oss-sec mailing list archives
Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Sat, 30 Mar 2024 04:18:43 +0800
On Sat, Mar 30, 2024 at 2:59 AM Alexander E. Patrakov <patrakov () gmail com> wrote:
> On Sat, Mar 30, 2024 at 12:09 AM Andres Freund <andres () anarazel de> wrote:
> > == Affected Systems ==
> >
> > The attached de-obfuscated script is invoked first after configure, where
> > it decides whether to modify the build process to inject the code. These
> > conditions include...
> <snip>
> > Running as part of a debian or RPM package build:
> >
> >   if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then
>
> Could you please confirm that the Arch Linux binary package was never
> actually compromised?
Answering my own question.

Supposedly (as "confirmed" by
https://lists.archlinux.org/archives/list/arch-security () lists archlinux org/thread/R3HBBSVYIRTXB4O64N2WZX55BF6IIPST/),
"package xz before version 5.6.1-2 is vulnerable".

So, I downloaded versions 5.6.1-1 (supposedly vulnerable) and 5.6.1-2
(supposedly fixed) from Arch Linux Archive:
https://archive.archlinux.org/packages/x/xz/

I extracted both binary packages and disassembled the liblzma.so.5.6.1
library contained therein using "objdump -d". The files are not identical,
however, their disassembly is. Therefore, either both are trojaned, or none.

Based on the "if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then"
line, I think that the correct answer is "none", and therefore no advisory
should have been created.

But it's 4:18am here, not the best time to think, so I would appreciate it
if somebody else confirms my conclusion.

P.S. Kudos to the reproducible-builds project for making the analysis that easy.

-- 
Alexander E. Patrakov
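The comparison the message describes, written out as an added example (this is not code from the thread or from the xz or Arch projects): extract liblzma.so.5.6.1 from two Arch packages, disassemble each with objdump, and diff. It goes one step further than a raw `objdump -d` diff by normalising away the per-line addresses, the `# addr <sym>` annotations and the absolute address in front of `<sym+off>` jump targets, so that two builds whose section layout merely shifted still compare equal while an inserted or altered instruction still shows up. It assumes GNU binutils, `diff`, `mktemp` and a `tar` able to read `.pkg.tar.zst`; the package file names, the `compare-xz.sh` script name and the sample listings are placeholders or constructed data.

```shell
#!/bin/sh
# Added example (not part of the thread): compare two builds of liblzma the
# way the message above describes, with addresses normalised out of the
# objdump listing. Assumes GNU binutils (objdump), diff, mktemp and a tar
# that can read .pkg.tar.zst; the package file names are placeholders.

# Strip what legitimately differs between two relocated-but-identical
# listings of `objdump -d --no-show-raw-insn`: the "file format" header,
# per-line addresses, the "# addr <sym>" annotations on RIP-relative
# operands, and the absolute address in front of "<sym+off>" targets.
# The symbolic target is kept, so an inserted instruction still shows up.
normalize_disasm() {
    sed -E \
        -e '/:[[:space:]]+file format /d' \
        -e 's/^[0-9a-f]+ (<[^>]*>:)$/\1/' \
        -e 's/^[[:space:]]*[0-9a-f]+:[[:space:]]*//' \
        -e 's/[[:space:]]*#.*$//' \
        -e 's/ [0-9a-f]+ (<[^>]*>)/ \1/g'
}

# Disassemble one ELF object; --no-show-raw-insn drops the hex bytes so
# only mnemonics and operands are compared.
disasm() {
    objdump -d --no-show-raw-insn "$1" | normalize_disasm
}

# Exit 0 when the normalised disassembly of two objects is identical
# (Patrakov's observation for 5.6.1-1 vs 5.6.1-2); otherwise print the diff.
compare_disasm() {
    t1=$(mktemp) && t2=$(mktemp) || return 2
    disasm "$1" >"$t1"
    disasm "$2" >"$t2"
    if diff -u "$t1" "$t2"; then rc=0; else rc=1; fi
    rm -f "$t1" "$t2"
    return "$rc"
}

# Pull liblzma out of an Arch package and print its path. GNU tar detects
# the zstd compression when the zstd binary is installed; bsdtar also works.
extract_liblzma() {
    mkdir -p "$2"
    tar -C "$2" -xf "$1" usr/lib/liblzma.so.5.6.1
    printf '%s\n' "$2/usr/lib/liblzma.so.5.6.1"
}

# Constructed sample listings (not real liblzma output) to check the
# normaliser: B is A relocated by 0x1000, C has one operand changed.
SAMPLE_A='liblzma.so.5.6.1:     file format elf64-x86-64


Disassembly of section .text:

0000000000004000 <lzma_crc64>:
    4000:   endbr64
    4004:   mov    0x1efc9(%rip),%rax        # 22fd4 <lzma_crc64_table>
    400b:   test   %rax,%rax
    400e:   je     4012 <lzma_crc64+0x12>
    4010:   call   *%rax
    4012:   ret'
SAMPLE_B='liblzma.so.5.6.1:     file format elf64-x86-64


Disassembly of section .text:

0000000000005000 <lzma_crc64>:
    5000:   endbr64
    5004:   mov    0x1efc9(%rip),%rax        # 23fd4 <lzma_crc64_table>
    500b:   test   %rax,%rax
    500e:   je     5012 <lzma_crc64+0x12>
    5010:   call   *%rax
    5012:   ret'
SAMPLE_C=$(printf '%s\n' "$SAMPLE_A" | sed 's/test   %rax,%rax/test   %rdx,%rdx/')

# Returns 0 when the relocated listing normalises identically to the
# original and the altered one does not.
selftest_normalize() {
    a=$(printf '%s\n' "$SAMPLE_A" | normalize_disasm)
    b=$(printf '%s\n' "$SAMPLE_B" | normalize_disasm)
    c=$(printf '%s\n' "$SAMPLE_C" | normalize_disasm)
    [ "$a" = "$b" ] && [ "$a" != "$c" ]
}

# Usage: sh compare-xz.sh xz-5.6.1-1-x86_64.pkg.tar.zst xz-5.6.1-2-x86_64.pkg.tar.zst
if [ "$#" -eq 2 ]; then
    work=$(mktemp -d)
    a=$(extract_liblzma "$1" "$work/a")
    b=$(extract_liblzma "$2" "$work/b")
    if compare_disasm "$a" "$b"; then
        echo "disassembly identical: either both carry the payload or neither does"
    else
        echo "disassembly differs: inspect the diff above"
    fi
    rm -rf "$work"
fi
```

When the two packages are reproducible builds of the same source, the raw `objdump -d` output already matches and the normalisation is a no-op; it only matters when comparing builds whose sections moved. Two caveats: `objdump -d` covers executable sections only, so a difference confined to data (a function-pointer table, an initialised string) would not appear and is worth checking separately with a per-section hash (`objcopy -O binary --only-section=<name>` piped into `sha256sum`); and, as the message itself says, an identical disassembly only tells you that both builds are in the same state, not which state that is.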