BLUE

Filippo Valsorda

@filippo.abyssdomain.expert

RC F'13, F2'17 Cryptogopher / Go cryptography maintainer Professional open source maintainer filippo.io / github.com/FiloSottile mkcert.dev / age-encryption.org sunlight.dev / filippo.io/newsletter

11.9k followers405 following882 posts

FVfilippo.abyssdomain.expertMar 29, 2024 7:29pm

This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library. Looks like this got caught by chance. Wonder how long it would have taken otherwise.

FVfilippo.abyssdomain.expertMar 29, 2024 4:49pm

Woah. Backdoor in liblzma targeting ssh servers. www.openwall.com/lists/oss-se... It has everything: malicious upstream, masterful obfuscation, detection due to performance degradation, inclusion in OpenSSH via distro patches for systemd support… Now I’m curious what it does in RSA_public_decrypt

IClookitup.babyMar 29, 2024 7:30pm

Fucking wild mastodon.social/@AndresFreun...

GVi6t.nlMar 29, 2024 11:04pm

"[...] due to longterm mental health issues but also due to some other things. Recently I've worked off-list a bit with Jia Tan on XZ Utils and perhaps he will have a bigger role in the future" www.mail-archive.com/xz-devel@tuk... pressure in replies 👀 "Why wait until 5.4.0 to change maintainer?"

post by Lasse Collin on the xz-devel mailing list

reply to post of Lasse on the xz-devel mailing list, pressuring him to take on another maintainer

FVfilippo.abyssdomain.expertMar 29, 2024 7:33pm

Yeah ok this was 100% found by sheer luck. mastodon.social/@AndresFreun...bsky.app/profile/look...

Nnafnlaus.bsky.socialMar 29, 2024 9:52pm

Given that the payload hasn't been deciphered yet.. um... isn't this a "change all your passwords, too" thing?

Bblonkus.bsky.socialMar 30, 2024 10:57pm

Is there a good summary on this whole thing yet? I’m not a layperson, but I thankfully am not in a position where I have to care too much right now, so I haven’t been following. Curious about who did this, how it was done, how widespread it is, what the consequences are for affected servers.

Sstr4d.xyzMar 29, 2024 7:53pm

If this really was a year-long exploit deployment, it is some impressive, patient, and scary work.

Hacker News post by formerly_proven:

I think this has been in the making for almost a year. The whole ifunc infrastructure was added in June 2023 by Hans Jansen and Jia Tan. The initial patch is "authored by" Lasse Collin in the git metadata, but the code actually came from Hans Jansen.

> Thanks to Hans Jansen for the original patch.

There were a ton of patches by these two subsequently because the ifunc code was breaking with all sorts of build options and obviously caused many problems with various sanitizers. Subsequently the configure script was modified multiple times to detect the use of sanitizers and abort the build unless either the sanitizer was disabled or the use of ifuncs was disabled. That would've masked the payload in many testing and debugging environments.

The hansjans162 Github account was created in 2023 and the only thing it did was add this code to liblzma. The same name later applied to do a NMU at Debian [truncated]

AJjabsco.cia.fyiMar 29, 2024 7:42pm

the thing that's sending me is that this kind of *wasn't* authorized upstream: it was slipped into the tarballs post-source-code-checkout

AJjabsco.cia.fyiMar 29, 2024 7:35pm

it's always the night guard idly doing the rounds who just happens to notice the taped-open door latch

MRmarshray.bsky.socialMar 30, 2024 6:26am

en.wikipedia.org/wiki/BSAFE

DMdamienmiller.bsky.socialMar 29, 2024 8:41pm

There goes my week...

Filippo Valsorda

@filippo.abyssdomain.expert

RC F'13, F2'17 Cryptogopher / Go cryptography maintainer Professional open source maintainer filippo.io / github.com/FiloSottile mkcert.dev / age-encryption.org sunlight.dev / filippo.io/newsletter

11.9k followers405 following882 posts