El Fri, 29 Mar 2024 22:55:26 +0100
Christian Weisgerber <naddy@mips.inka.de> escribió:
> Christian Weisgerber:
>
> > > It sounds like a backdoor made it into the upstream repository:
> > > https://www.openwall.com/lists/oss-security/2024/03/29/4
> >
> > Yes, I just learned. I am investigating.
>
> The xz 5.6.1 update hasn't been committed yet, so this mostly
> concerns only me anyway.
>
> * A malicious m4/build-to-host.m4 has been inserted and its code
> is used in the generated configure script.
>
> * This extracts and executes a shell script from
> tests/files/bad-3-corrupt_lzma2.xz.
> That script aborts if $(uname) is not Linux. <=== IT ENDS HERE.
> If the script continued, it would fail because it uses "head -c"
> and "tail -c" which are a nonstandard extension that the
> corresponding OpenBSD commands don't support.
>
> * The script extracts the next stage shell script from
> tests/files/good-large_compressed.lzma.
> This stage aborts again early when $(uname) is not Linux.
> It then proceeds to manipulate the build in some way I won't waste
> my time to figure out.
>
> In short, it's a supply chain attack on Linux that doesn't concern
> OpenBSD.
>
>
> PS:
> If anybody wants to compare build-to-host.m4, here's the GNU upstream:
> https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host.m4;h=f928e9ab403b3633e3d1d974abcf478e65d4b0aa;hb=HEAD
>
Good to know! Thanks for this analysis!
--
*********************************************************
Dios en su cielo, todo bien en la Tierra
No comments:
Post a Comment