Backdoor in upstream xz/liblzma leading to SSH server compromise

Source: Hacker News

Article note: This shit is subtle and scary. Supply-chain attack on xz's liblzma (the compression tool plus library). liblzma is linked by libsystemd, which distro-patched openssh links for sd_notify, so the library lands in sshd's own process and can hook function calls there (via glibc IFUNC resolvers) to open a backdoor. The build-script stage was injected only into the release tarballs (not into git), while the obfuscated payload hid in binary test files; the build scripts only arm it when the target is a deb or rpm build on x86_64 Linux, with further obfuscation and runtime checks to dodge common instrumentation such as debuggers. Planted by a moderately prolific, established contributor who had commit and release rights on xz and had touched a number of other high-profile projects. Discovered because the hooked sshd burned noticeably more CPU on every login and tripped valgrind, which a developer doing unrelated benchmarking on Debian sid dug into.
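The check a practitioner wants after reading this: does my sshd actually reach liblzma through the libsystemd route, and is the installed liblzma one of the two upstream releases (5.6.0 and 5.6.1) identified as carrying the backdoor? The script below is an added example, not code from the article, the xz project or the distros; the `SAMPLE_LDD` text is constructed to look like `ldd` output for a distro-patched sshd, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or the xz project): walk the
# sshd -> libsystemd -> liblzma chain the note describes.

# Constructed ldd output modelled on a distro-patched sshd; not captured from a real host.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffc12340000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1e00000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1d00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c00000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b00000000)'

# Print the resolved liblzma path from ldd output on stdin; exit 1 if absent.
# ldd lists the full transitive closure, so liblzma pulled in only via
# libsystemd still shows up even though sshd itself never names it.
lzma_path() {
    awk '$1 ~ /^liblzma\.so/ && $2 == "=>" { print $3; found = 1 } END { exit !found }'
}

# Exit 0 if libsystemd is in the chain, confirming the route into sshd.
systemd_linked() {
    awk '$1 ~ /^libsystemd\.so/ { found = 1 } END { exit !found }'
}

# The two upstream releases identified as carrying the backdoor are 5.6.0 and 5.6.1.
# Argument: a version string, e.g. the second field of the liblzma line of `xz --version`.
version_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against this host. Returns 0 if sshd reaches liblzma at all
# (worth a closer look), 1 if it does not or the tools are missing.
check_host() {
    sshd_bin=$(command -v sshd 2>/dev/null) || { echo "sshd not found on PATH"; return 1; }
    out=$(ldd "$sshd_bin" 2>/dev/null) || { echo "ldd failed on $sshd_bin"; return 1; }
    path=$(printf '%s\n' "$out" | lzma_path) || { echo "$sshd_bin does not link liblzma"; return 1; }
    ver=$(xz --version 2>/dev/null | awk '/liblzma/ { print $2 }')
    if version_backdoored "$ver"; then
        echo "$sshd_bin reaches $path, liblzma $ver: backdoored release, rebuild or downgrade now"
    else
        echo "$sshd_bin reaches $path, liblzma ${ver:-unknown}: not a known bad version, but the hook path exists"
    fi
    return 0
}

# Demo on the constructed sample (prints the liblzma path):
printf '%s\n' "$SAMPLE_LDD" | lzma_path
```

Run `check_host` on a real machine for the live verdict; the functions take `ldd` text on stdin so they can also be pointed at output collected from hosts where you would rather not run anything else. A clean version string is not a clean bill of health if the chain exists: the note's point is that any future liblzma compromise has the same path into sshd, so the real fix is sshd not loading libsystemd (and therefore liblzma) at all.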