-my-sleeve numbers.But you're right, there's a high chance magic numbers will appear anyway, and if we accept those, then it's safer to have them as a blob than surrounded with misleading comments / variable names /etc.
Haelwenn /элвэн/ :triskell: likes this. -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Sunday, 31-Mar-2024 03:18:18 JST
Wolf480pl
Also, I'm not saying the test vectors should change / shouldn't be standardized. You coud keep in the repo sha256sums of known-good test vectors, and check the generated ones against the sums.
Haelwenn /элвэн/ :triskell: likes this.
-
Embed this notice
All GNU social JP content and data are available under the