Backdoor in upstream xz/liblzma leading to SSH server compromise

Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 &amp; 41 because of it&#x27;s &quot;great new features&quot;. We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added). We had to race last night to fix the problem after an inadvertent break of the embargo.<p>He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.

Fascinating. Just yesterday the author added a `SECURITY.md` file to the `xz-java` project.<p>&gt; If you discover a security vulnerability in this project please report it privately. *Do not disclose it as a public issue.* This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.<p>Reading that in a different light, it says give me time to adjust my exploits and capitalize on any targets. Makes me wonder what other vulns might exist in the author&#x27;s other projects.

Looks like one of the backdoor authors even went and disabled the feature the exploit relied on directly on oss-fuzz to prevent accidental discovery: <a href="https:&#x2F;&#x2F;social.treehouse.systems&#x2F;@Aissen&#x2F;112180302735030319" rel="nofollow">https:&#x2F;&#x2F;social.treehouse.systems&#x2F;@Aissen&#x2F;112180302735030319</a> <a href="https:&#x2F;&#x2F;github.com&#x2F;google&#x2F;oss-fuzz&#x2F;pull&#x2F;10667">https:&#x2F;&#x2F;github.com&#x2F;google&#x2F;oss-fuzz&#x2F;pull&#x2F;10667</a><p>But luckily there was some serendipity: &quot;I accidentally found a security issue while benchmarking postgres changes.&quot; <a href="https:&#x2F;&#x2F;mastodon.social&#x2F;@AndresFreundTec&#x2F;112180083704606941" rel="nofollow">https:&#x2F;&#x2F;mastodon.social&#x2F;@AndresFreundTec&#x2F;112180083704606941</a>

I&#x27;ve long since said that if you want to hide something nefarious you&#x27;d do that in the GNU autoconf soup (and not in &quot;curl | sh&quot; scripts).<p>Would be interesting to see what&#x27;s going on here; the person who did the releases has done previous releases too (are they affected?) And has commits going back to 2022 – relatively recent, but not <i>that</i> recent. Many are real commits with real changes, and they have commits on some related projects like libarchive. Seems like a lot of effort just to insert a backdoor.<p><i>Edit</i>: anyone with access can add files to existing releases and it won&#x27;t show that someone else added it (I just tested). However, the timestamp of the file will be to when you uploaded it, not that of the release. On xz all the timestamps of the files match with the timestamp of the release (usually the .tar.gz is a few minutes earlier, which makes sense). So looks like they were done by the same person who did the release. I suspected someone else might have added&#x2F;altered the files briefly after the release before anyone noticed, but that doesn&#x27;t seem to be the case.

For those panicking, here are some key things to look for, based on the writeup:<p>- A very recent version of liblzma5 - 5.6.0 or 5.6.1. This was added in the last month or so. If you&#x27;re not on a rolling release distro, your version is probably older.<p>- A debian or RPM based distro of Linux on x86_64. In an apparent attempt to make reverse engineering harder, it does not seem to apply when built outside of deb or rpm packaging. It is also specific to Linux.<p>- Running OpenSSH sshd from systemd. OpenSSH as patched by some distros only pulls in libsystemd for logging functionality, which pulls in the compromised liblzma5.<p>Debian testing already has a version called &#x27;5.6.1+really5.4.5-1&#x27; that is really an older version 5.4, repackaged with a newer version to convince apt that it is in fact an upgrade.<p>It is possible there are other flaws or backdoors in liblzma5, though.

I hope Lasse Collin is doing OK! Here is a older message from him [1]<p>&quot;I haven&#x27;t lost interest but my ability to care has been fairly limited mostly due to longterm mental health issues but also due to some other things. Recently I&#x27;ve worked off-list a bit with Jia Tan on XZ Utils and perhaps he will have a bigger role in the future, we&#x27;ll see.<p>It&#x27;s also good to keep in mind that this is an unpaid hobby project. &quot;<p>Github (Microsoft) are in a unique position to figure out if his account is hacked or not, and find a way to reach him. I hope they reach out and offer him some proper support! Economic support (if that&#x27;s needed), or just help clearing his name.<p>This is another tale of how we are building multi trillion dollar industries on the back of unpaid volunteers. It&#x27;s not github &#x27;job&#x27;, and many other organisations have benefited even more from Lasses work, but they are in a unique position, and would be literally pocket change for them.<p>1:<a href="https:&#x2F;&#x2F;www.mail-archive.com&#x2F;xz-devel@tukaani.org&#x2F;msg00567.html" rel="nofollow">https:&#x2F;&#x2F;www.mail-archive.com&#x2F;xz-devel@tukaani.org&#x2F;msg00567.h...</a>

A couple of years ago I wrote a Go library that wraps the xz C code and allows you to do xz compression in Go: <a href="https:&#x2F;&#x2F;github.com&#x2F;jamespfennell&#x2F;xz">https:&#x2F;&#x2F;github.com&#x2F;jamespfennell&#x2F;xz</a><p>About a week ago I received the first PR on that repo, to upgrade to 5.6.1. I thought it was odd to get such a random PR...it&#x27;s not the same GitHub account as upstream though.

<p><pre><code> I am *not* a security researcher, nor a reverse engineer. There&#x27;s lots of stuff I have not analyzed and most of what I observed is purely from observation rather than exhaustively analyzing the backdoor code.</code></pre> I love this sort of technical writing from contributors outside the mainstream debugging world who might be averse to sharing. What an excellently summarized report of his findings that should be seen as a template.

Related ongoing threads:<p><i>Xz: Disable ifunc to fix Issue 60259</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39869718">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39869718</a><p><i>FAQ on the xz-utils backdoor</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39869068">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39869068</a><p><i>Everything I Know About the XZ Backdoor</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39868673">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39868673</a>

Out of curiosity I looked at the list of followers of the account who committed the backdoor.<p>Randomly picked <a href="https:&#x2F;&#x2F;github.com&#x2F;Neustradamus">https:&#x2F;&#x2F;github.com&#x2F;Neustradamus</a> and looked at all their contributions.<p>Interestingly enough, they got Microsoft to upgrade ([0],[1]) `vcpkg` to liblzma 5.6.0 3 weeks ago.<p>[0] <a href="https:&#x2F;&#x2F;github.com&#x2F;microsoft&#x2F;vcpkg&#x2F;issues&#x2F;37197">https:&#x2F;&#x2F;github.com&#x2F;microsoft&#x2F;vcpkg&#x2F;issues&#x2F;37197</a><p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;microsoft&#x2F;vcpkg&#x2F;pull&#x2F;37199">https:&#x2F;&#x2F;github.com&#x2F;microsoft&#x2F;vcpkg&#x2F;pull&#x2F;37199</a>

Imagine a more competent backdoor attempt on xz(1)—one that wouldn&#x27;t have been noticed this quickly. xz is everywhere. They could pull off a &quot;reflections on trusting trust&quot;: an xz which selectively modifies a tiny subset of the files it sees, like .tar.xz software tarballs underlying certain build processes. Not source code tarballs (someone might notice)—tarballs distributing pre-compiled binaries.<p>edit to add: Arch Linux&#x27; entire package system used to run on .tar.xz binaries (they switched to Zstd a few years ago [0]).<p>[0] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=19478171">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=19478171</a> (<i>&quot;Arch Linux propose changing compression method from xz to zstd (archlinux.org)&quot;</i>)

Unfortunately, this is how <i>good</i> bad actors work: with a very long-term point of view. There is no “harmless” project any more.

Looks like Lasse Collin has commented on LKML: <a href="https:&#x2F;&#x2F;lkml.org&#x2F;lkml&#x2F;2024&#x2F;3&#x2F;30&#x2F;188" rel="nofollow">https:&#x2F;&#x2F;lkml.org&#x2F;lkml&#x2F;2024&#x2F;3&#x2F;30&#x2F;188</a><p>Also, some info here: <a href="https:&#x2F;&#x2F;tukaani.org&#x2F;xz-backdoor&#x2F;" rel="nofollow">https:&#x2F;&#x2F;tukaani.org&#x2F;xz-backdoor&#x2F;</a>

The terrifying part is that this was primarily found because the backdoor was poorly made and causing performance problems.<p>Makes you wonder what more competent actors can do.

Funny how Lasse Collin started to ccing himself and Jia Tan from 2024-03-20 (that was a day of tons of xz kernel patches), he never did that before. :)<p><a href="https:&#x2F;&#x2F;lore.kernel.org&#x2F;lkml&#x2F;20240320183846.19475-2-lasse.collin@tukaani.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;lore.kernel.org&#x2F;lkml&#x2F;20240320183846.19475-2-lasse.co...</a>

My favorite part was the analysis of &quot;I&#x27;m not really a security researcher or reverse engineer but here&#x27;s a complete breakdown of exactly how the behavior changes.&quot;<p>You only get this kind of humility when you&#x27;re working with absolute wizards on a consistent basis.

That&#x27;s completely crazy, the backdoor is introduced through a very cryptic addition to the configure script. Just looking at the diff, it doesn&#x27;t look malicious at all, it looks like build script gibberish.

So when are we going to stop pretending that OSS maintainers&#x2F;projects are reaping what they sow when they &quot;work for free&quot; and give away their source code away using OSS licensed software, while large companies profit off of them? If they were paid more (or in some cases even actually paid), then they could afford to quit their day jobs, reducing burn out, they could actually hire a team of trusted vetted devs instead of relying on the goodwill of strangers who step up &quot;just to help them out&quot; and they could pay security researchers to vet their code.<p>Turns out burned out maintainers are a great attack vector and if you are willing to play the long game you can ingratiate yourself with the community with your seemingly innocuous contributions.

The discussion to upload it to Debian is interesting on its own <a href="https:&#x2F;&#x2F;bugs.debian.org&#x2F;cgi-bin&#x2F;bugreport.cgi?bug=1067708" rel="nofollow">https:&#x2F;&#x2F;bugs.debian.org&#x2F;cgi-bin&#x2F;bugreport.cgi?bug=1067708</a>

I&#x27;d love to be at Microsoft right now and have the power to review this user&#x27;s connection history to Github, even though VPN exists, many things can be learned from connection habits, links to ISPs, maybe even guess if VPNs were used, roundtrip time on connections can give hints.<p>I really don&#x27;t think some random guy wants to weaken ssh just to extract some petty ransomware cash from a couple targets.

<a href="https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;tukaani-project.github.io&#x2F;commit&#x2F;42fbb038b4f36c9d1830144bafa6c9d0d101aaa9#diff-0eb547304658805aad788d320f10bf1f292797b5e6d745a3bf617584da017051R83-R87">https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;tukaani-project.github.io...</a><p>&gt; Note: GitHub automatically includes two archives Source code (zip) and Source code (tar.gz) in the releases. These archives cannot be disabled and should be ignored.<p>The author was thinking ahead! Latest commit hash for this repo: 8a3b5f28d00ebc2c1619c87a8c8975718f12e271

Jia Tan &quot;cleaned up&quot; in all their ZSTD branches some hours ago, probably hiding something <a href="https:&#x2F;&#x2F;github.com&#x2F;JiaT75&#x2F;zstd&#x2F;branches&#x2F;all">https:&#x2F;&#x2F;github.com&#x2F;JiaT75&#x2F;zstd&#x2F;branches&#x2F;all</a>

Comment from Andres Freund on how and why he found it [0] and more information on the LWN story about the backdoor. Recommend people read this to see how close we came (and think about what this is going to mean for the future).<p>[0] <a href="https:&#x2F;&#x2F;lwn.net&#x2F;Articles&#x2F;967194&#x2F;" rel="nofollow">https:&#x2F;&#x2F;lwn.net&#x2F;Articles&#x2F;967194&#x2F;</a>

A mirror of the offending repository created by someone else is available at [1]. GitHub should be keeping the evidence in the open (even if just renamed or archived in a safer format) instead of deleting it&#x2F;hiding it away.<p>The offending tarball for v5.6.1 is easier to find, an example being.[2]<p>m4&#x2F;.gitignore was updated 2 weeks ago to hide build-to-host.m4 that is only present in the release tarball and is used to inject the backdoor at build time.[3]<p>[1] <a href="https:&#x2F;&#x2F;git.phial.org&#x2F;d6&#x2F;xz-analysis-mirror" rel="nofollow">https:&#x2F;&#x2F;git.phial.org&#x2F;d6&#x2F;xz-analysis-mirror</a><p>[2] <a href="https:&#x2F;&#x2F;mirrors.xtom.ee&#x2F;gentoo&#x2F;distfiles&#x2F;9f&#x2F;xz-5.6.1.tar.gz" rel="nofollow">https:&#x2F;&#x2F;mirrors.xtom.ee&#x2F;gentoo&#x2F;distfiles&#x2F;9f&#x2F;xz-5.6.1.tar.gz</a><p>[3] <a href="https:&#x2F;&#x2F;git.phial.org&#x2F;d6&#x2F;xz-analysis-mirror&#x2F;commit&#x2F;4323bc3e0c1e1d2037d5e670a3bf6633e8a3031e" rel="nofollow">https:&#x2F;&#x2F;git.phial.org&#x2F;d6&#x2F;xz-analysis-mirror&#x2F;commit&#x2F;4323bc3e0...</a>

This gist summarizes the current situation very well: <a href="https:&#x2F;&#x2F;gist.github.com&#x2F;thesamesam&#x2F;223949d5a074ebc3dce9ee78baad9e27" rel="nofollow">https:&#x2F;&#x2F;gist.github.com&#x2F;thesamesam&#x2F;223949d5a074ebc3dce9ee78b...</a><p>Definitely looking like they were most likely some sort of state actor. This is very well done and all in plain sight. It&#x27;s reassuring that it was discovered but given a simple audit of the release build artifacts would have raised alarms, how prevalent is this behavior in other projects? Terrifying stuff.

A lot of eyes will be dissecting this specific exploit, and investigating this specific account, but how can we find the same kind of attack in a general way if it’s being used in other projects and using other contributor names?

NixOS&#x2F;Pkgs 23.11 unaffected, unstable contains backdoored implementations (5.6.0, 5.6.1) but their OpenSSH sshd does not seem to link against systemd&#x2F;liblzma, and the backdoor doesn&#x27;t get configured in (only happens on .deb&#x2F;.rpm systems).

I looked at the differences between the GitHub repository and released packages. About 60 files are in a release package that are not in the repo (most are generated files for building) but also some of the .po files have changes.<p>That&#x27;s devastating.<p>If you don&#x27;t build your release packages from feeding &quot;git ls-files&quot; into tar, you are doing it wrong.

The latest commit from the user who committed those patches is weirdly a simplification of the security reporting process, to not request as much detail:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;xz&#x2F;commit&#x2F;af071ef7702debef4f1d324616a0137a5001c14c">https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;xz&#x2F;commit&#x2F;af071ef7702debe...</a><p>Not sure what to make of this.

&gt; &quot;Docs: Simplify SECURITY.md.&quot;<p><a href="https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;xz&#x2F;commit&#x2F;af071ef7702debef4f1d324616a0137a5001c14c">https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;xz&#x2F;commit&#x2F;af071ef7702debe...</a><p>Removes instructions about details relevant to security reports. Heh, nice one.

It looks like the person who added the backdoor is in fact the current co-maintainer of the project (and the more active of the two): <a href="https:&#x2F;&#x2F;tukaani.org&#x2F;about.html" rel="nofollow">https:&#x2F;&#x2F;tukaani.org&#x2F;about.html</a>

Why has Github disabled the (apparently official) xz repository, but left the implicated account open to the world? It makes getting caught up on the issue pretty difficult, when GitHub has revoked everyone&#x27;s access to see the affected source code.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;xz">https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;xz</a> vs <a href="https:&#x2F;&#x2F;github.com&#x2F;JiaT75">https:&#x2F;&#x2F;github.com&#x2F;JiaT75</a>

The author (Jia Tan) also changed the xz.tukaani.org (actually the github.io, where the main contributor is, surprise, also them) release description to state all new releases are signed by their OpenPGP key. I&#x27;d guess that was one of the first steps to a complete project takeover.<p>I hope Lasse Collin still has control of his accounts, though the CC on the kernel mailing list looks kind of suspicious to me.

The backdoor is not in the C source directly, but a build script uses data from files in the test dir to only create the backdoor in the release tars. Did I summarize that correctly?

&quot;Amazon Linux customers are not affected by this issue, and no action is required. AWS infrastructure and services do not utilize the affected software and are not impacted. Users of Bottlerocket are not affected.&quot;<p><a href="https:&#x2F;&#x2F;aws.amazon.com&#x2F;security&#x2F;security-bulletins&#x2F;AWS-2024-002&#x2F;" rel="nofollow">https:&#x2F;&#x2F;aws.amazon.com&#x2F;security&#x2F;security-bulletins&#x2F;AWS-2024-...</a>

The best part is everyone disabling security tests that started failing

I read through the entire report and it gradually got more interesting. Then, I got to the very end, saw Andres Freund&#x27;s name, and it put a smile on my face. :)<p>Who else would have run a PostgreSQL performance benchmark and discover a major security issue in the process?

This is another proof that systemd is an anti-pattern for security: with its crawling and ever growing web of dependencies, it extends the surface of vulnerability to orders of magnitude, and once embraced not even large distro communities can defend you from that.<p>A malware code injection in upstream xz-tools is a vector for remote exploitation of the ssh daemon due to a dependency on systemd for notifications and due to systemd&#x27;s call to dlopen() liblzma library (CVE-2024-3094). The resulting build interferes with authentication in sshd via systemd.

For bad-3-corrupt_lzma2.xz, the claim was that &quot;the original files were generated with random local to my machine. To better reproduce these files in the future, a constant seed was used to recreate these files.&quot; with no indication of what the seed was.<p>I got curious and decided to run &#x27;ent&#x27; <a href="https:&#x2F;&#x2F;www.fourmilab.ch&#x2F;random&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.fourmilab.ch&#x2F;random&#x2F;</a> to see how likely the data in the bad stream was to be random. I used some python to split the data into 3 streams, since it&#x27;s supposed to be the middle one that&#x27;s &quot;bad&quot;:<p>I used this regex to split in python, and wrote to &quot;tmp&quot;:<p><pre><code> re.split(b&#x27;\xfd7zXZ&#x27;, x) </code></pre> I manually used dd and truncate to strip out the remaining header and footer according to the specification, which left 48 bytes:<p><pre><code> $ ent tmp2 # bad file payload Entropy = 4.157806 bits per byte. Optimum compression would reduce the size of this 48 byte file by 48 percent. Chi square distribution for 48 samples is 1114.67, and randomly would exceed this value less than 0.01 percent of the times. Arithmetic mean value of data bytes is 51.4167 (127.5 = random). Monte Carlo value for Pi is 4.000000000 (error 27.32 percent). Serial correlation coefficient is 0.258711 (totally uncorrelated = 0.0). $ ent tmp3 # urandom Entropy = 5.376629 bits per byte. Optimum compression would reduce the size of this 48 byte file by 32 percent. Chi square distribution for 48 samples is 261.33, and randomly would exceed this value 37.92 percent of the times. Arithmetic mean value of data bytes is 127.8125 (127.5 = random). Monte Carlo value for Pi is 3.500000000 (error 11.41 percent). Serial correlation coefficient is -0.067038 (totally uncorrelated = 0.0). </code></pre> The data does not look random. From <a href="https:&#x2F;&#x2F;www.fourmilab.ch&#x2F;random&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.fourmilab.ch&#x2F;random&#x2F;</a> for the Chi-square Test, &quot;We interpret the percentage as the degree to which the sequence tested is suspected of being non-random. If the percentage is greater than 99% or less than 1%, the sequence is almost certainly not random. If the percentage is between 99% and 95% or between 1% and 5%, the sequence is suspect. Percentages between 90% and 95% and 5% and 10% indicate the sequence is “almost suspect”.&quot;

All these older (4.x, 5.0.x etc) releases that were suddenly uploaded a few months ago should probably also be considered suspect: <a href="https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;tukaani-project.github.io&#x2F;commit&#x2F;071a8acf097e11b659f6d7eb0f3b2e5e8934de0e">https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;tukaani-project.github.io...</a>

Here&#x27;s a handy bash script I threw together to audit any docker containers you might be running on your machine. It&#x27;s hacky, but will quickly let you know what version, if any, of xz, is running in your docker containers.<p>``` #!&#x2F;bin&#x2F;bash<p># Get list of all running Docker containers containers=$(docker ps --format &quot;{{.Names}}&quot;)<p># Loop through each container for container in $containers; do # Get container image image=$(docker inspect --format=&#x27;{{.Config.Image}}&#x27; &quot;$container&quot;)<p><pre><code> # Execute xz --version inside the container version=$(docker exec &quot;$container&quot; xz --version) # Write container name, image, and command output to a text file echo &quot;Container: $container&quot; &gt;&gt; docker_container_versions.txt echo &quot;Image: $image&quot; &gt;&gt; docker_container_versions.txt echo &quot;xz Version:&quot; &gt;&gt; docker_container_versions.txt echo &quot;$version&quot; &gt;&gt; docker_container_versions.txt echo &quot;&quot; &gt;&gt; docker_container_versions.txt </code></pre> done<p>echo &quot;Output written to docker_container_versions.txt&quot; ```

Sadly this is exactly one of the cases where open source is much more vulnerable to a state actor sponsored attack than proprietary software. (it is also easier to find such backdoors in OS software but that&#x27;s BTW)<p>Why? Well, consider this, to &quot;contribute&quot; to a proprietary project you need to get hired by a company, go through their he. Also they have to be hiring in the right team etc. Your operative has to be in a different country, needs a CV that checks out, passports&#x2F;ids are checked etc.<p>But to contribute to an OS project? You just need an email address. Your operative sends good contributions until they build trust, then they start introducing backdoors in the part of the code &quot;no one, but them understands&quot;.<p>The cost of such attack is a lot lower for a state actor so we have to assume every single OS project that has a potential to get back doored had many attempts of doing so. (proprietary software too, but as mentioned, this is much more expensive)<p>So what is the solution? IDK, but enforcing certain &quot;understandability&quot; requirements can be a part of it.

It&#x27;s wild that this could have laid dormant for far longer if the exploit was better written-- if it didn&#x27;t spike slow down logins or disturb valgrind.

So many security companies publishing daily generic blog posts about &quot;serious supply chain compromises&quot; in various distros on packages with 0 downloads, and yet it takes a developer debugging performance issues to find an actual compromise.<p>I worked in the software supply chain field and cannot resist feeling the entire point of that industry is to make companies pay for a security certificate so you can shift the blame onto someone else when things go wrong.

List of pull request requesting the updating to liblzma 5.6.0 [0]<p>I wonder what amount of scrutiny all the accounts that proposed the upgrade should be put under.<p>[0] <a href="https:&#x2F;&#x2F;github.com&#x2F;search?q=liblzma+5.6.0&amp;type=pullrequests">https:&#x2F;&#x2F;github.com&#x2F;search?q=liblzma+5.6.0&amp;type=pullrequests</a>

When I search for &quot;digital masquerade&quot; on Google, the first result is a book with this title from the author Jia Tan. I assume that is how the attackers got their fake name. Or they think using this author&#x27;s name is a joke.

A lot of software (including <a href="https:&#x2F;&#x2F;gitlab.com&#x2F;openconnect&#x2F;openconnect" rel="nofollow">https:&#x2F;&#x2F;gitlab.com&#x2F;openconnect&#x2F;openconnect</a> of which I&#x27;m a maintainer) uses libxml2, which in turn transitively links to libzma, using it to load and store <i>compressed</i> XML.<p>I&#x27;m not *too* worried about OpenConnect given that we use `libxml2` only to read and parse <i>uncompressed</i> XML…<p>But I am wondering if there has been any statement from libxml2 devs (they&#x27;re under the GNOME umbrella) about potential risks to libxml2 and its users.

Potentially malicious commit by same author on libarchive: <a href="https:&#x2F;&#x2F;github.com&#x2F;libarchive&#x2F;libarchive&#x2F;pull&#x2F;1609">https:&#x2F;&#x2F;github.com&#x2F;libarchive&#x2F;libarchive&#x2F;pull&#x2F;1609</a>

Summary: &quot;The upstream xz repository and the xz tarballs have been backdoored.&quot;<p>It is known to be in version 5.6.0 and 5.6.1, and the obfuscated code is found in the test directory.

Since GitHub disabled the repos.. I uploaded all GitHub Events from the two suspected users and from their shared project repo as easy to consume CSV files:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;emirkmo&#x2F;xz-backdoor-github">https:&#x2F;&#x2F;github.com&#x2F;emirkmo&#x2F;xz-backdoor-github</a><p>For those who want to see the GitHub events (commits, comments, pull_requets, diffs, etc.)

Very strange behavior from the upstream developers. Possible government involvement? I have a feeling LANG is checked to target servers from particular countries

If you have a recently updated NixOS unstable it has the affected version:<p><pre><code> $ xz --version xz (XZ Utils) 5.6.1 liblzma 5.6.1 </code></pre> EDIT: I&#x27;ve been informed on the NixOS matrix that they are 99% sure NixOS isn&#x27;t affected, based on conversations in #security:nixos.org

Personally, I use lzip ever since I read <a href="https:&#x2F;&#x2F;www.nongnu.org&#x2F;lzip&#x2F;xz_inadequate.html" rel="nofollow">https:&#x2F;&#x2F;www.nongnu.org&#x2F;lzip&#x2F;xz_inadequate.html</a> Seems like the complexity of XZ has backfired severely, as expected.

This potentially could be a full automated rootkit type breach right? Great - is any system with 5.6.1 possibly vulnerable?<p>Also super weird a contributor thought they could slip this in and not have it be noticed at some point. It may point to burning that person (aka, they go to jail) for whatever they achieved with this. (And whoever they are…)

This was only a matter of time. Open source projects are under-staffed, maintainers are overworked and burned out, and everyone relies on the goodwill of all actors.<p>Obviously a bad actor will make use of these conditions and the assumption of good will.<p>We need automated tooling to vet for stuff like this. And maybe migrate away from C&#x2F;C++ while we are at it because they don&#x27;t make such scanning easy at all.

Wouldn’t be surprised that the ssh auth being made slower was deliberate - that makes it fairly easy to index all open ssh servers on the internet, then to see which ones get slower to fail preauth as they install the backdoor

people are mis-reading the Debian bug report: <a href="https:&#x2F;&#x2F;bugs.debian.org&#x2F;cgi-bin&#x2F;bugreport.cgi?bug=1067708" rel="nofollow">https:&#x2F;&#x2F;bugs.debian.org&#x2F;cgi-bin&#x2F;bugreport.cgi?bug=1067708</a><p>it wasn&#x27;t the apparently newly-created identity &quot;Hans Jansen&quot; just <i>asking</i> for a new version to be uploaded, it was &quot;Hans Jansen&quot; <i>providing</i> a new version to be uploaded as a non-maintainer-upload - Debian-speak for &quot;the maintainer is AWOL, someone else is uploading their package&quot;. if &quot;Hans Jansen&quot; is another attacker then they did this cleverly, providing the new - compromised - upstream tarballs in an innocent-looking way and avoiding anyone examining the upstream diff.

Looking at how many requests to update to the backdoored version have been made, I wonder if the fact that many people (including developers) have been conditioned to essentially accept updates as &quot;always-good&quot; is a huge contributing factor in how easy it is to spread something like this.<p>The known unknowns can be better than the unknown unknowns.

Looks like GitHub has suspended access to the repository, which while it protects against people accidentally compiling and using the code, but certainly complicates forensic analysis for anyone who doesn&#x27;t have a clone or access to history (which is what I think a lot of people will be doing now to understand their exposure).

It seems like based on the (very well written) analysis that this is a way to bypass ssh auth, not something that phones out which would&#x27;ve been even scarier.<p>My server runs arch w&#x2F; a LTS kernel (which sounds dumb on the surface, but was by far the easiest way to do ZFS on Linux that wasn&#x27;t Ubuntu) and it seems that since I don&#x27;t have SSH exposed to the outside internet for good reason, and my understanding is Arch never patched shhd to begin with that I and most people who would be in similar situations to me are unaffected.<p>Still insane that this happened to begin with, and I feel bad for the Archlinux maintainers who are now going to feel more pressure to try to catch things like this.

Interesting commit in January where the actual OpenPGP key was changed: <a href="https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;tukaani-project.github.io&#x2F;commit&#x2F;76f58f1e14e44d69f712841090d331437c187b30">https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;tukaani-project.github.io...</a>

&gt; <i>I am *not* a security researcher, nor a reverse engineer.</i><p>Could have fooled me - impressive write-up!

Github making suspect repository private and hiding recent account activity is wrong move and is interfering with citizens investigation efforts.

I think the lesson here for packagers is that binary testdata should not be present while doing the build.<p>It is too easy to hide things in testdata.

Mirror of the report, since the Openwall servers appear to be down.<p><a href="https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20240329182300&#x2F;https:&#x2F;&#x2F;www.openwall.com&#x2F;lists&#x2F;oss-security&#x2F;2024&#x2F;03&#x2F;29&#x2F;4" rel="nofollow">https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20240329182300&#x2F;https:&#x2F;&#x2F;www.openw...</a>

Debian is considering that their infrastructure may be compromised[1].<p>[1] <a href="https:&#x2F;&#x2F;fulda.social&#x2F;@Ganneff&#x2F;112184975950858403" rel="nofollow">https:&#x2F;&#x2F;fulda.social&#x2F;@Ganneff&#x2F;112184975950858403</a>

Looks like Arch Linux shipped both compromised versions - and 5.6.1-2 is out to hopefully resolve it.

Incredible. It&#x27;s like discovering your colleague for 2 years at the secret nuclear weapon facility is a spy for another country, covering his tracks until the very last minute. Feels like a Hollywood movie is coming up.<p>Should we start doing background checks on all committers to such critical IT infrastructure?

@people who write github scanners for updates and security issues (dependabot and the like)<p>Can we start including a blacklist of emails and names of contributors (with reasons&#x2F;links to discussions)?<p>I can&#x27;t track them and I don&#x27;t want them in my projects.<p>Might not be very helpful as it is easy to create new identities, but I see no reason to make it easier for them. Also, I might approach differently someone with lots of contributions to known projects than a new account, so it still helps.

Github should probably remove the dopamine hits of green checkmarks etc. like in serious stock broker apps

There&#x27;s good discussion of the timeline here: <a href="https:&#x2F;&#x2F;boehs.org&#x2F;node&#x2F;everything-i-know-about-the-xz-backdoor" rel="nofollow">https:&#x2F;&#x2F;boehs.org&#x2F;node&#x2F;everything-i-know-about-the-xz-backdo...</a>

&gt; openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.<p>It looks to be limited to Linux systems that are running certain patches. macOS and BSD seem unaffected?

Is the solution against such attacks in the future only to scrutinize more, or are there other reasonable options in terms of hardening?

&gt; One portion of the backdoor is <i>solely in the distributed tarballs</i>. For easier reference, here&#x27;s a link to debian&#x27;s import of the tarball, but it is also present in the tarballs for 5.6.0 and 5.6.1:<p>Ubuntu 22.04 version:<p>dpkg -l |grep liblzma ii liblzma5:amd64 5.2.5-2ubuntu1 amd64 XZ-format compression library<p>Whew!

Is this a crime? Has anyone been prosecuted for adding a backdoor like this?

Kinda relevant, as I saw few comments about how safer languages are the solution.<p>Here[0] is a very simple example, that shows how easy such supply chain attacks are in Rust; and lets not forget that there was a very large python attack just a few days ago[1].<p>[0] - <a href="https:&#x2F;&#x2F;github.com&#x2F;c-skills&#x2F;rust1">https:&#x2F;&#x2F;github.com&#x2F;c-skills&#x2F;rust1</a><p>[1] - <a href="https:&#x2F;&#x2F;checkmarx.com&#x2F;blog&#x2F;over-170k-users-affected-by-attack-using-fake-python-infrastructure&#x2F;" rel="nofollow">https:&#x2F;&#x2F;checkmarx.com&#x2F;blog&#x2F;over-170k-users-affected-by-attac...</a>

Keeps one wonder how many similar backdoors are there in the wild. What is the best way to execute such a move? This is sophisticated enough, but not good enough to stay unnoticed for a long while. If I were a state actor I&#x27;d think about at least 6-12 months.

Both <a href="https:&#x2F;&#x2F;github.com&#x2F;tukaani-project">https:&#x2F;&#x2F;github.com&#x2F;tukaani-project</a> members accounts have been suspended. (to see that, you can list the followers of each account).

Jai Tan&#x27;s commit history on his github profile suggests he took off for Christmas, new years, and spring break. I smell an American.

Quite ironic: The most recent commit in the git repo is &quot;Simplify SECURITY.md&quot;, committed by the same Github account which added the backdoor.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;xz&#x2F;commit&#x2F;af071ef7702debef4f1d324616a0137a5001c14c">https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;xz&#x2F;commit&#x2F;af071ef7702debe...</a>

This is exactly why I fight the windmills so hard when it comes automatic updates in Linux software.<p>So much damage is caused just by adding a single maintainer to a project - imagine how much power you would have to wield the remote execution systems put in place by naive developers for &quot;automatic updates&quot;.<p>All it takes is a single malicious maintainer given access to the new version update of some popular user software, and they have a new botnet of thousands of devices at their disposal. Better yet, after the backdoor installation, they can just release the <i>real</i> update and cover their tracks forever.<p>Automatic updates are like running web applications, but without any sandboxing or protection usually implemented by the browser.

I hope mainstream news cover this so the general population can understand the issue with our software ecoysystems reliance on unpaid open-source maintainers

&gt; Red Hat assigned this issue CVE-2024-3094.<p>Does that mean this affects RHEL and Fedora?

Given the recent ( not so recent ) attacks&#x2F;&quot;bugs&quot; I feel there is a need to do more than the already hard task of investigating and detecting attacks but also to bring IRL consequences to these people.<p>My understanding is that right now it&#x27;s pretty much a name and shame of people who most of the time aren&#x27;t even real &quot;people&quot; but hostile agents either working for governments or criminal groups ( or both )<p>Getting punched in the face is actually a necessary human condition for a healthy civilization.

&gt; openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.<p>The systemd notification protocol could have been as simple as just writing a newline to a pipe, but instead you have to link to the libsystemd C library, so now security-critical daemons like openssh have additional dependencies like liblzma loaded into their address space (even if you don&#x27;t use systemd as PID 1), increasing the risks of supply chain attacks. Thanks, systemd.

xz is so pervasive, I just discovered on my Mac that the (affected?) version 5.6.1 made it into homebrew. The post in the linked article says that only Linux x86-64 systems are affected, but now I&#x27;m left scratching my head whether my Mac is also in trouble, just that we don&#x27;t know it yet.

The two active maintainers seem to be: Lasse Collin &lt;lasse.collin@tukaani.org&gt; and Jia Tan &lt;jiat0218@gmail.com&gt;<p>Searching DDG for &quot;jiat0218&quot; I came across a blog post which I found weird. Seems to be dated: 2006-05-03<p>Blog post: &quot;Kuso拍賣．有靈氣的筷子 - 闕小豪&quot; &lt;<a href="https:&#x2F;&#x2F;char.tw&#x2F;blog&#x2F;post&#x2F;24397301" rel="nofollow">https:&#x2F;&#x2F;char.tw&#x2F;blog&#x2F;post&#x2F;24397301</a>&gt;<p>Internet Archive link: &lt;<a href="https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20240329182713&#x2F;https:&#x2F;&#x2F;char.tw&#x2F;blog&#x2F;post&#x2F;24397301" rel="nofollow">https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20240329182713&#x2F;https:&#x2F;&#x2F;char.tw&#x2F;b...</a>&gt;<p>The contents of the page when translated seems to be about jiat0218 auctioning a pair of spiritual chopsticks as a prank.<p>The blog entry is basically a QA between jiat0218 and various other people about these chopsticks.<p>If Jia Tan does turn out to be a compromised maintainer working for a state actor then some of the content on the blog page can be viewed in a more sinister way (i.e. spycraft &#x2F; hacks for sale etc.).<p>Example question 38:<p><pre><code> Question 38 accounta066 (3): Are these chopsticks really that good? I kind of want to buy them! But I recently sent money for online shopping but didn’t receive anything. It’s very risky; currently jiat0218 you don’t have any reviews, you can interview me. Do you want to hand it over?! … A sincere buyer will keep it. Reply to jiat0218 (4): First of all, I would like to express my condolences to you for your unfortunate experience! What can I say about this kind of thing...My little sister has always been trustworthy. What’s more, this is a pair of spiritual chopsticks, so I hope to have a good one. It’s the beginning! As you can see, my little sister is very careful and takes her time when answering your questions. Except for the two messages that were accidentally deleted by her, she always answers your questions. If this still doesn’t reassure you, then I can only say that I still have room to work hard. You are still welcome to bid... ^_^ </code></pre> Note however, it could all just be what it purports to be which is a prank auction of spiritual chopsticks.

Something about this I found surprising is that Linux distros are pulling and packaging pre-built binaries from upstream projects. I&#x27;d have expected them to build from source.

Homebrew is currently shipping 5.6.1 (and was shipping 5.6.0 as well). Hopefully not affected on mac?

Well isn&#x27;t this an interesting commit. He finished his inject macro to compose the payload at build, so now he can start clearing up the repo so none of that shit gets seen when cruising through it.<p><a href="https:&#x2F;&#x2F;git.tukaani.org&#x2F;?p=xz.git;a=commitdiff;h=4323bc3e0c1e1d2037d5e670a3bf6633e8a3031e;hp=5394a1665b7a108a54cb8b4ef3ebe59d3dbcca3a" rel="nofollow">https:&#x2F;&#x2F;git.tukaani.org&#x2F;?p=xz.git;a=commitdiff;h=4323bc3e0c1...</a>

Everybody here In jumping into the pure malice bandwagon, I have a better hypothesis.<p>Abandonment and inaction, the actual developers of these tools are elsewhere, oblivious to this drama, trying to make living because most of the time you are not compensated nor any corporation cares about making things sustainable at all. This is the default status of everything your fancy cloud depends on underneath.<p>An attacker took over of the project slowly and stayed dormant until recently.

I&#x27;m really curious about if the act of injecting a backdoor into OSS software is legal&#x2F;illegal ?<p>Are they somehow in the clear unless we can show they actively exploited it?

Oof, this is on my Sid laptop:<p><pre><code> {0}[calvinow@mozart ~] dpkg-query -W liblzma5 liblzma5:amd64 5.6.0-0.2 {0}[calvinow@mozart ~] hexdump -ve &#x27;1&#x2F;1 &quot;%.2x&quot;&#x27; &#x2F;lib&#x2F;x86_64-linux-gnu&#x2F;liblzma.so.5 | grep -c f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410 1 </code></pre> Glad I stopped running sshd on my laptop a long time ago... still probably going to reinstall :&#x2F;

Anyone have any idea what the code in the malicious liblzma_la-crc64-fast.o is actually doing? It&#x27;s difficult to follow statically.

The `pack`[0] compression utility that reached the HN front page the other day[1] is setting off my alarm bells right now. (It was at the time too, but now doubly so)<p>It&#x27;s written in Pascal, and the only (semi-)documented way to build it yourself is to use a graphical IDE, and pull in pre-compiled library binaries (stored in the git repo of a dependency which afaict Pack is the only dependent of - appears to be maintained by the same pseudonymous author but from a different account).<p>I&#x27;ve opened an issue[2] outlining my concerns. I&#x27;m certainly not accusing them of having backdoored binaries, but <i>if</i> I was setting up a project to be deliberately backdoorable, it&#x27;d look a lot like this.<p>[0] <a href="https:&#x2F;&#x2F;pack.ac&#x2F;" rel="nofollow">https:&#x2F;&#x2F;pack.ac&#x2F;</a><p>[1] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39793805">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39793805</a><p>[2] <a href="https:&#x2F;&#x2F;github.com&#x2F;PackOrganization&#x2F;Pack&#x2F;issues&#x2F;10">https:&#x2F;&#x2F;github.com&#x2F;PackOrganization&#x2F;Pack&#x2F;issues&#x2F;10</a>

We need to get these complex &amp; bloated build-systems under control.

I&#x27;m not trying to troll, but I&#x27;m wondering if a distro like Gentoo is less susceptible to such attacks, since the source code feels more transparent with their approach. But then again, it seems that upstream was infected in this case, so I&#x27;m not sure if a culture of compiling from source locally would help.

I am not embarrassed to say... is there anything in there that someone who runs a server with ssh needs to know?<p>I literally can&#x27;t make heads or tails of the risk here. All I see is the very alarming and scary words &quot;backdoor&quot; and &quot;ssh server&quot; in the same sentence.<p>If I am keeping stuff up to date, is there anything at all to worry about?

Is it time to deprecate the ability for code to implement linker symbols in other libraries? Shouldn&#x27;t there be a strict namespace separation between binaries&#x2F;libraries? liblzma being to implement openssh symbols seems like a symptom of a much larger problem.

Safety through obscurity and weirdness! If you disable ifunc, like any sensible person, this backdoor disables itself.

Why doesn’t GitHub force “releases” to be a simple repo tarball for sources and with binaries from GitHub actions or such…<p>I find it incredibly ironic that a “version control” site gives no assurance of reproducible builds (nor reproducible source!!)<p>The real villain is not the perpetrator, it is Microsoft, and it is all of us.

Really disappointed in the number of posters here who are playing down rushing to judgement and suggesting perhaps a legitimate developer was compromised, when it&#x27;s very clear this is sophisticated and not the work of a single person.<p>I&#x27;m recalling bad memories of the Juniper backdoor years ago.<p>Whoever did this, was playing the long game. As the top post pointed out, there was an effort to get this into Fedora.... which eventually makes its way into RHEL (read: high value targets). This was not for short term payoffs by some rogue developer trying to mine crypto or other such nonsense. What you are seeing here is the planting of seeds for something months or a year down the road.

It doesn&#x27;t really relate to this issue other than that both issues share a common source, but I wish we&#x27;d never fallen for xz.<p>I agree with the lzip guy<p><a href="https:&#x2F;&#x2F;www.nongnu.org&#x2F;lzip&#x2F;xz_inadequate.html" rel="nofollow">https:&#x2F;&#x2F;www.nongnu.org&#x2F;lzip&#x2F;xz_inadequate.html</a>

So, it&#x27;s been almost 24 hours since I read this yesterday. Is it confirmed that Jia Tan is the perpetrator? do we know who he&#x2F;she really is? Or are we going to live for the rest of our lives only knowing the pseudo name? just like Satoshi Nakamoto did to us. ;)

<a href="https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;tukaani-project.github.io&#x2F;commit&#x2F;743dc204551ecccf831108bb33ad1ee00116b58e">https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;tukaani-project.github.io...</a> Does this mean anything that it changed to a parameter??

So much for a quiet Easter holiday. Fuck

There&#x27;s a bug in the detection script. The line:<p>if [ &quot;$path&quot; == &quot;&quot; ]<p>should be<p>if [ &quot;$path&quot; = &quot;&quot; ]

Could anyone please tell me if current stable version of Debian has that backdoor or not?

Python for Windows bundles liblzma from this project, but it appears to be version 5.2.5 [0] vendored into the Python project&#x27;s repo on 2022-04-18 [1], so that should be fine, right?<p>[0] <a href="https:&#x2F;&#x2F;github.com&#x2F;python&#x2F;cpython&#x2F;blob&#x2F;main&#x2F;PCbuild&#x2F;get_externals.bat">https:&#x2F;&#x2F;github.com&#x2F;python&#x2F;cpython&#x2F;blob&#x2F;main&#x2F;PCbuild&#x2F;get_exte...</a><p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;python&#x2F;cpython-source-deps&#x2F;tree&#x2F;xz">https:&#x2F;&#x2F;github.com&#x2F;python&#x2F;cpython-source-deps&#x2F;tree&#x2F;xz</a>

a user offered 5.6.0 and 5.4.5 in an issue to microsoft&#x2F;vcpkg<p>5.4.5 can be compromised<p><a href="https:&#x2F;&#x2F;github.com&#x2F;microsoft&#x2F;vcpkg&#x2F;issues&#x2F;37197">https:&#x2F;&#x2F;github.com&#x2F;microsoft&#x2F;vcpkg&#x2F;issues&#x2F;37197</a>

Which nation state (if any) is most likely behind this? China based on name, or is this a red herring?<p>The perpetrator did most GitHub actions between 10 and 18 UTC, which sort of rules out US based, unless the messages were scheduled. Consistent with Europe to Asia.<p>See clickhouse for data: <a href="https:&#x2F;&#x2F;play.clickhouse.com&#x2F;play?user=play#U0VMRUNUICogRlJPTSBnaXRodWJfZXZlbnRzIFdIRVJFIGFjdG9yX2xvZ2luPSdKaWFUNzUnIE9SREVSIEJZIGZpbGVfdGltZSBERVND" rel="nofollow">https:&#x2F;&#x2F;play.clickhouse.com&#x2F;play?user=play#U0VMRUNUICogRlJPT...</a>

What a disappointment.<p>It&#x27;s something always in the back of our minds as developers using public libraries, but when something like this happens, non-developers that hear about it start to associate it with the rest of the open-source community.<p>It&#x27;s essentially a terrorist attack on developer experience. Thankfully, management doesn&#x27;t follow the same approach as the TSA.

Doesn&#x27;t this call for criminal charges?

Hello,<p>Github just disabled the repo : <a href="https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;xz">https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;xz</a><p>Do someone have an up to date fork to see the project history ?

Is there any news concerning the payload analysis? Just curious to see if it can be correlated with something I have in my sshd logs (e.g. login attempt with specific RSA keys).

I think we have to assume that all community software is a target. The payoff for bad actors is too great.<p>For every one of these we spot, assume there are two we have not.

Now consider that your average Linux distribution pulls in tens of thousands of packages, each of which can be similarly compromised. Pretty scary to think about.

Also the attacker included in the 5.6.0 release the support for the long-awaited multi-threading decompression (and - broken - sandbox) making it very attractive to upgrade to...<p>It was probably a tactic to give a reason to upgrade. It&#x27;s not always a fault for those who did or tried to do.

Is there a proper reverse engineering of the payload yet?

Anyone keeping current with OpenSUSE Tumbleweed got a update...downgrade. Prior to `zypper dup --no-allow-vendor-change` I had 5.6.0, now I&#x27;m at 5.4.6.

It was caught out of luck due to performance degradation. So nobody reads the code - not even once- prior to merging into upstream supply chain?

This is why the less the better... even if it means less comfortable... to a certain point obviously. And that includes SDKs...

On Ubuntu there is a bug report asking to sync the 5.6 version from Debian experimental <a href="https:&#x2F;&#x2F;bugs.launchpad.net&#x2F;ubuntu&#x2F;+source&#x2F;xz-utils&#x2F;+bug&#x2F;2055422" rel="nofollow">https:&#x2F;&#x2F;bugs.launchpad.net&#x2F;ubuntu&#x2F;+source&#x2F;xz-utils&#x2F;+bug&#x2F;2055...</a>

Saw this on nix, which was using a compromised version in the unstable channel, I hope not too many systems are affected.

State actor or not, let&#x27;s not ignore that the backdoor has been discovered thanks to the open nature of the projects involved that allowed digging into the code. Just another example like the infamous Borland InterBase backdoor in the early 2K that remained dormant for years and was discovered months after the source code has been released. If the xz malware authors worked for any corp that produced closed source drivers or blobs that can&#x27;t be properly audited, we would be fucked; I just hope this is not already happening, because the attack surface in all those devices and appliances out there running closed code is huge.

Why are projects like xz and sshd still active? Just freeze it, it works fine. Only changes should be fixes for vulnerabilities. None of this complicated new functionality. If you want something like that make a new project. If it is truly better people will use it.

chmod u+x running detect_sh script just runs with no output on my arch linux box?<p><a href="https:&#x2F;&#x2F;www.openwall.com&#x2F;lists&#x2F;oss-security&#x2F;2024&#x2F;03&#x2F;29&#x2F;4" rel="nofollow">https:&#x2F;&#x2F;www.openwall.com&#x2F;lists&#x2F;oss-security&#x2F;2024&#x2F;03&#x2F;29&#x2F;4</a>

Interestingly on of the accounts that the GitHub account who introduced the backdoor follows was suspended very recently [1] who is also part of the org who runs XZ<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;JiaT75?tab=following">https:&#x2F;&#x2F;github.com&#x2F;JiaT75?tab=following</a>

It seems that to counter this type of supply chain attack, the best practices for managing software dependencies are to pin the version numbers of dependencies instead of using `latest`, and to use static linking instead of dynamic linking.

In the future: automated `diff` or any other A&#x2F;B check to see whether or not the tarball matches the source repo (if not, auto-flag with a mismatch warning attribute), is that feasible to implement?

For someone who does not understand the packages used, could you please summarize in layman non technical terms. Thanks I did read the main post.

that&#x27;s... creative. and patient. 11&#x2F;10 concerning - now I&#x27;m wondering how many other projects could have shit like this in them or added right as I&#x27;m writing this <i>shudder</i>

Wow<p><a href="https:&#x2F;&#x2F;ubuntu.com&#x2F;security&#x2F;notices&#x2F;USN-5378-2" rel="nofollow">https:&#x2F;&#x2F;ubuntu.com&#x2F;security&#x2F;notices&#x2F;USN-5378-2</a>

Brain fart: would it be possible to attach passwords to a crypto based micro transaction such that every time you attempted a password entry your crypto account was charged a small fee for the login attempt?<p>This would thwart brute force attacks, but not be a significant cost for users. If you could attach your login to the crypto account it would mean the account would have to be funded to allow the attempt. The token wouldn&#x27;t store passwords it would just be a gatekeeper to the login attempt.<p>The fees would be paid to the service providers as mining fees.<p>E.g. foo@bar.com needs a password and a token provided from a designated crypto address to gain access to the service.

Damn. I&#x27;m on macOS and use homebrew. To my surprise I had &quot;xz&quot; version 6.5.1 installed on my computer!<p>I ran &quot;brew upgrade&quot; and that downgraded to version 5.4.6.

xz is just a horribly designed format, and always has been. If you use it, please switch to Lzip. Same compression level, but designed by someone competent.<p><a href="https:&#x2F;&#x2F;www.nongnu.org&#x2F;lzip&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.nongnu.org&#x2F;lzip&#x2F;</a><p><a href="https:&#x2F;&#x2F;www.nongnu.org&#x2F;lzip&#x2F;xz_inadequate.html" rel="nofollow">https:&#x2F;&#x2F;www.nongnu.org&#x2F;lzip&#x2F;xz_inadequate.html</a>

Looks like Jonathan Blow was right about open source.

Why is the Long Range Zip lrzip compression format not used? It gives better compression than xz when using the correct switches.

Why isn&#x27;t he identified personally? Very likely he is &#x27;contributing&#x27; to other projects under different accounts.

Maybe @JiaT75 got forced to do it. Maybe someone has more personal contact with him and can check how he is doing.

Is there already a list of distributions that included the affected versions in non-prereelase channels?

Surely the real target of this was Tor (which links liblzma) not random SSH servers.

Has this affected OpenBSD at all?

I wonder which browsers link liblzma and can this lead to https eavesdropping?

Fairly deep bugs for a Bazaar.

we should take this diagram and change &quot;random person in nebraska&quot; to &quot;possibly a state-level attacker&quot;<p><a href="https:&#x2F;&#x2F;xkcd.com&#x2F;2347&#x2F;" rel="nofollow">https:&#x2F;&#x2F;xkcd.com&#x2F;2347&#x2F;</a><p>nice

Candidly how would someone protect against a vulnerability like this?

Which OS are affected by this compromise?? Is Ubuntu affected?

How that backdoor is triggered and what exactly it does?

Maybe it&#x27;s finally time to start sunsetting LZMA and xz all together in favor of newer algorithms like Zstandard that also offer better performance but compression rates on par with LZMA.

Was Debian 12&#x2F;stable unaffected? Only sid?

- * _ring ring_ * - &quot;Hello?&quot; - &quot;It&#x27;s Lasse Collin.&quot; - &quot;Why are you collin me? Why not just use the backdoor?&quot;

<a href="https:&#x2F;&#x2F;imgur.com&#x2F;WGaK3Tn" rel="nofollow">https:&#x2F;&#x2F;imgur.com&#x2F;WGaK3Tn</a>

Please note: the changes have been made after GitHub has enforced 2FA (certainly not for &quot;better security&quot;, but for promotion of FIDO2 and Windows Hello biometric impl of FIDO2, see <a href="https:&#x2F;&#x2F;codeberg.org&#x2F;KOLANICH&#x2F;Fuck-GuanTEEnomo" rel="nofollow">https:&#x2F;&#x2F;codeberg.org&#x2F;KOLANICH&#x2F;Fuck-GuanTEEnomo</a> for more info. Until recent times (for now access via git protocol is blocked for my acc, I guess based on lack of 2FA set up) it was even possible to push into all repos one has access by just using single-factor SSH key even without enabling 2FA in the account). As I have warned, nothing will protect when a backdoor is introduced by a malicious maintainer, or a &quot;smart entrepreneur&quot; who sold his project to a ad-company, or a loyal &quot;patriot&quot; living and earning money within reach of some state, or just a powerless man who got an offer he can&#x27;t refuse. In general supply chain attacks by &quot;legitimate&quot; maintainers cannot be prevented. &quot;Jia Tan&quot; is just a sockpuppet to mitigate consequences to maintainers to make it look like they are not involved into it. They surely are. At least according to the current info it were they who have given the malicious account the permission to publish releases on behalf of the project and access to the repo.<p>IMHO all maintainers of the backdooored projects anyhow related to accepting the malicious changes should be considered as accomplices and boycotted. We don&#x27;t need evidence of their liability, it is they who need to maintain their reputation. We are just free to take our decisions based on their reputation. Even if they were hacked themselves, it is not our problem, it is their problem. Our problem is to keep ourselves safe. It may feel &quot;unjust&quot; to ruin reputation of a person based on the fact he may be cheated or hacked… But if a person can be cheated or hacked, why should he&#x2F;she have such a good reputation as everyone else?! So, it makes a lot of sense to just exclude and replace everyone, for whome there exists evidence of comprometation, no matter due to unconcern or malice. But FOSS is a doocracy serving products at dumpling prices ($0, free of charge), and for majority backdoored software is completely acceptable given that they get them free of charge. And powerful actors who can afford to pay for software will just hire devs to develop their private versions, while allowing the public to pay $0 for their free versions and use the backdoors placed into them themselves. In other words a complete market failure.<p>I think that 1. xz project must be shut down completely. I mean projects should stop using it as a dependency, exclude from distros, boycott it. LZMA algo was developed by Igor Pavlov in 7z project, but somehow it has happenned that liblzma was developed and maintained by unrelated folks. liblzma should be developed as a part of 7z project taking no code other than the trivial one for API compatibility adapter from xz. 2. Projects created by compromised authkrs should be boycotted. 3. Other projects touched by the compromised devs&#x2F;maintainers should be audited. 4. All the projects using autotools should be audited and must replace autotools with cmake&#x2F;meson. Autotools is a piece of shit, completely uncomprehensible. There is no surprise it was used to hude a backdoor - according to my experience in FOSS noone likes to touch its scripts anyhow. 5. No project should be built from releases. Project should be built from git directly. Implementing full support of SHA256 in git and git forges (GitHub, GitLab, Codeberg, sr.ht) should be accelerated to mitigate attacks using collisions to replace approved commits (I guess the randomness can be concealed from reviewer&#x27;s eye in binary resource files, like pictures).

TLDR: Some people have been throwing around “China,” but it seems also quite possible that Jia is from somewhere in Eastern Europe pretending to be from China. In addition, Lasse Collin and Hans Jansen are from the same EET time zone.<p>These are my notes on time stamps&#x2F;zones. There are a few interesting bits that I haven&#x27;t fully fleshed out.<p>The following analysis was conducted on JiaT75’s (<a href="https:&#x2F;&#x2F;github.com&#x2F;JiaT75?tab=overview&amp;from=2021-12-01&amp;to=2021-12-31">https:&#x2F;&#x2F;github.com&#x2F;JiaT75?tab=overview&amp;from=2021-12-01&amp;to=20...</a>) commits to the XZ repository, and their time stamps.<p>Observation 1: Time zone basic analysis<p>Here is the data on Jia’s time zone and the number of times he was recorded in that time zone:<p>3: + 0200 (in winter: February and November)<p>6: +0300 (in summer: in Jun, Jul, early October)<p>440: +0800<p>1. The +800 is likely CST. China (or Indonesia or Philippines), given that Australia does daylight savings time and almost no one lives in Siberia and the Gobi dessert.<p>2. The +0200&#x2F;+0300, if we are assuming that this is one location, is likely on EET (Finland, Estonia, Latvia, Lithuania, Ukraine, Moldavia, Romania, Bulgaria, Greece, Turkey). This is because we see a switch from +300 in the winter (past the last weekend of October) and +200 in the summer (past the last Sunday in March).<p>Incidentally, this seems to be the same time zone as Lasse Collin and Hans Jansen…<p>Observation 2: Time zone inconsistencies<p>Let’s analyze the few times where Jia was recorded in a non +800 time zone. Here, we notice that there are some situations where Jia switches between +800 and +300&#x2F;+200 in a seemingly implausible time. Indicating that perhaps he is not actually in +800 CST time, as his profile would like us to believe.<p>Jia Tan Tue, 27 Jun 2023 23:38:32 +0800 —&gt; 23:38 + 8 = 7:30 (+ 1) Jia Tan Tue, 27 Jun 2023 17:27:09 +0300 —&gt; 17:27 + 3 = 20:30 —&gt; about a 9 hour difference, but flight from China to anywhere in Eastern Europe is at a min 10 hours<p>Jia Tan Thu, 5 May 2022 20:53:42 +0800<p>Jia Tan Sat, 19 Nov 2022 23:18:04 +0800<p>Jia Tan Mon, 7 Nov 2022 16:24:14 +0200<p>Jia Tan Sun, 23 Oct 2022 21:01:08 +0800<p>Jia Tan Thu, 6 Oct 2022 21:53:09 +0300 —&gt; 21:53 + 3 = 1:00 (+1)<p>Jia Tan Thu, 6 Oct 2022 17:00:38 +0800 —&gt; 17:00 + 8 = 1:00 (+1)<p>Jia Tan Wed, 5 Oct 2022 23:54:12 +0800<p>Jia Tan Wed, 5 Oct 2022 20:57:16 +0800<p>—&gt; again, given the flight time, this is even more impossible<p>Jia Tan Fri, 2 Sep 2022 20:18:55 +0800<p>Jia Tan Thu, 8 Sep 2022 15:07:00 +0300<p>Jia Tan Mon, 25 Jul 2022 18:30:05 +0300<p>Jia Tan Mon, 25 Jul 2022 18:20:01 +0300<p>Jia Tan Fri, 1 Jul 2022 21:19:26 +0800<p>Jia Tan Thu, 16 Jun 2022 17:32:19 +0300<p>Jia Tan Mon, 13 Jun 2022 20:27:03 +0800<p>—&gt; the ordering of these time stamps, and the switching back and forth looks strange.<p>Jia Tan Thu, 15 Feb 2024 22:26:43 +0800<p>Jia Tan Thu, 15 Feb 2024 01:53:40 +0800<p>Jia Tan Mon, 12 Feb 2024 17:09:10 +0200<p>Jia Tan Mon, 12 Feb 2024 17:09:10 +0200<p>Jia Tan Tue, 13 Feb 2024 22:38:58 +0800<p>—&gt; this travel time is possible, but the duration of stay is unlikely<p>Observation 3: Strange record of time stamps It seems that from the commits, often the time stamps are out of order. I am not sure what would cause this other than some tampering.<p>Observation 4: Bank holiday inconsistencies<p>We notice that Jia’s work schedule and holidays seem to align much better with an Eastern European than a Chinese person.<p>Disclaimer: I am not an expert in Chinese holidays, so this very well could be inaccurate. I am referencing this list of bak holidays:(<a href="https:&#x2F;&#x2F;www.bankofchina.co.id&#x2F;en-id&#x2F;service&#x2F;information&#x2F;latest-news&#x2F;2022&#x2F;public-holidays-in-china-hk-and-the-us-in-2023.html" rel="nofollow">https:&#x2F;&#x2F;www.bankofchina.co.id&#x2F;en-id&#x2F;service&#x2F;information&#x2F;late...</a>)<p>Chinese bank holidays (just looking at 2023):<p>- Working on 2023, 29 September: Mid Autumn Festival<p>- Working on 2023, 05 April: Tomb Sweeping Day<p>- Working on 2023, 26, 22, 23, 24, 26, 27 Jan: Lunar New Year<p>Eastern European holidays:<p>- Never working on Dec 25: Christmas (for many EET countries)<p>- Never working Dec 31 or Jan 1: New Years<p>Observation 5: No weekend work —&gt; salary job?<p>The most common working days for Jia was Tue (86), Wed (85), Thu (89), and Fri (79). If we adjust his time zone to be EET, then that means he is usually working 9 am to 6 pm. This makes much more sense than someone working at midnight and 1 am on a Tuesday night.<p>These times also line up well with Hans Jansen and Lasse Collin.<p>I think it is more likely that Jia does this as part of his work… somewhere in Eastern Europe. Likely working with, or in fact being one and the same as, Hans Jansen and Lasse Collin.

Thank the gods I didn&#x27;t plan on having a life this weekend

Is this sev0?

Hello everybody.<p>I am taking the initiative to gather more information regarding the possible precursors and perpetrators of the backdoor.<p>The purpose of this commentary is focused on open source information (OSINT).<p>I am not a judge of anyone or any action that may occur, the objective of this comment is to help through accurate and quick information to help the core developers of the affected packages and consequently the Linux kernel (which may have been indirectly or directly affected) take action necessary in relation to the fact that occurred.<p>NOTE: This comment will always have &quot;edit&quot; so always review it for information.<p>Information I have so far.<p>Summary: 1. GitHub Account Suspension: - The accounts of @JiaT75 and @Larhzu were suspended by GitHub. - All Tukaani repositories, including downloads, were disabled. - Investigate the cause of the account suspensions and whether there is any correlation with suspicious activities.<p>2. Possible Backdoor in xz&#x2F;liblzma: - There are concerns about the presence of a backdoor in xz&#x2F;liblzma. - Investigate whether there is evidence of compromise in the source code and recent updates. - Examine potential impacts, especially if the software is used in critical systems.<p>3. Updates and Patches in Packages: - Note recent updates in packages such as MinGW w64, pacman-static, Alpine, and OpenSUSE. - Review changelogs to understand if these updates are related to security fixes.<p>4. Jia&#x27;s Activities on Platforms and Projects: - Investigate Jia&#x27;s contributions to different projects and platforms, such as Arch Linux, Alpine Linux, and OpenSUSE. - Check for correlations between Jia&#x27;s activities and reported security issues.<p>5. Libera Registration Information: - Analyze Jia&#x27;s registration details on Libera to determine the timeline of their online activities. - Consider correlating this information with other online activities of Jia.<p>6. VPN Usage: - Confirm Jia&#x27;s use of VPN and assess its impact on security investigations. - Explore possible reasons for using a VPN and how it may affect the identification and tracking of online activities.<p>Links related to user JiaT75 [xz] Remove JiaT75 as a contact, determine correct contacts #11760 - Google&#x2F;oss-fuzz <a href="https:&#x2F;&#x2F;github.com&#x2F;google&#x2F;oss-fuzz&#x2F;issues&#x2F;11760">https:&#x2F;&#x2F;github.com&#x2F;google&#x2F;oss-fuzz&#x2F;issues&#x2F;11760</a><p>Tuktest index hash #7 - tukaani-project&#x2F;xz&#x2F;pull&#x2F;7 <a href="https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20240329230522&#x2F;https:&#x2F;&#x2F;github.com&#x2F;tukaani-project&#x2F;xz&#x2F;pull&#x2F;7" rel="nofollow">https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20240329230522&#x2F;https:&#x2F;&#x2F;github.co...</a>

Time for another OS wipe. Glad I keep bleeding edge versions VMd

is this sev0?

Jesus! Does anyone know if Debian stable is affected?

now I wonder which browsers link liblzma?

Notes on time stamps and time zones.<p>A few interesting bits that I haven&#x27;t fully fleshed out. TLDR: Some people have been throwing around that Jia is from “China,” but it seems also quite possible that Jia is from somewhere in Eastern Europe pretending to be from China. In addition, Lasse Collin and Hans Jansen are from the same EET time zone.<p>The following analysis was conducted on JiaT75’s (<a href="https:&#x2F;&#x2F;github.com&#x2F;JiaT75?tab=overview&amp;from=2021-12-01&amp;to=2021-12-31">https:&#x2F;&#x2F;github.com&#x2F;JiaT75?tab=overview&amp;from=2021-12-01&amp;to=20...</a>) commits to the XZ repository, and their time stamps.<p>Observation 1: Time zone basic analysis<p>Here is the data on Jia’s time zone and the number of times he was recorded in that time zone: 3: + 0200 (in winter: February and November) 6: +0300 (in summer: in Jun, Jul, early October) 440: +0800<p>1. The +800 is likely CST. China (or Indonesia or Philippines), given that Australia does daylight savings time and almost no one lives in Siberia and the Gobi dessert. 2. The +0200&#x2F;+0300, if we are assuming that this is one location, is likely on EET (Finland, Estonia, Latvia, Lithuania, Ukraine, Moldavia, Romania, Bulgaria, Greece, Turkey). This is because we see a switch from +300 in the winter (past the last weekend of October) and +200 in the summer (past the last Sunday in March). 1. Incidentally, this seems to be the same time zone as Lasse Collin and Hans Jansen…<p>Observation 2: Time zone inconsistencies<p>Let’s analyze the few times where Jia was recorded in a non +800 time zone. Here, we notice that there are some situations where Jia switches between +800 and +300&#x2F;+200 in a seemingly implausible time. Indicating that perhaps he is not actually in +800 CST time, as his profile would like us to believe.<p>Jia Tan Tue, 27 Jun 2023 23:38:32 +0800 —&gt; 23:38 + 8 = 7:30 (+ 1) Jia Tan Tue, 27 Jun 2023 17:27:09 +0300 —&gt; 17:27 + 3 = 20:30 —&gt; about a 9 hour difference, but a flight from China to anywhere in Eastern Europe is at a min 10 hours<p>Jia Tan Thu, 5 May 2022 20:53:42 +0800 Jia Tan Sat, 19 Nov 2022 23:18:04 +0800 Jia Tan Mon, 7 Nov 2022 16:24:14 +0200 Jia Tan Sun, 23 Oct 2022 21:01:08 +0800 Jia Tan Thu, 6 Oct 2022 21:53:09 +0300 —&gt; 21:53 + 3 = 1:00 (+1) Jia Tan Thu, 6 Oct 2022 17:00:38 +0800 —&gt; 17:00 + 8 = 1:00 (+1) Jia Tan Wed, 5 Oct 2022 23:54:12 +0800 Jia Tan Wed, 5 Oct 2022 20:57:16 +0800 —&gt; again, given the flight time, this is even more impossible<p>Jia Tan Fri, 2 Sep 2022 20:18:55 +0800 Jia Tan Thu, 8 Sep 2022 15:07:00 +0300 Jia Tan Mon, 25 Jul 2022 18:30:05 +0300 Jia Tan Mon, 25 Jul 2022 18:20:01 +0300 Jia Tan Fri, 1 Jul 2022 21:19:26 +0800 Jia Tan Thu, 16 Jun 2022 17:32:19 +0300 Jia Tan Mon, 13 Jun 2022 20:27:03 +0800 —&gt; the ordering of these time stamps and the switching back and forth between time zones looks strange.<p>Jia Tan Thu, 15 Feb 2024 22:26:43 +0800 Jia Tan Thu, 15 Feb 2024 01:53:40 +0800 Jia Tan Mon, 12 Feb 2024 17:09:10 +0200 Jia Tan Mon, 12 Feb 2024 17:09:10 +0200 Jia Tan Tue, 13 Feb 2024 22:38:58 +0800 —&gt; this travel time is possible, but the duration of stay is unlikely<p>Observation 3: Strange record of time stamps<p>It seems that from the commits, often the time stamps are out of order. I am not sure what would cause this other than some tampering.<p>Observation 4: Bank holiday inconsistencies<p>We notice that Jia’s work schedule and holidays seems to align much better with an Eastern European than a Chinese person.<p>Disclaimer: I am not an expert in Chinese holidays, so this very well could be inaccurate. I am referencing this list of bank holidays:(<a href="https:&#x2F;&#x2F;www.bankofchina.co.id&#x2F;en-id&#x2F;service&#x2F;information&#x2F;latest-news&#x2F;2022&#x2F;public-holidays-in-china-hk-and-the-us-in-2023.html" rel="nofollow">https:&#x2F;&#x2F;www.bankofchina.co.id&#x2F;en-id&#x2F;service&#x2F;information&#x2F;late...</a>)<p>Chinese bank holidays (just looking at 2023): - Working on 2023, 29 September: Mid Autumn Festival - Working on 2023, 05 April: Tomb Sweeping Day - Working on 2023, 26, 22, 23, 24, 26, 27 Jan: Lunar New Year<p>Eastern European holidays: - Never working on Dec 25: Christmas (for many EET countries) - Never working Dec 31 or Jan 1: New Years<p>Observation 5: Little weekend work —&gt; salary job?<p>The most common working days for Jia were Tue (86), Wed (85), Thu (89), and Fri (79). If we adjust his time zone to EET, then that means he is usually working 9 am to 6 pm. This makes much more sense than someone working at midnight and 1 am on a Tuesday night.<p>These times also line up well with Hans Jansen and Lasse Collin.<p>I think it is more likely that Jia does this as part of his work… somewhere in Eastern Europe. Likely working with, or in fact being one and the same as, Hans Jansen and Lasse Collin.

Another interesting data point: about 2 years ago there was a clear pressure campaign to name a new maintainer: <a href="https:&#x2F;&#x2F;www.mail-archive.com&#x2F;xz-devel@tukaani.org&#x2F;msg00566.html" rel="nofollow">https:&#x2F;&#x2F;www.mail-archive.com&#x2F;xz-devel@tukaani.org&#x2F;msg00566.h...</a><p>At the time I thought it was just rude, but maybe this is when it all started.

Wait, I&#x27;m on mobile. Did this partially slip by because of the ABSURD PRACTICE of publishing release.tarballs that do not 1:1 correspond with source?<p>Let me guess, autotools? I want to rage shit post but I guess I&#x27;ll wait for confirmation first.<p>EDIT: YUP, AT LEAST PARTIALLY. Fucking god damn autotools.

I think its much more likely this was not a bad actor, given their long history of commits.<p>It&#x27;s a known fact that China will &quot;recruit&quot; people to operate them. A quote:<p>&gt; They talk to them, say my friend, I see you like our special menu. Are you from China? Are you here on a VISA? Do you have family back there? Would you like your family to stay alive? Is your loyalty to this temporary employer or is your loyalty to your motherland? You know, a whole bunch of stuff like that. That’s how Chinese intelligence operations acts...<p>This just gives feelings of less &quot;compromised account&quot; and more &quot;Your account is now our account&quot;

Yikes! Do you have any info on the individual&#x27;s background or possible motivations?

Tukaani website states &quot;jiatan&quot; as the nickname of the malicious code committer on Libera Chat.<p>WHOWAS jiatan provided me the following information:<p>jiatan ~jiatan 185.128.24.163 * :Jia Tan jiatan 185.128.24.163 :actually using host jiatan jiatan :was logged in as jiatan tungsten.libera.chat :Fri Mar 14:47:40 2024<p>WHOIS yields nothing, the user is not present on the network at the moment.<p>Given that 185.128.24.163 is covered with a range-block on the English Wikipedia, it appears this is a proxy.

can someone ELI5 ?

pRoBaBlY a StaTe AcToR<p>zero definition of what that means...<p>egos of people who just like to say cool words they don&#x27;t understand<p>lol<p>this comment will probably get deleted, but let the action of this comment being deleted stand that in 2024 we&#x27;re all allowed to use big words with no definition of what they mean -&gt; bad<p>state actor? who? what motive? what country? all comments involving &quot;state actor&quot; are very broad and strange... i would like people to stop using words that have no meaning, as it really takes away from the overall conversation of what is going on.<p>i mean you&#x27;re seriously going to say &quot;state actor playing the long game&quot; to what end? the issue was resolved in 2 hours... this is stupid

It&#x27;s always Debian, like last time when they removed RNG randomness from ssh because of a warning.

This is why we never upgrade software versions. I’ve been asked by our customers why we use such an old AMI version. This is why.

Waiting for the new YouTube videos on this. &quot;Woah! Linux has a back door dudes!&quot;. My distribution, Ubuntu (now Kubuntu) 2022 isn&#x27;t affected.

I guess that rewriting liblzma in Rust would <i>not</i> have prevented this backdoor. But would have likely increased the confidence in its safety.<p>Using the build system (and potentially the compiler) to insert malicious backdoors is far from a new idea, and I don&#x27;t see why this example would the only case.

Pretty much proof that OSS != automatically more secure. And proof that OSS projects can get backdoored. See this for more ideas on this issue: <a href="https:&#x2F;&#x2F;seirdy.one&#x2F;posts&#x2F;2022&#x2F;02&#x2F;02&#x2F;floss-security&#x2F;" rel="nofollow">https:&#x2F;&#x2F;seirdy.one&#x2F;posts&#x2F;2022&#x2F;02&#x2F;02&#x2F;floss-security&#x2F;</a>

&quot;Lasse Collin,&quot; as other posters here have found, does not seem to exist as an experienced coder. Oddly, there is a Swedish jazz musician named Lasse Collin, which would otherwise be one of those names, especially the last name, that would stick out. Instead it is buried under a lot of mentions of a musician.