Upstream backdoor discovered in xz-utils/liblzma: https://www.openwall.com/lists/oss-security/2024/03/29/4
It seems to affect ssh authentication.
As far as we know, only xz-utils 5.6.0/5.6.1 are affected and these are luckily not yet widely deployed.
@vegard Thank you for the detection script. Unfortunately, the first echo statement is unreachable because you used `set -e` to tell bash to abort on error immediately. Here is a patch:
$ diff detect.sh.orig detect.sh
3c3
< set -eu
---
> set -u
Does it fit in a toot?
#! /bin/bash
set -u
# find path to liblzma used by sshd
path="$(ldd $(which sshd) | grep liblzma | grep -o '/[^ ]*')"
# does it even exist?
if [ "$path" == "" ]
then
echo probably not vulnerable
exit
fi
# check for function signature
if hexdump -ve '1/1 "%.2x"' "$path" | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410
then
echo probably vulnerable
else
echo probably not vulnerable
fi
@vegard @brenns10 Someone pointed out that you should not run ldd on untrusted binaries because in some cases, ldd will run them. Better do `objdump -p`.
While diagnosing a non-determinism Bazel issue at work, I had to compare the dynamic libraries used by two builds of the same binary. To do so, I used ldd(1) and I had to refer to its manual page to understand details of the output I had never paid attention to before. What I saw will surprise you: ldd can end up running the binary given to it, thus making it unsafe against untrusted binaries. Read on for the history I could find around this issue and what alternatives you have.
Vegard
Christian Pietsch 🍑