this post was submitted on 29 Mar 2024

144 points (98.0% liked)

Programming

17507 readers

9 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Follow the programming.dev instance rules
Keep content related to programming in some way
If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 1 year ago

MODERATORS

snowe

Ategon

[email protected]

144

Backdoor in upstream xz/liblzma leading to ssh server compromise (www.openwall.com)

submitted 8 months ago by [email protected] to c/programming

11 comments fedilink hide all child comments

top 11 comments

sorted by: hot top controversial new old

[–] anzo 36 points 8 months ago (1 children)

A nice tl;dr was https://news.ycombinator.com/item?id=39866307

Copied here:

For those panicking, here are some key things to look for, based on the writeup:

A very recent version of liblzma5 - 5.6.0 or 5.6.1. This was added in the last month or so. If you're not on a rolling release distro, your version is probably older.
A debian or RPM based distro of Linux on x86_64. In an apparent attempt to make reverse engineering harder, it does not seem to apply when built outside of deb or rpm packaging. It is also specific to Linux.
Running OpenSSH sshd from systemd. OpenSSH as patched by some distros only pulls in libsystemd for logging functionality, which pulls in the compromised liblzma5.

Debian testing already has a version called '5.6.1+really5.4.5-1' that is really an older version 5.4, repackaged with a newer version to convince apt that it is in fact an upgrade.

It is possible there are other flaws or backdoors in liblzma5, though.

[–] [email protected] 14 points 7 months ago* (last edited 7 months ago) (1 children)

5.6.1+really5.4.1

Most sane Debian package management

[–] technom 1 points 7 months ago (1 children)

They really ought to have version masking like in Gentoo portage.

[–] [email protected] 1 points 7 months ago

Package management deserves more love on Debian, indeed. Yet they apparently have the largest collection of packages...

[–] alienscience 19 points 7 months ago (1 children)

The person that found this is a hero.

Whenever I see slightly weird behaviour, there is a temptation to just move on because there isn't enough time, running software is complicated, and there is something else I want to do. I will try to change my attitude in future in case it uncovers a backdoor like this -- it would be educational too.

[–] [email protected] 8 points 7 months ago

It's a Microsoft engineer

[–] [email protected] 12 points 8 months ago (1 children)

Additional relevant discussion on HN: https://news.ycombinator.com/item?id=39865810

[–] [email protected] 25 points 8 months ago (2 children)

Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of it's "great new features". We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added). We had to race last night to fix the problem after an inadvertent break of the embargo.

He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.

Damn. I would love to see a full post mortem on this compromise.

[–] [email protected] 5 points 8 months ago

https://www.openwall.com/lists/oss-security/2024/03/29/4

[–] technom 4 points 7 months ago

The hack is still not fully understood and is being analyzed. It doesn't help that Github suspended everything, including the original maintainer's account (who is believed to be a victim of social engineering).

Anyway, you will eventually see a post mortem. I'm willing to bet that it's going to be as phenomenal as the hack itself. The case and its investigation is going to be a classic case study for all security researchers and security-minded users. Anyway, I doubt that the attackers will ever be found. Jia Tan, Jigar Kumar and others are going to remain as ghosts like Satoshi Nakamoto.

[–] RonSijm 3 points 7 months ago

I saw this video yesterday: https://www.youtube.com/watch?v=jqjtNDtbDNI

The guy describes what's going on pretty good