oss-sec mailing list archives

Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: Loganaden Velvindron <loganaden () gmail com>
Date: Fri, 29 Mar 2024 23:50:53 +0400

I think that distros should be very careful when they start patching
openssh in general.

On Fri, Mar 29, 2024, 23:20 Andres Freund <andres () anarazel de> wrote:

Hi,

On 2024-03-29 19:44:05 +0100, Matthias Weckbecker wrote:
> I've attached a yara rule to detect the *.o droplet you attached in the
> email (liblzma_la-crc64-fast.o.gz).

Unfortunately xz 5.61 added further obfuscations, making it harder to
detect. Should have made it clearer that the attached .o was from 5.60.
Among others 5.61 removed the two symbols you're checking against here.
That's why Vegard's script looks for a specific instruction sequence,
but obviously is also more obscure :/

Regards,

Andres


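The point Andres makes above (a rule keyed on symbol names stops matching once the symbols are removed, while a raw instruction-sequence match survives that) can be demonstrated offline. The following is an added example written for this archive page; it is not Matthias's yara rule, not Vegard's script, and not code from the xz project. It parses the ELF64 section headers and symbol tables with the standard library only, and the suspect symbol names, the byte signature, and the two objects it builds for itself are constructed stand-ins, not the real indicators from the thread.

```python
"""Symbol-name check vs. instruction-sequence check on an ELF64 object.

Added example for this thread; it is not Matthias's yara rule nor Vegard's
script. The symbol names and the byte signature below are constructed
stand-ins (assumptions), not the real indicators.
"""
import struct
import sys

SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 1, 2, 3, 11
SHDR = "IIQQQQIIQQ"   # Elf64_Shdr, 64 bytes
SYM = "IBBHQQ"        # Elf64_Sym, 24 bytes

# Constructed stand-ins (assumptions, not the indicators from the thread).
SUSPECT_SYMBOLS = {"backdoor_hook_a", "backdoor_hook_b"}
SIGNATURE_HEX = "f30f1efa554889e5"   # endbr64; push rbp; mov rbp,rsp


def _sections(data):
    """Return (endian prefix, list of section headers) for an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    e = "<" if data[5] == 1 else ">"
    (e_shoff,) = struct.unpack_from(e + "Q", data, 40)
    e_shentsize, e_shnum = struct.unpack_from(e + "HH", data, 58)
    secs = []
    for i in range(e_shnum):
        f = struct.unpack_from(e + SHDR, data, e_shoff + i * e_shentsize)
        secs.append({"type": f[1], "offset": f[4], "size": f[5],
                     "link": f[6], "entsize": f[9] or 24})
    return e, secs


def symbol_names(data):
    """Names from every .symtab/.dynsym, read via the section's linked strtab."""
    e, secs = _sections(data)
    names = set()
    for s in secs:
        if s["type"] not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        strtab = secs[s["link"]]
        for i in range(s["size"] // s["entsize"]):
            (st_name,) = struct.unpack_from(e + "I", data, s["offset"] + i * s["entsize"])
            start = strtab["offset"] + st_name
            end = data.index(b"\0", start)
            if end > start:
                names.add(data[start:end].decode("latin-1"))
    return names


def has_sequence(data, hexsig=SIGNATURE_HEX):
    """Raw byte match anywhere in the file; survives symbol renames and strips."""
    return data.find(bytes.fromhex(hexsig)) != -1


def scan(data):
    """Report which of the two detection methods fires on this object."""
    return {"symbols": bool(symbol_names(data) & SUSPECT_SYMBOLS),
            "sequence": has_sequence(data)}


def build_elf(code, syms):
    """Constructed minimal ET_REL ELF64 (x86-64) with .text/.symtab/.strtab/.shstrtab,
    used only to exercise the scanner offline."""
    code = code.ljust(-(-len(code) // 16) * 16, b"\0")
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in syms)
    shstr = b"\0.text\0.symtab\0.strtab\0.shstrtab\0"
    symtab, off = bytes(24), 1
    for n in syms:
        symtab += struct.pack("<" + SYM, off, 0x12, 0, 1, 0, 0)  # GLOBAL FUNC in .text
        off += len(n) + 1
    body, pos, at = b"", 64, []
    for blob in (code, symtab, strtab, shstr):
        at.append((pos, len(blob)))
        body += blob
        pos += len(blob)
    sh = bytes(64)  # null section header
    sh += struct.pack("<" + SHDR, 1, SHT_PROGBITS, 6, 0, *at[0], 0, 0, 16, 0)
    sh += struct.pack("<" + SHDR, 7, SHT_SYMTAB, 0, 0, *at[1], 3, 1, 8, 24)  # link=.strtab
    sh += struct.pack("<" + SHDR, 15, SHT_STRTAB, 0, 0, *at[2], 0, 0, 1, 0)
    sh += struct.pack("<" + SHDR, 23, SHT_STRTAB, 0, 0, *at[3], 0, 0, 1, 0)
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr += struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, pos, 0, 64, 0, 0, 64, 5, 4)
    return hdr + body + sh


def demo():
    """Same code bytes, two builds: one with the telltale symbols, one without."""
    code = bytes.fromhex(SIGNATURE_HEX) + b"\x90" * 8
    with_syms = build_elf(code, ["lzma_crc64", "backdoor_hook_a", "backdoor_hook_b"])
    stripped = build_elf(code, ["lzma_crc64"])
    return scan(with_syms), scan(stripped)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan(fh.read()))
    if len(sys.argv) == 1:
        print(demo())
```

Run it with no arguments to see the two constructed objects scored: the symbol check fires only on the first, the byte-sequence check on both. Run it with paths to real `.o`/`.so` files to apply the same two checks to them; to make that meaningful, replace SUSPECT_SYMBOLS and SIGNATURE_HEX with the indicators from the published rule and script, which this example deliberately does not reproduce.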