Looks like someone managed to get a backdoor into ssh in Fedora and Debian testing. Patch systems ASAP. https://www.openwall.com/lists/oss-security/2024/03/29/4
Wow: "That line is *not* in the upstream source of build-to-host, nor is build-to-host used by xz in git. However, it is present in the tarballs released upstream, except for the "source code" links, which I think github" They pwned the release distribution; source in git is fine. Nuts.
Source in git has the malicious binary, though. A malicious committer did it, not just anyone.
Fascinated to behold. 🍿
Technically, the backdoor is in xz-utils, and affects sshd when it is linked into sshd at runtime, as happens in most Linux distributions. The backdoor could conceivably be designed to affect other programs in addition to sshd. (Of course, affecting sshd is bad enough). It's a pretty sophisticated "supply chain" attack. Sadly, the upstream xz-utils project maintainer is either complicit or compromised. nostr:note1mqvnsk7me3wt3xd2pqyu04chlvygdphkt5p8sm56wxa28agxtc5stt2l5q
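The point raised above that the malicious build step lived in the released tarball but not in the upstream git tree is something a defender can check mechanically: hash every file in a VCS checkout, hash every file in the release tarball, and review whatever exists only in the tarball or differs between the two. The script below is an added illustration of that check, not code from the thread or from the xz project; it builds a small constructed checkout and tarball in memory (the file names and contents are made up) and compares them. Autotools releases legitimately ship generated files such as `m4/*.m4` and `configure`, so a hit in `only_in_tarball` or `modified` is a review queue, not a verdict.

```python
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digests_from_dir(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root (skips .git)."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = _sha256(fh.read())
    return out


def digests_from_tarball(tar_bytes: bytes, strip_components: int = 1) -> dict:
    """Map relative path -> sha256 for regular files in a tarball, dropping the
    leading 'project-version/' directory that release tarballs usually carry."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")[strip_components:]
            if not parts:
                continue
            out["/".join(parts)] = _sha256(tf.extractfile(member).read())
    return out


def compare_release_to_vcs(vcs: dict, tarball: dict) -> dict:
    """Classify paths as tarball-only, VCS-only, or present in both with different
    content. 'only_in_tarball' and 'modified' are the sets a reviewer must inspect."""
    vcs_paths, tar_paths = set(vcs), set(tarball)
    return {
        "only_in_tarball": sorted(tar_paths - vcs_paths),
        "only_in_vcs": sorted(vcs_paths - tar_paths),
        "modified": sorted(p for p in vcs_paths & tar_paths if vcs[p] != tarball[p]),
    }


def build_constructed_tarball(files: dict, prefix: str = "proj-1.0") -> bytes:
    """Constructed sample: pack {relpath: bytes} into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for rel, data in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{rel}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict:
    """Build a constructed VCS checkout and release tarball, then compare them.
    File names and contents are invented for the illustration."""
    vcs_files = {
        "configure.ac": b"AC_INIT([proj], [1.0])\n",
        "src/main.c": b"int main(void) { return 0; }\n",
    }
    # Tarball adds a generated m4 file absent from VCS and carries an edited configure.ac.
    tar_files = dict(vcs_files)
    tar_files["m4/build-to-host.m4"] = b"# generated m4 (constructed sample)\n"
    tar_files["configure.ac"] = b"AC_INIT([proj], [1.0])\nAC_CONFIG_MACRO_DIR([m4])\n"
    tar_bytes = build_constructed_tarball(tar_files)
    with tempfile.TemporaryDirectory() as workdir:
        for rel, data in vcs_files.items():
            path = Path(workdir) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return compare_release_to_vcs(digests_from_dir(workdir), digests_from_tarball(tar_bytes))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Against a real project, replace `demo()` with `digests_from_dir` on a checkout of the tagged commit and `digests_from_tarball` on the downloaded release archive; a cleaner variant regenerates the tarball from the tag with the project's own `make dist` and diffs that against the published one, so expected generated files cancel out.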
Impressive how this was caught within three weeks of the first malicious commit.
Which, if true, could mean that updating your system now might actually pull in the exploit, if this isn't shipped for the particular distro.
Honestly that’s mostly cause the exploit was kinda shitty, though…
According to this, it only made it to test systems? https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/ The University of Minnesota did something similar as a PoC a few years ago with the kernel. https://www.theverge.com/2021/4/30/22410164/linux-kernel-university-of-minnesota-banned-open-source