Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > linux.debian.project > #14074

Re: Question about XZ backdoor & compression

From <tomas@tuxteam.de>
Newsgroups linux.debian.project
Subject Re: Question about XZ backdoor & compression
Date 2025-12-28 09:40 +0100
Message-ID <M6UtH-6fyy-3@gated-at.bofh.it> (permalink)
References <M6Mw9-6a2e-3@gated-at.bofh.it>
Organization linux.* mail to news gateway

Show all headers | View raw


[Multipart message — attachments visible in raw view] - view raw

On Sat, Dec 27, 2025 at 11:59:27PM +0000, William Richards #SaveOurInternet wrote:
> Hello Debian (and RedHat),
> I am wondering if anyone ended up compressing (or considered compressing)
> their software with XZ Utils before the latest Debian build at the time of
> the backdoor's discovery was released. Are they allowed to do that? Has any
> developer considered it at one point?
> Also:

[...]

That thing has been described extensively. I don't understand why
you are posing this questions.

Have you read, e.g.

  https://en.wikipedia.org/wiki/Xz_backdoor#Mechanism

Do you have any reasons to believe that this exploit has targeted
anything else than the patched-for-systemd sshd server variants?

Remember: for stealthiness, the exploit was injected during the
"make test" phase, thus avoiding being seen directly in the source
code. It checked whether it was "in" the mentioned SSH patch.

(As a side note, this "indirect deploy during the build process"
has gained some tradition in the wild, as can be seen in [1].
This is interesting, because Ken Thompson demonstrated this
pattern already 1984 [2]. Sometimes, industry moves slowly)

Cheers

[1] https://lwn.net/Articles/773121/
[2] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

-- 
t

Back to linux.debian.project | Previous | NextPrevious in thread | Find similar | Unroll thread


Thread

Question about XZ backdoor & compression "William Richards #SaveOurInternet" <corpseleague@gmail.com> - 2025-12-28 01:10 +0100
  Re: Question about XZ backdoor & compression <tomas@tuxteam.de> - 2025-12-28 09:40 +0100

csiph-web