Friday, March 29, 2024

Re: archivers/xz: update to 5.6.1

Christian Weisgerber:

> > It sounds like a backdoor made it into the upstream repository:
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> Yes, I just learned. I am investigating.

The xz 5.6.1 update hasn't been committed yet, so this mostly
concerns only me anyway.

* A malicious m4/build-to-host.m4 has been inserted and its code
is used in the generated configure script.

* This extracts and executes a shell script from
tests/files/bad-3-corrupt_lzma2.xz.
That script aborts if $(uname) is not Linux. <=== IT ENDS HERE.
If the script continued, it would fail because it uses "head -c"
and "tail -c", which are nonstandard extensions that the corresponding
OpenBSD commands don't support.

* The script extracts the next stage shell script from
tests/files/good-large_compressed.lzma.
This stage aborts again early when $(uname) is not Linux.
It then proceeds to manipulate the build in some way I won't waste
my time to figure out.

In short, it's a supply chain attack on Linux that doesn't concern
OpenBSD.


PS:
If anybody wants to compare build-to-host.m4, here's the GNU upstream:
https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host.m4;h=f928e9ab403b3633e3d1d974abcf478e65d4b0aa;hb=HEAD

--
Christian "naddy" Weisgerber naddy@mips.inka.de
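An added defender-side check, not part of Christian's mail or of the xz or OpenBSD projects: it flags a source tarball that shows the two indicators he lists, namely the payload carrier files under tests/files/ and an m4/build-to-host.m4 that differs from the gnulib copy. It assumes $1 is a tarball your tar can read (xz-aware tar for .tar.xz) and $2 is a reference build-to-host.m4 saved from the gnulib URL in the PS; the file names come from the mail.

```sh
# Succeed (0) if the tarball lists either carrier file named in the mail.
has_carrier_files() {
    tar tf "$1" 2>/dev/null |
        grep -E 'tests/files/(bad-3-corrupt_lzma2\.xz|good-large_compressed\.lzma)$' >/dev/null
}

# 0 if the tarball's m4/build-to-host.m4 is byte-identical to the reference
# copy, 1 if it differs, 2 if the tarball carries no such file at all.
m4_matches_reference() {
    member=$(tar tf "$1" 2>/dev/null | grep 'm4/build-to-host\.m4$' | head -n 1)
    [ -n "$member" ] || return 2
    tar xOf "$1" "$member" 2>/dev/null | cmp -s - "$2"
}

# Overall verdict: 0 = no indicator found, 1 = at least one indicator found.
# $1 = tarball, $2 = reference build-to-host.m4 (assumed inputs).
check_xz_tarball() {
    rc=0
    if has_carrier_files "$1"; then
        echo "SUSPECT: payload carrier file(s) present under tests/files/"
        rc=1
    fi
    if m4_matches_reference "$1" "$2"; then
        :
    else
        case $? in
            2) echo "note: tarball carries no m4/build-to-host.m4" ;;
            *) echo "SUSPECT: m4/build-to-host.m4 differs from gnulib reference"
               rc=1 ;;
        esac
    fi
    return $rc
}

# usage: check_xz_tarball xz-5.6.1.tar.xz build-to-host.m4.gnulib
```

A clean tarball returns 0 and prints nothing; any hit prints a SUSPECT line and returns 1, so the function drops straight into a ports fetch/extract hook.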
