tukaani-project / xz

XZ Utils
https://tukaani.org/xz/

[Bug]: Upstream compromised? Or is the compromise? #92

Closed alerque closed 4 months ago

alerque commented 4 months ago

I understand why the author(s) of the analysis of the backdoor being distributed by this project decided not to notify upstream first since it looks like either the upstream is the compromise or at least are compromised themselves, so reporting here first would have done nothing except give the culprit time to wiggle. But the cat is out of the bag now and I see comments all over the place pinging the author. I think it's high time a bug report here notifies people following this tracker there is an issue. Also this serves as a request for a postmortem. Either this project has members that are bad actors or the members have themselves been deeply compromised. Most evidence seems to support the former. If there is evidence of the latter I suggest getting it out there post-haste.

skull-squadron commented 4 months ago

Without adding fuel to the fire, this is a good reminder about discretion in trust, vigilance, and security practices in F{L,}OSS dev and packaging. Recall also ProFTPD, OpenBSD, PyPi, rest-client.

In the future, it would be useful for researchers and laypeople to submit SHA256, etc. hashes of known good and known bad artifacts to make tracing simpler.

Cheers peeps and best wishes for cleanup and recovery. xz is a core package to FLOSS.

AffSeda commented 4 months ago

Sorry, I meant update brew in the sense of "update the package you have installed on brew" which will actually result in a downgrade. You can view their report here: https://github.com/orgs/Homebrew/discussions/5243

I'm afraid I do not have the expertise to speculate on the answers to your questions, so I'm going with the option provided by Homebrew maintainers. They do not believe theirs was affected.

DanielRuf commented 4 months ago

@skull-squadron that is a developing story. Did you see https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh#L40 and the bash script at https://www.openwall.com/lists/oss-security/2024/03/29/4?

DanielRuf commented 4 months ago

The code checks for Linux and x86-64 as the architecture according to Andres Freund (see https://www.openwall.com/lists/oss-security/2024/03/29/4).

Apple has a different architecture.

BurningEnlightenment commented 4 months ago

@ShePastAway0 The backdoor which has been found is quite sophisticated and relies on a prebuilt object file shipped as part of the test files in this repository. As far as I am aware this object file is built for x86_64 and no other payloads have been found at the time of writing. However, it is not inconceivable that other attack vectors have been introduced in the past year--it will take more time to fully audit the changes made in the past year, e.g. we might find something like the suspicious libarchive PR. A conservative approach would be to revert to the last release made by Lasse Collin himself.

Midek commented 4 months ago

Whats with chinks always trying to get into my ssh? first it was just the bruteforce loggin attempts, now they want to get in from the inside.

Tejeev commented 4 months ago

@Midek, hopefully you're knowledgeable in infosec and just joking, but if not, you may want to look up what a false flag is. There are a lot of malicious actors out there, and folks who are quick to point fingers are the easiest to manipulate. If someone were trying to hide their tracks, planting a few false flags like making sure they committed at a similar time window each time, would be too easy a step for them to not take. Especially someone smart and dedicated enough to do this.

cwegener commented 4 months ago

Does anyone have any information concerning the threat actor such as his identity or country of origin?

Commit history shows timezone to be UTC+8, so likely a chink.

I have no clue what you are trying to say, but on the off chance that you are not in the world of software engineering, here is a screenshot of me making a git commit with UTC+8 (note on the top right, my local time is UTC+11)


Hakkin commented 4 months ago

Lasse doesn't appear to be involved: https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html

It's interesting to note that the "Jigar Kumar" in this thread that is pressuring Lasse to find a replacement maintainer has the same e-mail format (<firstname><lastname><number>) as the "Hans Jansen" e-mail that was part of the backdoored commits. The PGP key for the Protonmail account (0xA97B6FC34F5DB756) was created on 2022-04-26, and the first message by "Jigar Kumar" on the xz-devel mailing list was on 2022-04-27, one day later.

It's seeming increasingly likely that every step of this process was carefully orchestrated by multiple sockpuppet accounts controlled by the same actor.

alanc commented 4 months ago

I'd be happy to understand why @Larhzu didn't react yet.

It appears GitHub has suspended the accounts of both project maintainers, but this is only shown in their entries in the "following" lists of accounts who follow them, not their main profiles:

* https://github.com/JiaT75?tab=following

* https://github.com/Larhzu?tab=following

cwegener commented 4 months ago

This issue should probably be locked

Locked by whom though?

alerque commented 4 months ago

@alanc Interesting find. Hans' account is also suspended. Somebody at GH probably has access (and possibly soon a legal mandate) to look into PII on those accounts and correlate activity.

P-EB commented 4 months ago

I'd be happy to understand why @Larhzu didn't react yet.

It appears GitHub has suspended the accounts of both project maintainers, but this is only shown in their entries in the "following" lists of accounts who follow them, not their main profiles:

* https://github.com/JiaT75?tab=following

* https://github.com/Larhzu?tab=following

Ah, this UI is really horrible. Thanks for finding that out.

That being said, a mail on oss-security would be a good start.

Asday commented 4 months ago

That being said, a mail on oss-security would be a good start.

https://www.openwall.com/lists/oss-security/2024/03/29/4 Like this one?

Am I misunderstanding what "oss-security" is?

P-EB commented 4 months ago

https://www.openwall.com/lists/oss-security/2024/03/29/4 Like this one?

No. From Lasse.

Asday commented 4 months ago

Lasse regularly has internet breaks and is on one at the moment, started before this all kicked off. We believe CISA may be trying to get in contact with him.

mirabilos commented 4 months ago

Debian is currently looking into downgrading it even further, before the first contribution from the known bad actor, which may be an older 5.2 release (later ones were also cut by them), then reapplying only the security fixes that came later on top manually, for now.

medicalwei commented 4 months ago

Is it safe to keep discussions here, where the maintainers have delete access to the whole thread? I worry they may drop the discussion or the repo.

colleirose commented 4 months ago

Yeah, the maintainers could delete the thread, but having it here until they delete it will help serve as a warning to the public.

AffSeda commented 4 months ago

I'm pretty sure the maintainers are both suspended and can't do anything.

colleirose commented 4 months ago

I'm pretty sure the maintainers are both suspended and can't do anything.

Oh, that's good.

rugk commented 4 months ago

Also there is archive.org.

junaruga commented 4 months ago

Also there is archive.org.

Nice! The link below may be better for seeing the updated archives. https://web.archive.org/web/20240000000000*/https://github.com/tukaani-project/xz/issues/92

thesamesam commented 4 months ago

I'm going to close this for now. There are a huge number of comments and a lot of speculation, and it's not really actionable in terms of technical items to work on other than the obvious.

I may start a new issue with a checklist of what is to be done to decontaminate things.

If you need information on the incident, please see https://tukaani.org/xz-backdoor/.

Kamillaova commented 2 months ago

xd

thepwrtank18 commented 2 months ago

it's fixed boowomp