Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 2 Apr 2024 17:41:47 -0000 (UTC)
From: Tavis Ormandy <>
Subject: Re: finding similar compromises (was Re: From xz to ibus: more
 questionable tarballs)

On 2024-04-02, Tavis Ormandy wrote:
> On 2024-04-01, HW42 wrote:
>> Hi Jan,
>> great that you are looking for further problems. (Just to be clear, I'm
>> not associated with ibus in any way.)
> Yes, agreed. In the interests of discussing things in the open after
> just complaining about embargoes... :)
> It occurred to me that I could grep around in an SKS dump for any keys
> that had similar options that Jia Tan used -- algorithm preferences and
> so on -- and see if any jumped out as suspicious.

FYI, of the 22,885,940 signature packets in my SKS dump, 1186 had the
same options as Jia's (algo, keylen, expiry, prefs).

Around 26 were made +/- a month of Jias, I checked them all manually.

Around ~11 had github accounts that matched the user id -- no obvious
malice. A few were package signing keys, but browsing the releases they
seem okay to me.

There was a cluster from Warwick students, I'm thinking they use the
same distribution as Jia? e.g, these all look similar:


Note: You can fetch them with something like gpg --recv-key xxx

In summary, nothing suspicious jumps out, I'm just documenting it here
to save anyone else the effort.

If I extend the search for keys generated at any time (not just close to
when Jia's key was generated), there are 1,186 matches. That's probably
too much to check manually, but I'll check the user\d+@...e-email
ones this afternoon....

$ grep -cP '<\w+\d+@.*\>' matches.txt

I guess it's alo possible Jia just entered "5y" manually at the
--full-generate-key prompt, or doesn't use that expiration consistently.
If so, there are 26,871 matching keys to check :(

Anyway, I feel like my eyeballs did their part :)


 _o)            $ lynx
 /\\  _o)  _o)  $ finger
_\_V _( ) _( )  @taviso

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.