oss-sec mailing list archives

Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: Jakub Wilk <jwilk () jwilk net>
Date: Wed, 17 Apr 2024 16:38:54 +0200

* Andres Freund <andres () anarazel de>, 2024-03-29 08:51:
> d) LANG needs to be set

If timing "sshd -h" is a reliable method of checking if the backdoor is active, then this is not correct. It seems all you need is non-empty environment:

   # time env -i /usr/sbin/sshd -h 2>/dev/null

   real    0m0.009s
   user    0m0.004s
   sys     0m0.005s

   # time env -i X= /usr/sbin/sshd -h 2>/dev/null

   real    0m0.345s
   user    0m0.337s
   sys     0m0.009s

Further evidence that LANG doesn't matter:
* LANG is not on the list of extracted strings[0].
* Some folks[1][2] misspelled LANG as LC_LANG, and apparently it still worked.

[0] https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01
[1] https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
[2] https://github.com/binarly-io/binary-risk-intelligence/tree/master/xz-backdoor
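The "sshd -h" timing check above, written out as a small POSIX shell script. This is an added example, not code from the original post or from any of the linked analyses: it times the binary under `env -i` (empty environment) and under `env -i X=` (one dummy variable, as in the post) and flags the binary when the second run is markedly slower. The threshold ratio and the millisecond timer (GNU `date +%s%N`, with a python3 fallback) are my own assumptions.

```shell
#!/bin/sh
# Added example: compare the wall-clock time of "sshd -h" with an empty
# environment against a single dummy variable, the check described in the
# post. Not part of the original message; threshold and timer are assumptions.

# Millisecond wall clock. GNU date prints nanoseconds for %N; on other
# platforms the output contains a literal "N", so fall back to python3.
now_ms() {
    ns=$(date +%s%N 2>/dev/null)
    case $ns in
        *[!0-9]*|'') python3 -c 'import time; print(int(time.time()*1000))' ;;
        *) echo $(( ns / 1000000 )) ;;
    esac
}

# Run "env -i <args>" with output discarded and print the elapsed milliseconds.
# The first arguments may be VAR=value assignments, exactly as env(1) takes them.
time_ms() {
    start=$(now_ms)
    env -i "$@" >/dev/null 2>&1 || true
    end=$(now_ms)
    echo $(( end - start ))
}

# env_sensitivity BIN [RATIO]: time "BIN -h" with no environment and with one
# variable set. Prints both timings; returns 0 (suspicious) when the one-variable
# run is at least RATIO times slower (the post shows 0.009s vs 0.345s, roughly
# 38x), 1 otherwise. RATIO defaults to 10 (assumed threshold).
env_sensitivity() {
    bin=$1
    ratio=${2:-10}
    empty=$(time_ms "$bin" -h)
    nonempty=$(time_ms X= "$bin" -h)
    echo "empty env: ${empty}ms  one variable (X=): ${nonempty}ms"
    # Guard the division when the empty run finishes in under a millisecond.
    [ "$empty" -lt 1 ] && empty=1
    [ $(( nonempty / empty )) -ge "$ratio" ]
}

# Usage (run as root so sshd is the real binary being exercised):
#   . ./envcheck.sh && env_sensitivity /usr/sbin/sshd && echo "slowdown with non-empty env"
```

A large slowdown is only the symptom the post relies on; a binary that passes this check is not thereby clean, and a slow machine or a cold page cache can inflate a single run, so repeat the measurement before drawing a conclusion.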


> I am *not* a security researcher, nor a reverse engineer.

Congrats, you've just made a lot of people feel inadequate. :P

--
Jakub Wilk
