|
Message-ID: <2b0cea4ac146cfa257c60538909e03c4@purelymail.com> Date: Fri, 29 Mar 2024 21:17:29 +0100 From: "Rein Fernhout (Levitating)" <me@...itati.ng> To: oss-security@...ts.openwall.com Cc: "Alexander E. Patrakov" <patrakov@...il.com> Subject: Re: backdoor in upstream xz/liblzma leading to ssh server compromise > P.S. in the detect.sh script, the "set -eu" line plays a bad trick: it > aborts the check if sshd is not actually linked to liblzma. Or if sshd is not in PATH. (/usr/sbin/) On 2024-03-29 19:59, Alexander E. Patrakov wrote: > On Sat, Mar 30, 2024 at 12:09 AM Andres Freund <andres@...razel.de> > wrote: >> == Affected Systems == >> >> The attached de-obfuscated script is invoked first after configure, >> where it >> decides whether to modify the build process to inject the code. >> >> These conditions include... > <snip> >> Running as part of a debian or RPM package build: >> if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = >> "xx86_64";then > > Could you please confirm that the Arch Linux binary package was never > actually compromised? > >> openssh does not directly use liblzma. However debian and several >> other >> distributions patch openssh to support systemd notification, and >> libsystemd >> does depend on lzma. > > <snip> > >> Observed requirements for the exploit: >> b) argv[0] needs to be /usr/sbin/sshd > > I have checked, and found that Arch Linux does not apply any patches > when building OpenSSH. > > P.S. in the detect.sh script, the "set -eu" line plays a bad trick: it > aborts the check if sshd is not actually linked to liblzma.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.