oss-sec mailing list archives
Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: "Rein Fernhout (Levitating)" <me () levitati ng>
Date: Sat, 30 Mar 2024 05:15:09 +0100
Hey Andres,

I missed the fact that you had already stated which version the .o was from.

Thanks for clearing up some confusion on my side. I did copy the wrong file (linked with crc64_fast.c). I now managed to copy ./liblzma_la-crc64-fast.o before it was deleted. With both versions my copy matches yours.

Also, I am sorry for not compressing the file earlier! I realized it just as I hit Send.

PS. It seems like Github has taken down the xz repositories. The source can still be pulled from https://git.tukaani.org/. And the malicious tarballs are archived by archive.org.

Kind regards,
Rein

On 2024-03-30 03:04, Andres Freund wrote:

Hi,

On 2024-03-30 01:08:22 +0100, Rein Fernhout (Levitating) wrote:

> > Andres, maybe you (or Florian or someone else) can post the .o file from
> > 5.61 as well (gzipped just like the previous one, please)?
>
> I think the attached liblzma_la-crc64-fast.o is taken from 5.6.1. I compiled 5.6.1 and ended up with a nearly identical object file.

I don't think so - while it was extracted by Florian, not me, I just re-extracted it from 5.6.0 and got the same result.

> When I compiled 5.6.0 I got a larger object file with additional symbols
> crc64_generic, crc64_arch_optimized and crc64_resolve.

I think it may just be confusion from the script renaming files. The symbols you mention come from the script compiling src/liblzma/check/crc64_fast.c after making some small changes, to call into the added _get_cpuid(). Whereas the attached file was the .o file that was, in very obfuscated form, committed to the repository.

The script is quite sneaky, it

1) extracts ./liblzma_la-crc64-fast.o from the archive
2) copies .libs/liblzma_la-crc64_fast.o .libs/liblzma_la-crc64-fast.o (note the .libs)
3) compiles and links the modified crc64_fast.c file together with the extracted ./liblzma_la-crc64-fast.o, outputting to .libs/liblzma_la-crc64_fast.o, using -r
4) does 2) for the 32 bit version
5) compiles the modified crc32_fast.c, outputting to .libs/liblzma_la-crc32_fast.o
6) links the shared library
7) if compilation fails, it moves .libs/liblzma_la-crc{64,32}-fast.o back to their original name, I guess to remove "evidence" of the modified output
8) removes ./liblzma_la-crc64-fast.o, .libs/liblzma_la-crc64-fast.o, .libs/liblzma_la-crc32-fast.o

If you found crc64_generic etc in liblzma_la-crc64-fast.o, you must have used the one from .libs/ somehow?

I'm attaching ./liblzma_la-crc64-fast.o for both 5.6.0 and 5.6.1. These are the files extracted from the .xz file, and should not have symbols for crc64_arch_optimized, crc64_resolve, crc64_generic but will have stuff like _get_cpuid, .crc64_generia.

When the backdoor is not active .libs/liblzma_la-crc64_fast.o has only few symbols, crc64_generic, crc64_arch_optimized, crc64_resolve.

Greetings,

Andres Freund
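
Added example, not part of either message above: a small classifier that uses the symbol names from the thread to tell which of the similarly named crc64 objects a saved copy is, working from `nm` output. The sample `nm` listings, the category labels, and the assumption that the `-r` output from step 3 defines both symbol groups are constructed for illustration.

```python
import re

# Symbol names taken from the thread above.
BUILD_SYMS = {"crc64_generic", "crc64_arch_optimized", "crc64_resolve"}
MARKER = "_get_cpuid"

def defined_symbols(nm_output):
    """Names of symbols an object defines, from default (BSD-style) nm output."""
    names = set()
    for line in nm_output.splitlines():
        m = re.match(r"^([0-9A-Fa-f]*)\s+(\S)\s+(\S+)$", line)
        # 'U', 'w', 'v' mark symbols that are referenced but not defined here.
        if m and m.group(2) not in ("U", "w", "v"):
            names.add(m.group(3))
    return names

def classify(nm_output):
    """Label an object by which of the thread's symbols it defines."""
    syms = defined_symbols(nm_output)
    has_marker = MARKER in syms
    build = BUILD_SYMS & syms
    if has_marker and not build:
        return "extracted"    # ./liblzma_la-crc64-fast.o pulled from the archive
    if has_marker and build:
        return "combined"     # assumed: step 3 output in .libs/ (both groups)
    if build == BUILD_SYMS:
        return "plain-build"  # .libs/ object when the backdoor is not active
    return "unknown"

# Constructed nm listings (addresses, types and extra names are made up).
SAMPLE_EXTRACTED = """\
0000000000000000 T _get_cpuid
0000000000000040 t example_other_sym
"""
SAMPLE_PLAIN = """\
0000000000000000 t crc64_generic
0000000000000100 t crc64_arch_optimized
0000000000000200 t crc64_resolve
                 U lzma_crc64_table
"""
SAMPLE_COMBINED = SAMPLE_PLAIN + "0000000000000300 T _get_cpuid\n"

if __name__ == "__main__":
    for name, text in [("extracted", SAMPLE_EXTRACTED),
                       ("plain", SAMPLE_PLAIN),
                       ("combined", SAMPLE_COMBINED)]:
        print(name, "->", classify(text))
```

To check a real file, pass the output of `nm <object>` to `classify()`.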