Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240412163744.6z5n5fhqdu27jybj@jwilk.net>
Date: Fri, 12 Apr 2024 18:37:44 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: <oss-security@...ts.openwall.com>
Subject: Re: Re: backdoor in upstream xz/liblzma leading to
 ssh server compromise

* Jonathan Schleifer <js@....im>, 2024-03-30 17:17:
>I replaced the sed in here:
>
>sed \"r\n\" $gl_am_configmake | eval $gl_path_map | 
>$gl_localedir_prefix -d 2>/dev/null
>
>With a simple cat, as I could not make sed work. This worries me as it 
>means there is probably some other transformation that I'm missing that 
>would have made the sed work.

It's confusing because there are two layers of eval involved. You 
actually end up running:

   sed rn ...

The "r" command means "read from file"; but there's no file named "n", 
so this is no-op.

The sed command is not completely equivalent to cat though: it appends a 
newline, because the original file didn't end with one. This trailing 
garbage slightly upsets xz(1):

     xz: (stdin): Unexpected end of input

(You normally wouldn't see this warning, thanks to generous use of 
"2>/dev/null" in build-to-host.m4.)

-- 
Jakub Wilk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.