Backdoor in upstream xz/liblzma leading to SSH server compromise | Hacker News
news.ycombinator.com
quite interesting
thus FreeBSD is not affected.
delphij 1 hour ago
FreeBSD is not affected as the payloads in question were stripped out, however we are looking into improvements to our workflow to further improve the import process.
… introduced by Ed Maste on Mastodon
He also contributed code to libarchive, btw, removing a safe_printf in one case: …
Anything suspicious there? ELI5, if it's possible. Thanks.
Merge pull request #1609 from JiaT75/added_error_message_to_warning_b… · libarchive/libarchive@e37efc1
…sdtar_1561: Added error text to warning when untaring with bsdtar (github.com)
nothing nefarious
Yeah, that's what it looks like on the surface. If one does not know any better, the code will be just blindly merged. And commenters are already concerned that the changes may introduce additional vulnerabilities, because the contributor is a well-known offender, for starters.
> I wouldn't be surprised if Jia Tan and Lasse Collin are the same person.

I believe he was taken advantage of by people who wanted to take ownership of the project:
As for this link: It looks like XZ was unmaintained and unpatched for a long time, with nobody wanting to take ownership. Yeah, it takes commitment and time, which nobody had. Everybody wanted to just submit patches, but not be stewards of the project. There are implicit expectations that project stewards either don't let it languish or find a successor who at least won't make a mess of things. I guess not everybody has the guts to frame the issue for themselves, considering that the consequences for messing up can be pretty bad.
Re: [xz-devel] XZ for Java
www.mail-archive.com
… some evidence that may suggest the xz maintainer is a victim, not the malicious actor. If that is the case, they're probably going to have a real bad time with how the internet's being a mob right now. Until more facts are established, please try to keep the events and person separate and focus on the former :/
(x-post of original in https://hachyderm.io/@danderson/112182299348258318 if you don't want to load twitter)
> FreeBSD is not affected.

This was already obvious from thoroughly reading the first post about it. But then, we're not affected just because we weren't targeted. FreeBSD not being that widespread is just a soft factor making attacks less likely, but nothing that should be relied upon.
> msplsh it is in the source tarball, it gets built in when the .deb is made. But it needs glibc and systemd, so we are good (for now).

You know for sure that those backdoors in xz depend on presence of glibc and systemd? How?
The attack ultimately targets SSH. OpenSSH doesn't even depend on liblzma, but when systemd integration is patched in, it does. As for glibc, I assume it's needed for using interception features (which work differently on different platforms).
> Besides, if that were really the case, the security hole is worse than we realize, because then glibc and systemd are affected by this security bug too, by extension.

No, they're not affected, just "used".
> What would be the expected fallout if the backdoor is demonstrated to work without presence of glibc and systemd?

That's impossible. Not in general of course, but impossible for this specific backdoor.