• tal@lemmy.today
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    7 months ago

    Man, there is a lot of concerning stuff there.

    In particular, one person commented that the original xz maintainer was possibly subjected to a pressure campaign to hand over maintainership.

    Another interesting data point: about 2 years ago there was a clear pressure campaign to name a new maintainer:

    https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html

    At the time I thought it was just rude, but maybe this is when it all started.

    I don’t know how many open-source project maintainers would be on guard for something that subtle, people coordinating to take over maintainership of a project.

    I mean, xz isn’t normally something you’d immediately think of as security-critical. I doubt that a maintainer knows or thinks about about all the potential downstream dependencies (in this case, not even a standard sshd depedendency, but one that came up because of a patch that Debian used to add some systemd functionality).

    EDIT:

    I mean, xz isn’t normally something you’d immediately think of as security-critical.

    On second thought, it actually is, given that Debian packages are xz-compressed.

    • Moonrise2473@feddit.it
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      Wow

      And for a state sponsored attacker is cheaper to bribe (or threaten to kill, even cheaper) the single developer to add a backdoor than all the research to find a zero day

  • DocMcStuffin@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    7 months ago

    There’s talk on the Linux kernel mailing list. The same person made recent contributions there.

    Andrew (and anyone else), please do not take this code right now.

    Until the backdooring of upstream xz[1] is fully understood, we should not accept any code from Jia Tan, Lasse Collin, or any other folks associated with tukaani.org. It appears the domain, or at least credentials associated with Jia Tan, have been used to create an obfuscated ssh server backdoor via the xz upstream releases since at least 5.6.0. Without extensive analysis, we should not take any associated code. It may be worth doing some retrospective analysis of past contributions as well…

  • Shimitar@feddit.it
    link
    fedilink
    English
    arrow-up
    0
    arrow-down
    1
    ·
    edit-2
    7 months ago

    Wow… Luckly I don’t use systemd which seems to be the vector causing the sshd backdoor, via liblzma…

    Pretty scary anyway.

    • tal@lemmy.today
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      7 months ago

      I bet that you use software packages that are built and authored on systems that have systemd+sshd, though.

      What happens if development or build machines belong to people who control projects that you trust and have been compromised?

      Do you use a web browser? Do you use a graphical desktop environment? Are the machines those guys use vulnerable? Are the developers of the libraries that they depend on vulnerable?

      Remember, this guy was attacking a downstream project (sshd) by compromising and signing source in a specific tarball of a library – the malicious code never made it into git – used by an unrelated piece of software (systemd) that some distros, not even the ssh guys, happened to link into sshd’s memory space. He’s trying to compromise unrelated software via elaborate supply chain attacks.