On Fri, 29 Mar 2024 22:55:26 +0100
Christian Weisgerber <na...@mips.inka.de> wrote:
> Christian Weisgerber:
> 
> > > It sounds like a backdoor made it into the upstream repository:
> > > https://www.openwall.com/lists/oss-security/2024/03/29/4  
> > 
> > Yes, I just learned.  I am investigating.  
> 
> The xz 5.6.1 update hasn't been committed yet, so this mostly
> concerns only me anyway.
> 
> * A malicious m4/build-to-host.m4 has been inserted and its code
>   is used in the generated configure script.
> 
> * This extracts and executes a shell script from
>   tests/files/bad-3-corrupt_lzma2.xz.
>   That script aborts if $(uname) is not Linux.  <=== IT ENDS HERE.
>   If the script continued, it would fail because it uses "head -c"
>   and "tail -c" which are a nonstandard extension that the
>   corresponding OpenBSD commands don't support.
> 
> * The script extracts the next stage shell script from
>   tests/files/good-large_compressed.lzma.
>   This stage aborts again early when $(uname) is not Linux.
>   It then proceeds to manipulate the build in some way I won't waste
>   my time to figure out.
> 
> In short, it's a supply chain attack on Linux that doesn't concern
> OpenBSD.
> 
> 
> PS:
> If anybody wants to compare build-to-host.m4, here's the GNU upstream:
> https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host.m4;h=f928e9ab403b3633e3d1d974abcf478e65d4b0aa;hb=HEAD
> 

Good to know! Thanks for this analysis! 

-- 
*********************************************************
God's in His heaven, all's right with the world

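Two checks a packager could script for the situation described above, added here as an example and not code from the thread: a byte comparison of a tarball's m4/build-to-host.m4 against a trusted gnulib copy (the reference path is assumed), and a grep for configure/m4 code that reads test fixtures or uses "head -c"/"tail -c". The sample m4 files are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks a packager can run on an
# unpacked release tarball before trusting its build system:
#  1. byte-compare m4/build-to-host.m4 with a trusted gnulib copy (the reference
#     path is an assumption; obtain it from the gnulib URL quoted in the PS);
#  2. flag configure/m4 code that reads test fixtures or uses "head -c"/"tail -c",
#     which autoconf logic has no reason to do.

# Prints "match" or "differs"; exit status 0 / 1.
m4_matches_reference() {
    if cmp -s "$1" "$2"; then
        echo match
    else
        echo differs
        return 1
    fi
}

# Prints offending lines as file:line:text; exit 0 if any found, 1 if clean.
suspicious_build_refs() {
    grep -nE 'tests/files|head -c|tail -c' "$@" 2>/dev/null
}

# Constructed sample inputs (not real xz or gnulib files) so this runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ref.m4" <<'EOF'
AC_DEFUN([gl_BUILD_TO_HOST], [
  AC_SUBST([build_to_host])
])
EOF
cp "$tmp/ref.m4" "$tmp/clean.m4"
cat > "$tmp/tampered.m4" <<'EOF'
AC_DEFUN([gl_BUILD_TO_HOST], [
  AC_SUBST([build_to_host])
  gl_fixture="$srcdir/tests/files/sample.xz"
])
EOF

# Demonstration run: clean.m4 reports "match", tampered.m4 reports "differs"
# and is flagged for referencing a file under tests/files.
for f in clean tampered; do
    printf '%s: %s\n' "$f" "$(m4_matches_reference "$tmp/ref.m4" "$tmp/$f.m4")"
done
suspicious_build_refs "$tmp/tampered.m4" || echo "no suspicious references"
```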