Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 30 Mar 2024 18:07:59 +0100
From: "Rein Fernhout (Levitating)" <>
Cc: Jonathan Schleifer <>
Subject: Re: Re: backdoor in upstream xz/liblzma leading to ssh
 server compromise

I am currently checking out the RISC-V test files. They were updated around the same time as the others.

> My main worry is that when I extracted it, I replaced the sed in here:

You can just use 'sed r\n filename' and it should work. I think it just reads the file and appends a newline.

Extracting it can be simplified to:
sed r\n $(grep -aErls "#{4}[[:alnum:]]{5}#{4}$" .) | tr "\t \-_" " \t_\-" | xz -d 2>/dev/null

Where the grep finds bad-3-corrupt_lzma2.xz

As for the extra code in 5.6.1, I think because the greps are for some specific bytes they are meant for 1 or 2 specific test files that don't actually exist yet, but might've been uploaded later. Using grep, the right offsets are found, and this is then read, translated, decompressed and executed. The translation is the same for both.

> I think it's time to coordinate things.

There is already some discussion on #tukaani on Libera.

I also joined your channel.

My mail client had format=flowed enabled so my list of test files by Jia was malformed, but here they are again (without the summaries).

bad-3-corrupt_lzma2.xz     74b138d2a6529f2c07729d7c77b1725a8e8b16f1
bad-dict_size.lzma         cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0
good-1-riscv-lzma2-1.xz    a67dcce6109c2f932a0a86abb0d7a95d3c31fb3e
good-1-riscv-lzma2-2.xz    a67dcce6109c2f932a0a86abb0d7a95d3c31fb3e
good-2cat.xz               cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0
good-large_compressed.lzma 74b138d2a6529f2c07729d7c77b1725a8e8b16f1
good-small_compressed.lzma cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0

On 2024-03-30 17:17, Jonathan Schleifer wrote:
> Am 30.03.24 um 16:10 schrieb Rein Fernhout (Levitating):
>> The script attached by Andres was from 5.6.0.
>> I extracted the script from both versions and I can verify your diff.
>> I attached the two versions I extracted.
>> It definitely does look like the 5.6.1 version looks for 2 extra scripts to execute.
>> I don't get any matches on the greps either though.
> My main worry is that when I extracted it, I replaced the sed in here:
> sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_localedir_prefix -d 2>/dev/null
> With a simple cat, as I could not make sed work. This worries me as it means there is probably some other transformation that I'm missing that would have made the sed work. Which means there's transformations I'm missing and those could as well mutate some of the test files or resulting payloads. So it could either change the grep itself, or create files that match the grep.
> Which means I'm not sure that actually no files match and it actually executes nothing.
>> I also want to look more into the object file.
> I think it's time to coordinate things.
> I created a chat room for this on Matrix, IRC and Discord -- all bridged together so it's essentially one chat room. Those interested, please join:
> Matrix:
> IRC: #xz-backdoor-reversing on
> Discord:

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.