oss-sec mailing list archives

Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Sat, 30 Mar 2024 04:18:43 +0800

On Sat, Mar 30, 2024 at 2:59 AM Alexander E. Patrakov
<patrakov () gmail com> wrote:
>
> On Sat, Mar 30, 2024 at 12:09 AM Andres Freund <andres () anarazel de> wrote:
> > == Affected Systems ==
> >
> > The attached de-obfuscated script is invoked first after configure, where it
> > decides whether to modify the build process to inject the code.
> >
> > These conditions include...
> <snip>
> > Running as part of a debian or RPM package build:
> >     if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then
>
> Could you please confirm that the Arch Linux binary package was never
> actually compromised?

Answering my own question. Supposedly (as "confirmed" by
https://lists.archlinux.org/archives/list/arch-security () lists archlinux org/thread/R3HBBSVYIRTXB4O64N2WZX55BF6IIPST/),
"package xz before version 5.6.1-2 is vulnerable". So, I downloaded
versions 5.6.1-1 (supposedly vulnerable) and 5.6.1-2 (supposedly
fixed) from Arch Linux Archive:
https://archive.archlinux.org/packages/x/xz/

I extracted both binary packages and disassembled the liblzma.so.5.6.1
library contained therein using "objdump -d". The files are not
identical, however, their disassembly is. Therefore, either both are
trojaned, or none. Based on the "if test -f "$srcdir/debian/rules" ||
test "x$RPM_ARCH" = "xx86_64";then" line, I think that the correct
answer is "none", and therefore no advisory should have been created.
But it's 4:18am here, not the best time to think, so I would
appreciate it if somebody else confirms my conclusion.

P.S. Kudos to the reproducible-builds project for making the analysis that easy.

-- 
Alexander E. Patrakov
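The comparison described in the message above (disassemble both copies of liblzma.so with "objdump -d" and compare the listings), automated as an added example. This is not code from the original post or from the xz project. It assumes GNU binutils AT&T-syntax x86-64 output; the three SAMPLE_* listings are constructed for illustration, not taken from real packages, and the symbol "injected_hook" is made up. It also goes slightly beyond the post: instead of requiring byte-identical objdump output, it strips addresses and encoding bytes first, so two builds at different load addresses still compare equal while an inserted instruction is reported as a diff line.

```python
"""Compare the disassembly of two builds of a shared library, ignoring layout noise.

Added example for the check this thread describes, not code from the original post or
the xz project. Assumed rather than stated in the post: GNU binutils AT&T-syntax x86-64
listings; the SAMPLE_* listings are constructed and the symbol 'injected_hook' is made up.
"""
import difflib
import re
import subprocess
import sys
from typing import List

# Instruction line, e.g. "    1048:  e8 13 00 00 00     call   1060 <lzma_code_impl>"
_INSN = re.compile(r"^[0-9a-f]+:\s+((?:[0-9a-f]{2}\s+)*[0-9a-f]{2})(?:\s+(.*))?$")
# Function header, e.g. "0000000000001040 <lzma_code@@XZ_5.0>:"
_FUNC = re.compile(r"^[0-9a-f]+\s+<([^>]+)>:$")
# Absolute address printed before a symbolic target: "1060 <foo>" or "# 4010 <bar>"
_ADDR_BEFORE_SYM = re.compile(r"\b[0-9a-f]+\s+<")

def normalize_objdump(listing: str) -> List[str]:
    """One 'mnemonic operands' string per instruction, with layout noise removed.

    Dropped: the 'file format' banner (carries the input path), addresses, encoding
    bytes, byte-only continuation lines, and the absolute address before '<symbol>'.
    (%rip) displacements are kept on purpose: a re-laid-out binary should still differ.
    """
    out: List[str] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or "file format" in line:
            continue
        m = _FUNC.match(line)
        if m:
            out.append(f"<{m.group(1)}>:")
            continue
        m = _INSN.match(line)
        if m:
            if m.group(2) is None:  # continuation line: remaining encoding bytes only
                continue
            out.append(" ".join(_ADDR_BEFORE_SYM.sub("<", m.group(2)).split()))
            continue
        out.append(" ".join(line.split()))  # e.g. "Disassembly of section .text:"
    return out

def diff_disassembly(a: str, b: str) -> List[str]:
    """'+'/'-' lines whose instructions differ between two listings; empty = same code."""
    hunks = difflib.unified_diff(normalize_objdump(a), normalize_objdump(b),
                                 fromfile="a", tofile="b", lineterm="", n=0)
    return [h for h in hunks
            if h.startswith(("+", "-")) and not h.startswith(("+++", "---"))]

def same_code(a: str, b: str) -> bool:
    return not diff_disassembly(a, b)

def disassemble(path: str) -> str:
    """Run GNU objdump on a real ELF file (requires binutils)."""
    return subprocess.run(["objdump", "-d", path], check=True,
                          capture_output=True, text=True).stdout

def _relocate(listing: str, delta: int) -> str:
    """Shift every address (4+ hex digits) in a listing; only used to build SAMPLE_BUILD_B."""
    return re.sub(r"\b[0-9a-f]{4,}\b",
                  lambda m: format(int(m.group(), 16) + delta, f"0{len(m.group())}x"),
                  listing)

# Constructed listings: B is A's code at a different load address with another banner;
# C has one extra call spliced in before the real implementation.
SAMPLE_BUILD_A = """\
build1/usr/lib/liblzma.so.5.6.1:     file format elf64-x86-64

Disassembly of section .text:
0000000000001040 <lzma_code@@XZ_5.0>:
    1040:  f3 0f 1e fa           endbr64
    1044:  48 83 ec 08           sub    $0x8,%rsp
    1048:  e8 13 00 00 00        call   1060 <lzma_code_impl>
    104d:  48 83 c4 08           add    $0x8,%rsp
    1051:  c3                    ret
"""
SAMPLE_BUILD_B = _relocate(SAMPLE_BUILD_A, 0x40).replace("build1", "build2")
SAMPLE_BUILD_C = """\
build3/usr/lib/liblzma.so.5.6.1:     file format elf64-x86-64
Disassembly of section .text:
0000000000001040 <lzma_code@@XZ_5.0>:
    1040:  f3 0f 1e fa           endbr64
    1044:  48 83 ec 08           sub    $0x8,%rsp
    1048:  e8 23 01 00 00        call   1170 <injected_hook>
    104d:  e8 0e 00 00 00        call   1060 <lzma_code_impl>
    1052:  48 83 c4 08           add    $0x8,%rsp
    1056:  c3                    ret
"""

if __name__ == "__main__":  # python3 cmp_disasm.py A/liblzma.so.5.6.1 B/liblzma.so.5.6.1
    a, b = (map(disassemble, sys.argv[1:3]) if len(sys.argv) == 3
            else (SAMPLE_BUILD_A, SAMPLE_BUILD_C))
    print("\n".join(diff_disassembly(a, b)) or "identical code")
```

For the real check, extract usr/lib/liblzma.so.5.6.1 from each package (for example with "bsdtar -xf xz-5.6.1-1-x86_64.pkg.tar.zst usr/lib/liblzma.so.5.6.1"; the package file name is an assumption about the archive's naming) into two directories and pass both paths on the command line. Keep in mind what "objdump -d" does and does not cover: it only disassembles code sections, so differences confined to notes such as the build ID never appear in the listing, which is one way two package files can differ while their disassembly is identical; conversely, payload hidden purely in data or relocations would need "objdump -s" or "readelf -r" on top of this comparison.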