this post was submitted on 29 Mar 2024
138 points (97.3% liked)

Programming

16212 readers
98 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
138
Backdoor in upstream xz/liblzma leading to ssh server compromise (www.openwall.com)
submitted 3 months ago by [email protected] to c/[email protected]
7 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] agent_flounder 25 points 3 months ago (2 children)

Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of it's "great new features". We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added). We had to race last night to fix the problem after an inadvertent break of the embargo.

He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.

Damn. I would love to see a full post mortem on this compromise.

[–] [email protected] 4 points 3 months ago

The hack is still not fully understood and is being analyzed. It doesn't help that Github suspended everything, including the original maintainer's account (who is believed to be a victim of social engineering).

Anyway, you will eventually see a post mortem. I'm willing to bet that it's going to be as phenomenal as the hack itself. The case and its investigation is going to be a classic case study for all security researchers and security-minded users. Anyway, I doubt that the attackers will ever be found. Jia Tan, Jigar Kumar and others are going to remain as ghosts like Satoshi Nakamoto.