Unfolding now: https://news.ycombinator.com/item?id=39865810

- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0

An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:

- https://github.com/tukaani-project/xz/commit/ee44863ae88e377a5df10db007ba9bfadde3d314
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
- https://github.com/jamespfennell/xz/pull/2

The timeline on this is going to take so long to unravel

#security #linux

Backdoor in upstream xz/liblzma leading to SSH server compromise | Hacker News

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

I have begun a post explaining this situation in a more detailed writeup. This is updating in real-time, and there is a lot still missing.

#security #xz #linux

Everything I know about the XZ backdoor

Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries

@eb I should note that Lasse also has some suspicious activity recently, such as https://github.com/plougher/squashfs-tools/pull/276 --and also may be currently affiliated with Jia in some capacity, as per https://tukaani.org/about.html
Add RISC-V filter support by Larhzu · Pull Request #276 · plougher/squashfs-tools

This requires liblzma >= 5.6.0. The LZMA2 options are set with the assumption that the RISC-V C extension is in use. I have submitted the RISC-V filter to Linux. It's in the -mm mm-nonmm-unstable b...

@endrift This is interesting. I've also heard the absolutely crazy theory this is all Lasse's doing given the timezones roughly match up and I mean I guess it's possible you could orchestrate all this conversation yourself. Would be criminal mastermind level stuff if so, but I want to give them the benefit of the doubt.

@eb @endrift the only thing Lasse would gain out of that is that they'll likely continue to be maintainer now that this has been discovered. I don't think that's close to enough reason for them to orchestrate all the conversations, so I'm not buying that theory tbh

It seems more likely that Lasse got bought out (or convinced) by Jia, after Jia gained his trust

That said, the most likely explanation imo is that Lasse was telling the truth in the PR description and wanted RISC-V filter 1/2

@eb @endrift support. The linked Linux patch (https://lore.kernel.org/lkml/202403201[email protected]/) was developed by him and co-developed by Jia. Its description suggests that it requires changes to Squashfs-tools. Either he took the initiative to make that PR, or Jia suggested he make that PR. Either way, he was most likely unaware of the backdoor
[PATCH 09/11] xz: Add RISC-V BCJ filter - Lasse Collin

@gamer191 @eb Yeah, I could go either way on this PR. It might be a coincidence, it might not be.

@gamer191 @eb having gotten some sleep and seeing new developments, yeah, Lasse is not at fault here.