BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Debian 12 in the Cloud
- Subject: [Discuss] Debian 12 in the Cloud
- From: richard.pieri at gmail.com (Rich Pieri)
- Date: Fri, 31 May 2024 17:31:38 -0400
- In-reply-to: <53c737b9-7b6d-4f4d-82b8-d6b485414080@borg.org>
- References: <a09a4ca0-bfc8-4c5c-ad30-e307be9e2cc1@borg.org> <f840e62cb5c88c336909575f0acc5365.squirrel@mail.mohawksoft.com> <3d52eef7-5aa4-49a0-b580-91183ca1b0ae@borg.org> <20240531124428.649ba044.Richard.Pieri@gmail.com> <53c737b9-7b6d-4f4d-82b8-d6b485414080@borg.org>
On Fri, 31 May 2024 10:07:29 -0700 Kent Borg <kentborg at borg.org> wrote: > The point remains that the code OpenSSH people reviewed, merged, > tested, and published was *not* vulnerable. But as part of using > systemd, others patched sshd to add a new dependency, adding a > backdoor, and the resulting code almost hit stable. If you were to have built OpenSSH and xz and systemd from source code yourself, with systemd notification patches, you would have a version of xz that was *not* backdoored. Because the backdoor was never in any of the source code or in any of the systemd notification patches. It was very cleverly, and very insidiously, concealed in a test harness used by automated build systems to validate the builds, in tarballs you probably would not have used, and even then it was triggered only under very specific conditions. Normally, tools used to detect problems in these files would have caught it, but the bad actor had a year previously requested that their failure case files be excluded from those tests because they would always fail. This is a common practice. And it is important to note that the backdoor had not yet been introduced. Up to this point it was all preparation. Then the systemd maintainers announced that they would be removing some external dependencies including xz. Good on them. The backdoor was added *after* this announcement was made. This is when we see the backdoor added to the test harness and the push by the bad actor to get the new release into major distributions. They almost succeeded: the backdoored xz was in Debian Sid and Ubuntu 24.04 developer builds, and in OpenSUSE Tumbleweed, for about two weeks. As I pointed out previously, *anything* using xz and liblzma could have been targeted. So please, don't blame Debian for using systemd when the reality is that the systemd is also a victim here. If systemd weren't a nigh-ubiquitous target then they would have targeted something else, and perhaps used a different library to insert their backdoor, but the final results would have been the same. If you're going to lay blame on anyone, blame it on all of us who put our mission critical applications on libraries maintained by lone individuals in their spare time. Because this is the real reason, the real root cause, for this. One lone individual manipulated by a (probably) well-funded (probably) state actor. -- \m/ (--) \m/
- Follow-Ups:
- [Discuss] Debian 12 in the Cloud
- From: kentborg at borg.org (Kent Borg)
- [Discuss] Debian 12 in the Cloud
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- [Discuss] Debian 12 in the Cloud
- References:
- [Discuss] Debian 12 in the Cloud
- From: kentborg at borg.org (Kent Borg)
- [Discuss] Debian 12 in the Cloud
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- [Discuss] Debian 12 in the Cloud
- From: kentborg at borg.org (Kent Borg)
- [Discuss] Debian 12 in the Cloud
- From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] Debian 12 in the Cloud
- From: kentborg at borg.org (Kent Borg)
- [Discuss] Debian 12 in the Cloud
- Prev by Date: [Discuss] "Enter a passphrase to unlock the volume"
- Next by Date: [Discuss] Debian 12 in the Cloud
- Previous by thread: [Discuss] Debian 12 in the Cloud
- Next by thread: [Discuss] Debian 12 in the Cloud
- Index(es):