The poor original maintainer of xz is on it now, and has already found another "fun" thing: https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00 . The configure check for enabling the Landlock sandboxing facility was subtly broken, so that Landlock support would never get enabled. The original malicious commit landed around the same timeframe as the main backdoor, also at an abnormal time of day compared to the new maintainer's historical activity pattern.
@danderson that one is deliciously clever. I didn't see it when I looked at the diff despite having been primed to look for something evil.

@dave_andersen @danderson
so how does it work? I guess CMake passes that chunk of C to the compiler, but then the build script assumes that if that compilation fails for any reason, including a syntax error, then the system doesn't actually support landlock?

and are you in fact two different people?

@anymaw @dave_andersen Yeah, these feature checks usually work by compiling (and maybe running) a test program, to check that everything required is present. The original malicious commit that added this check explained that on some systems the header files for Landlock are present but Landlock doesn't actually work, so the configuration builds a test program to check if it actually works.

And yes, any failure is interpreted as the feature being unavailable :/

@anymaw @dave_andersen And yes, different people. The joy of having a very common name :)
@danderson @anymaw @dave_andersen There was a Mrs. Smith in our church growing up. She got divorced and when she remarried became....Mrs Jones ;-)
@pixelpusher220 @danderson @anymaw I probably should have taken my wife's name when we got married, but by then she and I both had extensive publication records under our original names.

@dave_andersen @pixelpusher220 @danderson @anymaw

We always wanted to coax a bunch of Danish astronomer colleagues to write a joint paper. It could have been at least 6 Andersens, some even with the same initials...

@knud @pixelpusher220 @danderson @anymaw And then you could do an international collaboration and see if you could get Andersson, Anderson, Andersen, Anderssen, Andrésson, & Andressen as authors.

@dave_andersen @pixelpusher220 @danderson @anymaw

Uuuh, interesting! We were initially just interested in obfuscating who actually was first author.

@dave_andersen @knud @danderson @anymaw

And all presentations have to begin with Matrix Agent Smith

@anymaw What do you mean? @dave_andersen has a Danish last name and @danderson has a Swedish one. Completely different! 😁

@danderson That one is tricky!

I'm so sorry for Lasse, who now has double the amount of work, to review again every line of code added by the malicious actor.

@danderson I want to support the original maintainer or show my appreciation if I can. But I feel like sending an email just to say thanks or ask how to help would just add to the stress; there must be a ton of emails coming in already.

@danderson I think it's important to give credit where credit is due. Yesterday someone discovered it on GitHub, prior to the repo being taken down. I saved the malicious commit link, because I found it interesting.

Last night (long after all my Mastodon posts, so don't read much into them) I joined the tukaani IRC server, because I was curious if Lasse was aware yet. While I was there I mentioned the issue with that commit, and Lasse pushed the fix. We 1/2

@danderson decided to credit the discovery to "someone on GitHub", but Lasse was really busy+tired, so I think he forgot to include that in the commit description
@danderson I still have not understood what that single dot does?
@gunstick @danderson The build system tries to compile the code to see if it's supported. The dot is a syntax error causing the check to always fail and disable the Landlock feature.
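
The failure mode described in the replies above (any compile failure is read as "feature unavailable") can be audited by keeping the compiler's stderr and separating "the probe does not parse" from "the platform lacks the feature". This is an added example, not part of the thread and not xz's build code; the function names, the sample diagnostics and the use of `-fsyntax-only` are assumptions chosen for illustration.

```python
import re
import shutil
import subprocess
import tempfile

# Compiler wording (GCC/Clang) for "the probe source does not parse".
PARSE_ERR = re.compile(r"error: (expected |stray |missing terminating )")
# Wording for "this platform lacks the header, symbol or library".
MISSING = re.compile(
    r"No such file or directory|file not found|undeclared|undefined reference"
)

def classify(returncode, stderr):
    """Map one probe result to available / unavailable / broken-probe / review."""
    if returncode == 0:
        return "available"
    parse, missing = PARSE_ERR.search(stderr), MISSING.search(stderr)
    if parse and not missing:
        return "broken-probe"   # would fail on every platform: fix the check
    if missing and not parse:
        return "unavailable"    # legitimate negative result
    return "review"             # mixed or unrecognised output

def run_probe(source, cc="cc"):
    """Compile a probe (syntax and declarations only) and classify the result."""
    if shutil.which(cc) is None:
        return None             # no compiler on this host
    with tempfile.NamedTemporaryFile("w", suffix=".c") as f:
        f.write(source)
        f.flush()
        p = subprocess.run([cc, "-fsyntax-only", f.name],
                           capture_output=True, text=True)
    return classify(p.returncode, p.stderr)

# Constructed compiler outputs for illustration, not taken from the xz build.
SAMPLES = {
    "header_missing": (1, "probe.c:1:10: fatal error: linux/landlock.h: "
                          "No such file or directory\n"),
    "stray_dot": (1, "probe.c:3:1: error: expected identifier or '(' "
                     "before '.' token\n"),
    "ok": (0, ""),
}

def audit(results):
    """Return the checks whose failure says nothing about the platform."""
    return sorted(name for name, (rc, err) in results.items()
                  if classify(rc, err) in ("broken-probe", "review"))
```

Running every security-relevant feature check through something like `audit` in CI, on a platform where the feature is known to exist, turns a silently disabled sandbox into a visible failure.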
@danderson why would they do it at an odd time? Is it possible the account itself was compromised?