backdoor in upstream xz/liblzma leading to ssh server compromise
backdoor in upstream xz/liblzma leading to ssh server compromise
backdoor in upstream xz/liblzma leading to ssh server compromise
You're viewing a single thread.
Time to bring back the reproducible build hype
Won't help here; this backdoor is entirely reproducible. That's one of the scary parts.
The backdoor wasn't in the source code, only in the distributed binary. So reproducible builds would have flagged the tar as not coming from what was in Git
Reproducible builds generally work from the published source tarballs, as those tend to be easier to mirror and archive than a Git repository is. The GPG-signed source tarball includes all of the code to build the exploit.
The Git repository does not include the code to build the backdoor (though it does include the actual backdoor itself, the binary "test file", it's simply disused).
Verifying that the tarball and Git repository match would be neat, but is not a focus of any existing reproducible build project that I know of. It probably should be, but quite a number of projects have legitimate differences in their tarballs, often pre-compiling things like autotools-based configure scripts and man pages so that you can have a relaxed ./configure && make && make install
build without having to hunt down all of the necessary generators.
Time to change that tarball thing. Git repos come with built in checksums, that should be the way to go.
Honestly, while the way they deployed the exploit helped hide it, I'm not sure that they couldn't have figured out some similar way to hide it in autoconf stuff and commit it.
Remember that the attacker had commit privileges to the repository, was a co-maintainer, and the primary maintainer was apparently away on a month-long vacation. How many parties other than the maintainer are going to go review a lot of complicated autoconf stuff?
I'm not saying that your point's invalid. Making sure that what comes out of the git repository is what goes to upstream is probably a good security practice. But I'm not sure that it really avoids this.
Probably a lot of good lessons that could be learned.
You're right, there's more parts to it, especially social engineering. Maybe there's other ways to hide a payload, but there aren't many avenues. You have to hide the payload in a binary artefact, which are pretty suspicious when you don't do it in a (well scrutinized) cryptography lib, or a compression lib.
Then that payload has to be executed for some reason, which means you need a really good reason to embed it (e.g. something like widevine), or have to modify the build script.
Not exactly - it was in the source tarbal available for download from the releases page but not the git source tree.
The back door is not in the source code though, so it's not reproducible from source.
Part of the payload was in the tarball. There was still a malicious shim in the upstream repo
Why didn't this become a thing? Surely in 2024, we should be able to build packages from source and sign releases with a private key.
It's becoming more of a thing but a lot of projects are so old that they haven't been able to fix their entire build process yet
Probally more SLSA which reproducible builds is apart of