{"id":60049,"date":"2024-03-29T12:16:50","date_gmt":"2024-03-29T16:16:50","guid":{"rendered":"http:\/\/pappp.net\/?guid=3a4592a8f340b9f9ed63d6ca2d32d96c"},"modified":"2024-03-29T12:16:50","modified_gmt":"2024-03-29T16:16:50","slug":"backdoor-in-upstream-xz-liblzma-leading-to-ssh-server-compromise","status":"publish","type":"post","link":"https:\/\/pappp.net\/?p=60049","title":{"rendered":"Backdoor in upstream xz\/liblzma leading to SSH server compromise"},"content":{"rendered":"<p class=\"syndicated-attribution\">Source: <a href=\"https:\/\/www.openwall.com\/lists\/oss-security\/2024\/03\/29\/4\">Hacker News<\/a><\/p>\n<div style=\"background-color : #fff7d5;\n\t\t\tborder-width : 1px; padding : 5px; border-style : dashed; border-color : #e7d796;margin-bottom : 1em; color : #9a8c59;\">Article note: This shit is subtle and scary.\nSupply chain attack on xz's liblzma (compression tool + library) which is linked by libsystemd, which is linked by openssh, putting it in the same namespace so it can intercept some function calls from openssh to open a backdoor.  \nInjected into the release tarball (not in git), activated by the build scripts (such that it will typically only exhibit if a deb or rpm is the target), with various obfuscations to make it evade common instrumentation.\nBy a moderately prolific and established contributor to a number of high-profile projects. \nDiscovered because it caused a noticeable performance regression because of Debian's build time tweaks.<\/div><a href=\"https:\/\/news.ycombinator.com\/item?id=39865810\" rel=\"noopener noreferrer\">Comments<\/a>","protected":false},"excerpt":{"rendered":"<p>Comments<\/p>\n<p> <a href=\"https:\/\/pappp.net\/?p=60049\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[226],"tags":[],"class_list":["post-60049","post","type-post","status-publish","format-standard","hentry","category-news-2"],"_links":{"self":[{"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/posts\/60049","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pappp.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=60049"}],"version-history":[{"count":0,"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/posts\/60049\/revisions"}],"wp:attachment":[{"href":"https:\/\/pappp.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=60049"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pappp.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=60049"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pappp.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=60049"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}