Re: backdoor in upstream xz/liblzma leading to ssh server compromise

[Michael Tokarev <mjt () tls msk ru>]

31.03.2024 23:55, Solar Designer:

> > poettering 2 days ago (2024-03-29)
> > Libselinux pulls in liblzma too and gets linked into tons more programs
> > than libsystemd. And will end up in sshd too (at the very least via
> > libpam/pam_selinux). And most of the really big distros tend do support
> > selinux at least to some level. Hence systemd or not, sshd remains
> > vulnerable by this specific attack.
> >
> > With that in mind libsystemd git dropped the dep on liblzma actually,
> > all compressors are now dlopen deps and thus only pulled in when needed.
>
> The libselinux concern is important.  I've just checked a few systems
> where libsystemd does pull liblzma, and on those libselinux does not.
> However, I guess such systems do exist too?  PAM modules would have been
> too late for the current backdoor, but the backdoor could be different
> if that were the vector it needed to target.

As has been said elsewhere, apparently libselinux dependency on liblzma
is actually an error coming from here:

https://src.fedoraproject.org/rpms/libselinux/blob/rawhide/f/libselinux.spec#_22

which is just a .spec file remnant from redhat-specific patch from some
distant past which has been dropped long ago.

/mjt