Re: backdoor in upstream xz/liblzma leading to ssh server compromise

Related Vulnerabilities: CVE-2024-3094

As GitHub has disabled the repository, the commit links in the
original message no longer work. One of the remaining mirrors is
https://git.rootprojects.org/root/xz

So, here are the links, resubmitted and accompanied by the original
text from Andres Freund's initial email to this thread.

===
The files containing the bulk of the exploit are in an obfuscated form
in tests/files/bad-3-corrupt_lzma2.xz
tests/files/good-large_compressed.lzma committed upstream. They were
initially added in

https://git.rootprojects.org/root/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0

Note that the files were not even used for any "tests" in 5.6.0.

Subsequently the injected code (more about that below) caused valgrind errors
and crashes in some configurations, due to the stack layout differing from what
the backdoor was expecting.  These issues were attempted to be worked around
in 5.6.1:

https://git.rootprojects.org/root/xz/commit/e5faaebbcf02ea880cfc56edc702d4f7298788ad
https://git.rootprojects.org/root/xz/commit/72d2933bfae514e0dbb123488e9f1eb7cf64175f
https://git.rootprojects.org/root/xz/commit/82ecc538193b380a21622aea02b0ba078e7ade92

For which the exploit code was then adjusted:

https://git.rootprojects.org/root/xz/commit/6e636819e8f070330d835fce46289a3ff72a7b89
===

Arch Linux builds their xz from commit
git+https://github.com/tukaani-project/xz#tag=v5.6.1 which is now an
invalid link. They use some shaXXXsums to verify the integrity of the
commit they are building from, but I don't know how this works, i.e.,
how to check this manually:

source=("git+https://github.com/tukaani-project/xz#tag=v${pkgver}")
sha256sums=('e10fa4254d5ff033c78dcbfd2866e79a762b8a719503a7c146758e590de945dc')
sha512sums=('8f4ee2e5c9b46d0917d8bdf8b172a70d02a6cf2d4d78a2e99ae942e32979b72b407809ffda2885af41e2c9d801c19eab5e4fd73888fbaf042346be957df406fc')

The mirror does have a v5.6.1 tag, and the build passes (and validates
the checksums) if I replace the source with:

source=("git+https://git.rootprojects.org/root/xz#tag=v${pkgver}")

On Sat, Mar 30, 2024 at 12:09 AM Andres Freund <andres () anarazel de> wrote:

-- 
Alexander E. Patrakov