Personal Log »

Backdoor in upstream xz/liblzma

Long story short: someone added a backdoor to upstream xz/liblzma that will compromise a SSH server in some conditions. And it got to places, for example xz-utils in Debian unstable and testing (it has been reverted now).

There’s a great in-detail summary by Evan Boehs: Everything I Know About the XZ Backdoor. I recommend reading it, because there is a lot to learn from this situation.

For example: how many single maintainers are out there taking care of vital pieces of open source software, without help, and that may even be in a specially bad place personally?

Alan Cox was commenting on mastodon:

At a certain level I am amused that probably millions of dollars of careful espionage work has been pissed away by a fraction of a second delay in an exploit.

Far more of a problem though are systems that dynamically assemble stuff from latest versions of things. We can be sure that some maintainers of those thousands of tiny pieces are careful, reliable maintainers funded by various governments who if the call comes will use that trust to flip them for bad causes.

The first part makes reference to how the backdoor was detected –it made sshd slower and someone was looking–, and the second is one that has been bothering me a lot since I started working on the JVM professionally –with Scala–. It is common practice to update and include lots and lots of dependencies directly from different upstream providers, without appropriate scrutiny. Does it compile? Do your test pass? I don’t think people really read the changelog, and we are live!

Which makes sense. It isn’t possible to review all your dependencies, because that is how industrial software is built today. And as we can see, the fact that a distribution like Debian is providing your packages is not bullet-proof –although the issue was in unstable/testing, it never got to stable–, but I generally trust the distribution maintainers to do the right thing. If anything, it is another layer of security.

It is not if but when more things like these will happen, be it because the maintainers are overstretched and make an honest mistake –see Log4Shell as an example–, or because there’s malicious intent.

Would you like to discuss the post? You can send me an email!