this post was submitted on 29 Mar 2024
173 points (98.3% liked)

Selfhosted

39927 readers
400 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud
Loki
CannaVet
devve
HybridSarcasm
[email protected]
173
Backdoor in upstream xz/liblzma leading to ssh server compromise (www.openwall.com)
submitted 7 months ago* (last edited 7 months ago) by [email protected] to c/selfhosted
9 comments fedilink hide all child comments
 

Related discussion:

https://news.ycombinator.com/item?id=39865810

https://news.ycombinator.com/item?id=39877267

Advisories:

CVE-2024-3094
Arch
Debian
openSUSE
Red Hat

top 9 comments
sorted by: hot top controversial new old
[–] [email protected] 39 points 7 months ago* (last edited 7 months ago) (2 children)

Man, there is a lot of concerning stuff there.

In particular, one person commented that the original xz maintainer was possibly subjected to a pressure campaign to hand over maintainership.

Another interesting data point: about 2 years ago there was a clear pressure campaign to name a new maintainer:

https://www.mail-archive.com/[email protected]/msg00566.html

At the time I thought it was just rude, but maybe this is when it all started.

I don't know how many open-source project maintainers would be on guard for something that subtle, people coordinating to take over maintainership of a project.

I mean, xz isn't normally something you'd immediately think of as security-critical. I doubt that a maintainer knows or thinks about about all the potential downstream dependencies (in this case, not even a standard sshd depedendency, but one that came up because of a patch that Debian used to add some systemd functionality).

EDIT:

I mean, xz isn't normally something you'd immediately think of as security-critical.

On second thought, it actually is, given that Debian packages are xz-compressed.

[–] [email protected] 12 points 7 months ago* (last edited 7 months ago)

We've had a lot of trust among open-source projects, where people just kind of assume that people are doing the right thing, but there are some very, very large places where a potential attacker might manage to get maintainership of a library, if they're willing to spend a long time slowly getting access.

I'd figured that one day, we'd have a really big apocalypse that would cause some of that to break down, and we'd lose our innocence and have to do things differently.

I mean, let's say that I'm an important security researcher, and I use R, a common statistical tool, nothing directly to do with security. That pulls in all kinds of libraries from various online statistics archives, and the people working on those aren't really security people, probably generally don't know how to vet things effectively even if they wanted to do so. Perl and Python and other tools have similar things. If someone can target that security researcher using that, could be nothing more than an intentionally-induced parsing bug in a library they use, then they can get things like that researcher's private keys, maybe get ahold of signing keys for software packages and the like.

And in the xz case, it looks like social engineering efforts were used against both the maintainer and packagers. The open-source community has a lot of well-meaning strangers collaborating in good faith, built on a lot of trust extended, and they aimed to exploit that.

All of the problems get a lot harder to deal with when it's someone willing to spend a lot of time and use sophisticated tactics.

[–] [email protected] 6 points 7 months ago

Wow

And for a state sponsored attacker is cheaper to bribe (or threaten to kill, even cheaper) the single developer to add a backdoor than all the research to find a zero day

[–] DocMcStuffin 35 points 7 months ago

There's talk on the Linux kernel mailing list. The same person made recent contributions there.

Andrew (and anyone else), please do not take this code right now.

Until the backdooring of upstream xz[1] is fully understood, we should not accept any code from Jia Tan, Lasse Collin, or any other folks associated with tukaani.org. It appears the domain, or at least credentials associated with Jia Tan, have been used to create an obfuscated ssh server backdoor via the xz upstream releases since at least 5.6.0. Without extensive analysis, we should not take any associated code. It may be worth doing some retrospective analysis of past contributions as well...

[–] [email protected] 18 points 7 months ago
[–] [email protected] 9 points 7 months ago

In case, like me, you were wondering what this has to do with ssh:

openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.

[–] [email protected] 5 points 7 months ago

A good summary here: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/