oss-sec mailing list archives
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Jakub Wilk <jwilk () jwilk net>
Date: Fri, 12 Apr 2024 18:37:44 +0200
* Jonathan Schleifer <js () nil im>, 2024-03-30 17:17:
I replaced the sed in here:sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_localedir_prefix -d 2>/dev/nullWith a simple cat, as I could not make sed work. This worries me as it means there is probably some other transformation that I'm missing that would have made the sed work.
It's confusing because there are two layers of eval involved. You actually end up running:
sed rn ...The "r" command means "read from file"; but there's no file named "n", so this is no-op.
The sed command is not completely equivalent to cat though: it appends a newline, because the original file didn't end with one. This trailing garbage slightly upsets xz(1):
xz: (stdin): Unexpected end of input(You normally wouldn't see this warning, thanks to generous use of "2>/dev/null" in build-to-host.m4.)
-- Jakub Wilk
Current thread:
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jakub Wilk (Apr 01)
- <Possible follow-ups>
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jakub Wilk (Apr 12)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Apr 16)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jacob Bachmeyer (Apr 17)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Apr 17)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matt Johnston (Apr 17)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jacob Bachmeyer (Apr 19)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jacob Bachmeyer (Apr 17)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jakub Wilk (Apr 17)