I accidentally found a security issue while benchmarking postgres changes.
If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.
I accidentally found a security issue while benchmarking postgres changes.
If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.
I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.
Really required a lot of coincidences.
@AndresFreundTec OMG, I read that report earlier today and completely missed it's from you.
Something tells me this is not the only backdoor that person injected into seemingly boring packages ... fun fun fun.
@hikhvar @AndresFreundTec is anyone in touch with the original maintainer?
Given they were put under pressure before already I don't want to imagine their state of mind after the flurry of news in the past few hours.
@lispi314
#guix still takes tarballs with `configure` scripts "precompiled":
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/compression.scm?id=4b23fd7adbddc1bc18b209912c0f3ef369da2f24#n499
Same for #nix, they take distribution tarball with autoreconf-generated files.
Using autoreconf and not trusting distribution tarballs is apparently not as easy as pointing to git repo (which is now down) and using autoreconf because autoreconf itself has to be built before xz during bootstrapping then.
> I"m not sure if many other projects do like Guix and record the checksum of the whole repository so as to ensure reproducibility purely from source.
If the packager chooses to use the official tarball as "the source", validating the checksum would not have helped. :-( Also whether it's always possible to run running autoreconf depends on the content of the tarball.
Which brings me to the (preliminary) conclusion that we'd better use repos as source of trust
@lispi314 @AndresFreundTec @glyph
@AndresFreundTec I truly admire your skill, willingness to trust your gut and appreciate your doggedness and tenacity chasing this down.
The internet is a little safer because of you.
Thanks,
According to the test script fixed in testing as of today. Great. 👍
(As in maybe "right now", i.e. somewhere between early morning update and now - as we're approaching midnight. Phew!)
Beer, peanuts... 🥳
@AndresFreundTec Way to go man.
Thank you for digging deeper until you found it.
@AndresFreundTec
Awesome work!
Shows that stubbornly debugging weird issues (that many would probably just ignore as "oh, it's slower now, whatever, it still works well enough..") can pay out big time! :)
(Well, metaphorically at least, though I guess this also increases your worth on the job market)
@AndresFreundTec Oh, I didn't know you're on the fediverse! I embedded your post in my article @ https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Please let me know if there's anything you'd like me to add to it or clarify!
TIL that there was a movie adaptation of this novella in 2007 called MARCH THE SECOND
https://www.imdb.com/title/tt1379226/
Can't find much info about it and where I might acquire a copy, though.