[mdlug] Good Reading About XZ Backdoor
LAP
mail1 at lapiet.info
Mon Apr 8 12:09:54 EDT 2024
There is good reading available about the XZ backdoor.
If you are familiar with the GNU/Linux configure-make build process
and bash shell scripting you can check out this riveting account:
https://research.swtch.com/xz-script
It may be a bit hard to follow but the author's comments at every
step help out a lot in understanding how it all happened. This was
not a simple hack.
Also, there is the fascinating timeline itself:
https://research.swtch.com/xz-timeline
Can you spot the malicious typo in the C code of this commit for the
landlock test? I could not.
https://git.tukaani.org/?p=xz.git;a=commitdiff;h=a100f9111c8cc7f5b5f0e4a5e8af3de7161c7975
There are "Further Reading" links included after the timeline.
IMO, this cannot be the work of a lone rogue individual. It is
also obvious that the real target was systemd/sshd with XZ being
selected as the single small screw that could bring down an airplane.
https://unicornriot.ninja/2024/xz-utils-software-backdoor-uncovered-in-years-long-hacking-plot/
Happy reading!
--
LAP <mail1 at lapiet.info>
More information about the mdlug
mailing list