oss-security - Re: backdoor in upstream xz/liblzma leading to ssh server compromise

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Fri, 29 Mar 2024 23:50:53 +0400
From: Loganaden Velvindron <loganaden@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: backdoor in upstream xz/liblzma leading to ssh
 server compromise

I think that distros should be very careful when they start patching
openssh in general.








On Fri, Mar 29, 2024, 23:20 Andres Freund <andres@...razel.de> wrote:

> Hi,
>
> On 2024-03-29 19:44:05 +0100, Matthias Weckbecker wrote:
> > I've attached a yara rule to detect the *.o droplet you attached in the
> > email (liblzma_la-crc64-fast.o.gz).
>
> Unfortunately xz 5.61 added further obfuscations, making it harder to
> detect. Should have made it clearer that the attached .o was from 5.60.
> Among
> others 5.61 removed the two symbols you're checking against here.  That's
> why
> Vegard's script looks for a specific instructions sequence, but obviously
> is
> also more obscure :/
>
> Regards,
>
> Andres
>

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.