oss-sec mailing list archives

Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: Tavis Ormandy <taviso () gmail com>
Date: Fri, 29 Mar 2024 19:55:48 -0000 (UTC)

On 2024-03-29, Andres Freund wrote:
Hi,

After observing a few odd symptoms around liblzma (part of the xz package) on
Debian sid installations over the last weeks (logins with ssh taking a lot of
CPU, valgrind errors) I figured out the answer:


Thanks Andres, amazing work!

I have a minor procedural question for Solar though, shouldn't this
have been redirected to oss-security immediately from distros? What's
the rationale for an embargo here?

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso () sdf org
_\_V _( ) _( )  @taviso
