A backdoor in xz

Well a commit that generates a configure script is very unlikely to get seriously reviewed

The build scene is unfortunately ripe for exploits because mainstream tools are old and crufty and the FAANGS, GitHubs and GNOMEs of the world only care about giant monorepos and static builds and vendoring and containers & flatpacks which all basically mean pile up as much code as you can to avoid any dev porting effort and someone else (never defined) will somehow manage to audit the giant pile of stuff and detect malware.

Safe practices are well known that’s small auditable reusable components, that build from signed archives with no third party altered code dropped in, and frugal acyclic dependency graphs but that‘s exactly the reverse of where we’ve been doing those past years. Devs understand code modularity not build modularity.

The pile of junk has been avoiding any catastrophic collapse so far (apart from the log4j episode with every one else pretending it’s java-specific while replicating the very same build workflows) but that’s only a question of time.

commit IDs are their own checksum, of course - providing you use git to grab them

it almost sounds as if github should not be used as a release mechanism

Debian's "orig.tar.gz" is itself an anachronism that should be tossed into the garbage bin of history sooner rather than later.

They should check out the appropriately-tagged "debian" git branch, build binaries, package them. Done. No more "grab an orig.tar which you didn't build, then apply patches with poissibly-traceable provenance" dances. PLEASE.

> can you give me some tips?

An example of this is darktable: "As always, please don't use the autogenerated tarball provided by github, but only our tar.xz file."

> and why not upload these scripts to GitHub

They pretty much always are, typically called something like "./bootstrap.sh" . But to generate the distribution tarball, you usually need additional dependencies or tools.

Another example of this is gutenprint; As well as the autotools stuff, the distribution tarballs have a lot of other auto-generated stuff (eg supported printer lists) that would otherwise cause major issues if you are trying to cross-compile things.

In both cases the CI systems auto-generates a release tarball after every commit.

It may or may not have been a pseudonym for a person or a group of people.

The pseudonym may or may not point to a specific country.

The pseudonym holder may or may not have his own credentials compromised.

The pseudonym holder may of may not have had a visit from criminal groups or some agency that made him a proposal he could not refuse.

The pseudonym holder may have been working all this time for those groups, that may be as much interested in securing their own systems as in compromising the systems of others. Or he may be a disgrunted (ex-)employee, retaliating for something we do not know about.

Someday soon it may be an emergent malicious AI masquerading as a person (or just some catastrophic mistake in the way someone trained his model).

The possibilities in the brave new world we live in are endless. It is pointless to speculate or try to audit people at this point. Making builds more transparent and easier to check and audit is what is needed.

They sort of are, since GitHub introduced mandatory SMS 2FA for anyone it considers important enough.

> But what if GitHub required all contributors to use their real name and strongly verified their identity?

That is meaningless when GitHub is used just as a mirror and real commits happen elsewhere.
You would need to require that in every repository for everyone contributing.

Something having PGP/X.509 signature for every committer and commit would be part of the solution, but in case someone decides to turn to the dark side you still need to review every change.

And key here is that these changes were not sufficiently reviewed since we don't know if the account was compromised or not.

> resident in a Western country where they could be prosecuted for maliciously introducing backdoors.

Crypto AG was a Swiss encryption company that turned out to be owned by the CIA and West German Federal Intelligence Service (BND) between 1970 and 1993, with the CIA owning it until 2018, that sold backdoored encryption systems to many nations. The NSA produced and promoted the Dual_EC_DRBG CSPRNG that could be used with SSL, with the general consensus being that they had a backdoor, as the possibility of an undetectable backdoor existing was well-known and there was little other reason to use it.

Even if we trust the CIA and NSA (and friends; the Crypto AG story also implicates Germany and Switzerland) blindly, the history of espionage says little for the security of blindly trusting people resident in western nations.

> ... and accepting the fact that we will never have enough reviewers to check every commit, ...

This is the main problem right here and the "solution" is to just SLOW DOWN. No xz maintainer? Fine, no xz software at all. The world will keep spinning.

This site is never short of very valid criticism of greedy corporations exploiting exhausted maintainers. But sometimes it would also be good to look in the mirror and at the attitude of some maintainers. Scratching your own itch and sharing your random and insecure musings on the Internet is great. But when that pet project becomes popular hubris kicks in. Then comes the desire to become popular and successful too and to avoid a fork at all costs: someone else more "active" and more lax could fork and reap all the fame! Quick, quick, let's merge all these great new features that I have barely the time to look at. Who knows: someone somewhere could be interested in them?

The number 1 job of a good maintainer is to say "no" or even (the horror!) completely ignore some ideas and submissions. The Linux kernel is not perfect but actually decent at this. The rest of what runs on a Linux desktop... not so much.

It's not just corporations: many consumers, developers and generally _people_ generally don't want to pay for quality. We just want more and more for less and less money. With just one exception: security. Because a device that grants criminals access to your data and passwords is much scarier than a device that stops working. So security has been saving quality and it will keep slowing things down. That's a good thing.

> Then for key roles you could require someone with a clear track record and resident in a Western country where they could > be prosecuted for maliciously introducing backdoors.

Was NSA prosecuted?

Let's suppose somebody add drivers for yet another Chinese SBC or making QEMU's COLO feature (VMware FT equivalent, at least partially developed by Huawei as far as I understood) really working or just new and improved quantization format for LLMs to textgenweb ui. Or just some new improvments to Linux network stack (Huawei did this as far as I remember)

They are not from Western country (they are likely from China). Shouldn't github just refuse their access? They just use their own services, blame it on github being unwelcoming to them. West will not be able to use and learn their could and they would still be able to do so. This likely mean that all major opensources projects will be forked and it it's possible that github 'original' will not be most maintained branch anymore.

Funny, it was this way until v209 in 2014. sd-daemon was a collection of functions like sd_notify() and so on, it got merged into libsystemd then.

It doesn't prevent that at all? Unless you use text relocations, .text should only be mapped read only. And .got would have been remapped ro at start if you use -z now -z relro. Dlopen() doesn't change any of that?

Perhaps it should be possible to set some sort of link-time tag to instruct ld.so to disable the LD_AUDIT infrastructure for particular binaries? Not sure that's doable for specific shared libraries, but at least this would let one mark critical system daemons as "hands-off" for this application, so their own libraries can't compromise them like this. It's enough like AT_SECURE or coredump/ptrace prevention that there should probably be one mechanism to turn all this stuff on at the same time... (For userspace stuff latrace and the things that it enables are actually quite useful, but I can't imagine ever running latrace on sshd, and if I did I'm debugging it anyway and would be at the very least foregrounding it and could presumably manually turn auditing back on. For that matter, latrace could be modified to do that to the programs it invokes, since it knows its own use of LD_AUDIT is non-malicious.)

Yep, and it was broken all the time because everybody did it differently and slightly wrong, until systemd came along.
But let's not distract from the discussion: systemd ist *not* why this backdoor was possible. It could have been any other library. It could even have been any other server application. It's not restricted to sshd.

The real problem is that patches that have not been understood/reviewed have been applied.
This is a social problem. Not a technical one.

Yeah, and it sucked. It sucked 35 years ago. It still sucks.

This whole thing has nothing to do with service management, and everything to do with large corporations relying on volunteers writing critical software apparently just for something to do.

> If it didn't actually start, then it shouldn't have forked off and backgrounded itself, which is how services notified the service manager that they had successfully started for literal decades before systemd came along.

I have run UNIX systems throughout those literal decades that you are talking about, and your faith in this half-assed, failure-prone mechanism is badly misplaced. I cannot count the number of ways I have seen this fail: the process does not actually start listening to the network until after the fork, the process starts listening before the fork but isn't really ready to accept connections because there is setup that has to be done after the fork, the process forks but doesn't fork twice and thus isn't properly reparented, the process didn't write a PID file and now you have no idea which process is actually running the service, the process did write a PID file and wrote the wrong PID to that file, you end up with multiple backgrounded copies of the same service running and interfering weirdly with each other... the list goes on.

We figured out that this was a bad way to run services by at least the early 2000s, when support for a foreground model with none of this self-daemonization nonsense badly copied into every service became widely available (and as someone who was managing UNIX systems all through that period, that was a delightful revelation). But you do not want to assume that the service is ready simply because the process has started. You need some mechanism for signaling that the service really has fully started, has allocated all of its resources, and is listening to network connections (if that is its job). Otherwise, you risk starting services that depend on it too soon.

Even upstart (the alternative preferred by some of the folks who disliked systemd) had a mechanism for doing this. (It was worse than systemd's, at least in my opinion.)

The impact is reduced, because dlopen only happens if and when the API using the library is called by the program linking to libsystemd, rather than by default. So in this case it would not have happened, because sshd does not read compressed journal files, which is the reason compressed libs are linked in libsystemd.

Dependency chain of a full-feature build of libsystemd from main (plus a PR under review):

build/libsystemd.so.0 (interpreter => None)
libcap.so.2 => /lib/x86_64-linux-gnu/libcap.so.2
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6
ld-linux-x86-64.so.2 => /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2

We want to remove the need for libcap too, but that's a bit more complex.

This specific exploit I believe relied on being loaded into the process namespace early so that it could set up IFUNCs. I am very far from an expert in how this works, but if I'm understanding this correctly, it would be too late to do this during dlopen (if the library were even dlopened; the primary mitigation is that sshd would have never dlopened liblzma at all with this new systemd design).

> The main promise of zstd over the other options is faster decompression, so I think it would only be fair to include that in the comparison.

Sure, one could do that, and zstd is probably going to be faster when it comes to decompression. But my original point was not to bash zstd - I was replying to the statement that zstd is always better than xz and that there's no reason to use xz at all. My second response where I posted my measurements was a little hyperbolic to underline that point.

Personally, I do quite like zstd - and if you look at my table, using the standard compression algorithm, you can reduce a filesystem image of 554 MiB down to 182 MiB (~32% of the original size) within just 2 seconds, which is a lot faster than what many other tools can do. (~60 times faster than xz in its default settings.) I do think zstd is an excellent algorithm to use as a default when no further constraints have been applied, because the tradeoffs it has chosen are very sensible for many applications.

The only point I'm trying to drive home is that if you have certain constraints - such as that the compressed size is to be as small as reasonably possible - then zstd might not be the algorithm you want to use in all cases (probably depending on what kind of data you want to compress), and that rhetoric such as "always use zstd, xz is obsolete" is not helpful. And while the broader public now knows a lot more about the past hardships of xz maintenance, hindsight is always 20/20, and I don't think the problems there were immediately obvious to most people just using xz themselves. I think that after-the-fact statements such as "people should not have used xz anymore anyway" are extremely unhelpful - not only because it's easy to say so after the fact, but also because I do think xz has some advantages in some situations and will remain a good choice when constraints require it.

There will be a MIT-0 (so it can be copy/pasted with impunity) self-contained example in the documentation where the protocol is defined

ssh-agent (or its emulation) is basically just the public key authentication.

PAM was useful for custom authentication, such as LDAP-based auth or something similar. These days a fairly typical workflow is to use some kind of a daemon/utility on the developer's machine to get a temporary SSH certificate, and then just use this certificate to log in using the SSH.

No, most of us are discussing the result of a multi-year-long sophisticated social engineering attack that preyed on underfunded and overworked unpaid maintainers to inject a complex backdoor. Yes, a handful of people are missing the wood for the trees because they are unable or unwilling to run a simple command to check the attack surface gained by backdooring xz:

$ apt-cache rdepends liblzma5 | wc -l
354

If it hadn't been libsystemd in the middle of the dependency chain, it would have been something else. The exploit was primed and ready to add more backdoors for other arbitrary workflows, with pre-prepared and unused "test files" signatures that we'll now never know what would have attacked.

> This is mostly what I was thinking of - have a human-readable language designed to specify the binary formats, and use that to generate the test data.

So... you have this human-readable language generate a malicious file that contains the payload for an exploit. What have you gained here?

The problem is that the binary data is "hostile", not "how the binary data was generated".

> >That enforcement enables the agency to recover costs

> In the US at least, I don't believe any agency works this way.

It surely varies by jurisdiction, but regulatory agencies here in Netherlands don't live off fines. They'd die if that were the case. To give some examples how it works:

- NVWA (think food safety) charges per food inspection certificate issued, time spent auditing a business, etc for example.

- AFM (like the SEC) basically has a budget, which is divided by a formula over all the banks, insurance companies, etc within the Netherlands.

The principle is straight forward: regulatory authorities are paid for by the businesses they are regulating. The health agency is funded by the hospitals, GPs and pharmaceutical companies within their jurisdiction. If a sector complains the regulatory agency is too expensive, then politicians can simply argue that the sector should get its act together so they there's less enforcement work required.

It doesn't work for everything. Stuff like GDPR enforcement, it's not clear who should pay for that. But for a lot of regulatory agencies it does work reasonably well.

> If any agency *were* incentivized to levy fines, because their operating budget had to come out of the fines, this would be a perverse incentive for them to just levy fines willy-nilly. Much like the "speed traps" operated by local police agencies near the end of the month

What you *want* to achieve, is for the person paying to want to pay the minimum possible, but for them to have two (at least) different ways of minimising the cost.

My preferred example is with things like insurance companies. Why shouldn't the police have a "burglary investigation department" paid for by the insurance companies? You then hopefully get a "steady state" where the police catch enough burglars to keep the crime rate down, but barring outright fraud the system isn't going to get out of hand.

Unfortunately, capitalism tends to sabotage such neat systems, another example is the mess we have of utilities - it makes sense for the infrastructure to be owned by the customers, but all too often it's treated as a profit centre by suppliers :-( As a result you get the horror stories we of from America of people locked into cable monopolies, or stuck with dial-up speeds. In a first world state !?!?

(I won't say we're much better - in theory we're a lot better off, but it still fails horribly ...)

Cheers,
Wol