Re: backdoor in upstream xz/liblzma leading to ssh server compromise

["Rein Fernhout (Levitating)" <me () levitati ng>]

> so I would appreciate it if somebody else confirms my conclusion.

I can confirm there is no difference in the disassembly of libzlma in 
Archlinux packages 5.6.1-1 and 5.6.1-2.

This is the difference of the hexdumps as created by xxd:

48,49c48,49
< 000002f0: 0300 0000 474e 5500 71f9 a255 f686 4e44  ....GNU.q..U..ND
< 00000300: c325 3a10 dc37 9c25 c8bf b302 0000 0000  .%:..7.%........
---
> 000002f0: 0300 0000 474e 5500 69df 3c77 1c62 8668  ....GNU.i.<w.b.h
> 00000300: 86ef f245 d5b1 5834 540d f808 0000 0000  ...E..X4T.......
12804c12804
< 00032030: 2e36 2e31 2e64 6562 7567 0000 82fd 6f66  .6.1.debug....of
---
> 00032030: 2e36 2e31 2e64 6562 7567 0000 4ad1 cc28  .6.1.debug..J..(

The commit that updated the pkgrel can be seen here:

https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad

5.6.1-1 was build from the tarball found in releases but 5.6.1-2 is not.

On 2024-03-29 21:18, Alexander E. Patrakov wrote:
> On Sat, Mar 30, 2024 at 2:59 AM Alexander E. Patrakov
> <patrakov () gmail com> wrote:
> > On Sat, Mar 30, 2024 at 12:09 AM Andres Freund <andres () anarazel de> 
> > wrote:
> > > == Affected Systems ==
> > >
> > > The attached de-obfuscated script is invoked first after configure, where it
> > > decides whether to modify the build process to inject the code.
> > >
> > > These conditions include...
> > <snip>
> > > Running as part of a debian or RPM package build:
> > >     if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then
> >
> > Could you please confirm that the Arch Linux binary package was never
> > actually compromised?
>
> Answering my own question. Supposedly (as "confirmed" by
> https://lists.archlinux.org/archives/list/arch-security () lists archlinux 
> org/thread/R3HBBSVYIRTXB4O64N2WZX55BF6IIPST/),
> "package xz before version 5.6.1-2 is vulnerable". So, I downloaded
> versions 5.6.1-1 (supposedly vulnerable) and 5.6.1-2 (supposedly
> fixed) from Arch Linux Archive:
> https://archive.archlinux.org/packages/x/xz/
>
> I extracted both binary packages and disassembled the liblzma.so.5.6.1
> library contained therein using "objdump -d". The files are not
> identical, however, their disassembly is. Therefore, either both are
> trojaned, or none. Based on the "if test -f "$srcdir/debian/rules" ||
> test "x$RPM_ARCH" = "xx86_64";then" line, I think that the correct
> answer is "none", and therefore no advisory should have been created.
> But it's 4:18am here, not the best time to think, so I would
> appreciate it if somebody else confirms my conclusion.
>
> P.S. Kudos to the reproducible-builds project for making the analysis 
> that easy.