On 2024-03-29 Alberto Abrao wrote:
Nasty one...
I ran the detect script (after dissecting and rewriting manually for tcsh) on muug (deb) and my own box (f39) and neither is vulnerable.
It looks like you had to be using an uber-bleeding-edge distro (like a -testing) to have this hole.
To be a problem for most of the world, the culprits would have to hope the hack wouldn't have been caught for months.
Once again we can see the fragility of the entire FOSS ecosystem if every cog doesn't do its due diligence, especially on commits and build/packaging systems. (Maybe those "reproducible builds" guys are on to something?)
One obfuscated line injected is all it takes. It's scary that this required a dude who was seeing symptoms on his live system to get exposed.
And talk about obfuscated... hiding this among m4 code that virtually no one understands now (except us sendmail geeks!). And in what looks like the test code, which is like the last thing programmers want to think about.
Even worse, so many programs, packaging systems, and even the kernel rely on xz now. Would this have worked its way into a kernel vulnerability?
Sounds like the hack has been in there for a couple of weeks as per the original reporter, but convenient how this comes out right at the start of a 3 or 4 day weekend for most IT workers, virtually guaranteeing slow or no response until mid next week.
P.S. Great work by the Andres Freund dude who pieced this all together and reported it. That's some major geek cred.