[RndTbl] Security vulnerability: Watch out for xz

Trevor Cordes trevor at tecnopolis.ca
Fri Mar 29 19:30:53 CDT 2024


On 2024-03-29 Alberto Abrao wrote:
> Nasty one...

Wunderbar!

I ran the detect script (after dissecting and rewriting manually for
tcsh) on muug (deb) and my own box (f39) and neither is vulnerable.

It looks like you had to be using an uber-bleeding-edge distro (like a
-testing) to have this hole.

To be a problem for most of the world, the culprits would have to hope
the hack wouldn't have been caught for months.

Once again we can see the fragility of the entire FOSS ecosystem if
every cog doesn't do its due diligence, especially on commits and
build/packaging systems.  (Maybe those "reproducible builds" guys are
on to something?)

One obfuscated line injected is all it takes.  It's scary that this
required a dude who was seeing symptoms on his live system to get
exposed.

And talk about obfuscated... hiding this among m4 code that virtually no
one understands now (except us sendmail geeks!).  And in what looks
like the test code that is like the last thing programmers want to
think about.

Even worse, so many programs, packaging systems, and even the kernel
rely on xz now.  Would this have worked its way into a kernel
vulnerability?

Sounds like the hack has been in there for a couple of weeks as per the
original reporter, but convenient how this comes out right at the start
of a 3 or 4 day weekend for most IT workers, virtually guaranteeing
slow or no response until mid next week.

P.S. Great work by the Andres Freund dude who pieced this all together
and reported it.  That's some major geek cred.