GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

    Jonathan Wight (schwa@mastodon.social), Sunday, 31-Mar-2024 00:22:48 JST

    Well reading about the xz ssh backdoor turned into one heck of a rabbit hole this morning.

      Jonathan Wight (schwa@mastodon.social), Sunday, 31-Mar-2024 00:22:48 JST (reply)

      My attempt to summarise what happened:

      * xz is an archive file format widely used on various Linux distributions for packaging and other purposes
      * The primary (unpaid hobbyist) maintainer isn't able to maintain it effectively (health issues/frequent internet breaks).
      * A contributor, over the course of 2+ years, submitted hundreds of patches (originally believed legit but now considered sus) and gained the trust of the maintainer.
      * Contributor was given ability to sign releases…

      1/

      Jonathan Wight (schwa@mastodon.social), Sunday, 31-Mar-2024 00:42:39 JST (reply)

      * And promptly snuck a backdoor into xz via the release package (*) (the backdoor isn't present in the code)
      * On some Linux distros sshd is patched to work with systemd (to allow other services to know when sshd is/isn't running)… and that patch links in xz('s library)…
      * And now sshd is compromised - send a specially crafted xz archive to sshd and you're in…

      (* edited.)

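The chain described in the notice above (sshd patched for systemd notification, that patch pulling in liblzma, the backdoor shipping only in the release package) suggests a quick host check. The POSIX shell script below is an added example for this page, not code from the thread or from the xz or OpenSSH projects. It inspects sshd's dynamic link chain for libsystemd and liblzma, and compares the liblzma version xz reports against the two upstream releases that carried the backdoor, 5.6.0 and 5.6.1 (a fact not stated in the thread). The ldd and `xz --version` text embedded in the script is constructed sample data, and the path /usr/sbin/sshd is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): does this host's sshd reach liblzma
# through libsystemd, and is that liblzma one of the backdoored releases?
# Assumptions: sshd lives at /usr/sbin/sshd; `ldd` and `xz` are on PATH.

# The two upstream xz releases that shipped the backdoor.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# $1 = text of `ldd <sshd>`. Succeeds only when both libsystemd and liblzma
# appear, i.e. the systemd-notify patch pulled liblzma into the process.
ldd_shows_systemd_lzma_chain() {
    printf '%s\n' "$1" | grep -q 'libsystemd\.so' &&
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# $1 = text of `ldd <sshd>`. Prints the resolved liblzma path (first match).
liblzma_path_from_ldd() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*liblzma\.so[^ ]* => \([^ ]*\).*/\1/p' | head -n 1
}

# $1 = text of `xz --version`. Prints the version from its "liblzma X.Y.Z" line.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# $1 = ldd text, $2 = xz --version text.
# Exit status: 0 = liblzma not reachable from sshd via libsystemd,
#              1 = reachable and the version is a backdoored release,
#              2 = reachable, version not on the affected list (review it).
assess() {
    if ! ldd_shows_systemd_lzma_chain "$1"; then
        echo "OK: sshd does not link libsystemd and liblzma together"
        return 0
    fi
    lzma_path=$(liblzma_path_from_ldd "$1")
    ver=$(xz_version_from_output "$2")
    echo "sshd reaches liblzma via libsystemd: ${lzma_path:-?} (liblzma ${ver:-unknown})"
    if is_affected_xz_version "$ver"; then
        echo "AFFECTED: liblzma $ver is one of the backdoored releases"
        return 1
    fi
    echo "REVIEW: liblzma $ver is not an affected upstream version; confirm the package origin"
    return 2
}

# Live check against a real binary (assumed path; only runs where it exists).
check_host() {
    ldd_out=$(ldd "$1" 2>/dev/null) || { echo "ldd failed on $1"; return 2; }
    assess "$ldd_out" "$(xz --version 2>/dev/null)"
}

# Constructed sample data for the demonstration (not captured from a real host).
SAMPLE_LDD_AFFECTED='    linux-vdso.so.1 (0x00007ffd1a3f2000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3c1c000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3c1bfc0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c1bd00000)'
SAMPLE_LDD_CLEAN='    linux-vdso.so.1 (0x00007ffd1a3f2000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3c1bc00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c1bd00000)'
SAMPLE_XZ_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Walk through the constructed samples, then the live host if the path exists.
assess "$SAMPLE_LDD_AFFECTED" "$SAMPLE_XZ_AFFECTED" || echo "(sample flagged, status $?)"
assess "$SAMPLE_LDD_CLEAN" "$SAMPLE_XZ_AFFECTED"
[ -x /usr/sbin/sshd ] && check_host /usr/sbin/sshd || true
```

Two caveats when running this for real. `ldd` executes the dynamic loader against the binary, so only point it at a binary you already trust, or use `readelf -d` / `objdump -p`, which only parse the ELF headers, and follow the NEEDED entries by hand. If a libsystemd build loads its compression libraries lazily with dlopen instead of linking them, ldd will not show liblzma at all, so a clean ldd result is not proof. Finally, a version string is not proof either: distributions ship patched packages under their own version strings, which is why a non-affected version is reported as "REVIEW" rather than "OK".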
      Jonathan Wight (schwa@mastodon.social), Sunday, 31-Mar-2024 00:42:39 JST (reply)

      What's wild about this is…

      … either the contributor was playing the long game - gained the trust of maintainers via legit work just to get to this point…

      … or the legit work wasn't legit and they introduced other vulnerabilities over the course of 2+ years - and this exploit was the first one they got caught doing…

      … or was legitimately contributing until they themselves were compromised (ship this vulnerability or we break your legs…)

      Paul Goracke (pgor@mastodon.social), Sunday, 31-Mar-2024 01:29:30 JST (reply)

      @schwa My concern is that if they were playing such a long game, they weren’t/aren’t just doing it with xz.


GNU social JP is a social network, courtesy of the GNU social JP admin. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.