[Discuss] Debian 12 in the Cloud

Rich Pieri richard.pieri at gmail.com
Fri May 31 17:31:38 EDT 2024 

On Fri, 31 May 2024 10:07:29 -0700
Kent Borg <kentborg at borg.org> wrote:

> The point remains that the code OpenSSH people reviewed, merged,
> tested, and published was *not* vulnerable. But as part of using
> systemd, others patched sshd to add a new dependency, adding a
> backdoor, and the resulting code almost hit stable.

If you were to have built OpenSSH and xz and systemd from source code
yourself, with systemd notification patches, you would have a version of
xz that was *not* backdoored. Because the backdoor was never in any of
the source code or in any of the systemd notification patches.

It was very cleverly, and very insidiously, concealed in a test harness
used by automated build systems to validate the builds, in tarballs you
probably would not have used, and even then it was triggered only under
very specific conditions. Normally, tools used to detect problems in
these files would have caught it, but the bad actor had a year
previously requested that their failure case files be excluded from
those tests because they would always fail. This is a common practice.
And it is important to note that the backdoor had not yet been
introduced. Up to this point it was all preparation.

Then the systemd maintainers announced that they would be removing
some external dependencies including xz. Good on them.

The backdoor was added *after* this announcement was made. This is when
we see the backdoor added to the test harness and the push by the bad
actor to get the new release into major distributions. They almost
succeeded: the backdoored xz was in Debian Sid and Ubuntu 24.04
developer builds, and in OpenSUSE Tumbleweed, for about two weeks.

As I pointed out previously, *anything* using xz and liblzma could have
been targeted. So please, don't blame Debian for using systemd when the
reality is that the systemd is also a victim here. If systemd weren't a
nigh-ubiquitous target then they would have targeted something else,
and perhaps used a different library to insert their backdoor, but the
final results would have been the same.

If you're going to lay blame on anyone, blame it on all of us who put
our mission critical applications on libraries maintained by lone
individuals in their spare time. Because this is the real reason, the
real root cause, for this. One lone individual manipulated by a
(probably) well-funded (probably) state actor.

-- 
\m/ (--) \m/

More information about the Discuss mailing list