I don't fully agree with that. You said:

~~~

What you need to know:

- It only affected the binary releases, so if you build from source, you were safe from this one

~~~

The backdoored xz was from upstream GitHub, and was ported to Debian and Fedora by building from source ... Also, the backdoor gets added to binaries by compiling them from source, since the malware is obfuscated not in the source itself but in side files included during compilation.

Then I understood that it will only trigger on x86_64, even if vulnerable xz packages were included in macOS brew, which runs almost entirely on ARM architecture.


Discussion

The CVE mentions that part of the backdoor was not in the source code. That part was in release tarballs created by the attacker. https://tukaani.org/xz-backdoor/ I don't get how this stuff gets included in Debian and Fedora. I guess they pull in tarballs too.

I was also very surprised/confused by that. But searching salsa.debian.org for liblzma doesn't turn anything up. I'm not sure why that one isn't built from source. 🤔🤷‍♂️

You aren't disagreeing with me, you are disagreeing with the person who discovered it.

Feel free to follow the link I provided and read what the person who discovered it said.

Yes, you were right. He said that the backdoor was inside (partially?) such tar files ... What is confusing me now is that he also said it gets triggered at configure and so at compile time ... And probably I don't fully know the process by which other distros (Fedora and Debian) use the xz source to build distro packages ... So probably I would need to look at such stuff ... Were such tar files sources or ready-compiled binary files? ... Need to give it a look ...
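The thread turns on one point: the malicious part lived in a release tarball created by the attacker rather than in the version-controlled source, so "building from source" only protects you if the source you build is the VCS export, not the tarball. A defender's check for exactly that situation is to diff the release tarball against an archive exported from the repository tag and list every file that was added or whose content differs. The code below is an added example written for this thread, not code from xz, Debian, Fedora or the tukaani.org write-up; the package name, file paths and file contents are constructed sample data, and the `expected_generated` allowlist is an assumed input (paths the release process is known to generate, such as an autotools `configure`) that the reviewer supplies.

```python
import hashlib
import io
import tarfile


def build_tar(files):
    """Build an in-memory .tar.gz from {path: bytes}.

    Used here only to construct sample tarballs so the example runs offline;
    in practice the two blobs come from the downloaded release tarball and
    from an archive exported from the VCS tag (e.g. `git archive <tag>`).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tar_digests(blob):
    """Map each regular file in a tarball to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            data = tf.extractfile(member).read()
            digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_release_to_vcs(release_blob, vcs_blob, expected_generated=()):
    """Report how a release tarball differs from the VCS export.

    added:    files in the release that the VCS export lacks, excluding paths
              the release process is known to generate (expected_generated);
              these are the files a tarball-only backdoor would have to use.
    modified: files present in both whose contents differ.
    missing:  files in the VCS export that the release dropped.
    Any non-empty list is a reason to inspect the tarball before building.
    """
    rel = tar_digests(release_blob)
    vcs = tar_digests(vcs_blob)
    generated = set(expected_generated)
    added = sorted(p for p in rel if p not in vcs and p not in generated)
    modified = sorted(p for p in rel if p in vcs and rel[p] != vcs[p])
    missing = sorted(p for p in vcs if p not in rel)
    return {"added": added, "modified": modified, "missing": missing}


# Constructed sample data: a VCS export and a release tarball that carries
# one extra build-time file and one altered macro file.  Names are invented.
VCS_EXPORT = build_tar({
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n",
    "pkg-1.0/configure.ac": b"AC_INIT([pkg], [1.0])\n",
    "pkg-1.0/m4/helper.m4": b"dnl helper macro\n",
})

RELEASE_TARBALL = build_tar({
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n",
    "pkg-1.0/configure.ac": b"AC_INIT([pkg], [1.0])\n",
    "pkg-1.0/m4/helper.m4": b"dnl helper macro (changed in tarball only)\n",
    "pkg-1.0/configure": b"#!/bin/sh\n# generated by autoconf\n",
    "pkg-1.0/m4/extra.m4": b"dnl only exists in the release tarball\n",
})

# Paths the release process is expected to generate; assumed input.
EXPECTED_GENERATED = ("pkg-1.0/configure",)


def sample_report():
    """Run the comparison on the constructed tarballs."""
    return compare_release_to_vcs(RELEASE_TARBALL, VCS_EXPORT, EXPECTED_GENERATED)


if __name__ == "__main__":
    for kind, paths in sample_report().items():
        print(f"{kind}: {paths or '-'}")
```

The allowlist is deliberately an explicit input rather than a pattern match: a release process that generates `configure` is normal, but a newly appearing file under `m4/` or anywhere else is exactly what a reviewer should have to look at by hand, and a content mismatch in a file that also exists in the repository is never expected from a clean export.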