Email or username:

Password:

Forgot your password?
Top-level
Leeloo

@GossiTheDog @wdormann
What is it with Debian and patces that end up being security holes?

OpenSSH, OpenSSL...

11 comments
Sami Juvonen

@leeloo @GossiTheDog @wdormann Maybe read the announcements before spouting stupid hot takes?

Leeloo

@sjuvonen @GossiTheDog @wdormann
Are you trying to say that I missed something? Then say it, rather that throwing accusations.

As I understand it, Debian took a heavily audited piece of code (OpenSSH), added a patch to use a library from an untrusted source, who then (allegedly deliberately) added a back door.

What am I missing?

Sami Juvonen

@leeloo You’re the one throwing accusations. Explain how Fedora and openSUSE among others using the same libs and being similarly affected is Debian’s fault? Everybody’s doing it because xz is a dependency of systemd.

Clout chasing by pissing on foundational open source projects would probably fly better on LinkedIn.

Leeloo

@sjuvonen
I'm not the one making the decisions at Fedora or SuSE, why (or how) should I explain their decisions?

I'm also not the one claiming Debian added a patch, that was from the post I replied to.

And if systemd really requires non-systemd daemons to link to random compression libraries, systemd is a lot worse than I have ever claimed.

EmberQuill :v_gf:

@leeloo @sjuvonen @GossiTheDog @wdormann

(obligatory "I'm not an expert, but...")

The patch to OpenSSH makes it work with systemd-notify, which comes from a trusted source, which relies on lzma, also from a trusted source, which is used as a vector to load the backdoor from xz (also from a supposedly-trusted-until-now source) into sshd.

The same or similar patch is applied to OpenSSH in most systemd-based distros. It was noticed on Debian but affects pretty much any distro using deb or rpm packages. Other distros patch OpenSSH but the exploit only triggers on deb/rpm distros since most servers use one of the two package formats.

This is a long con, and honestly the only people at fault are the bad actors themselves. Assuming Jia Tan's GitHub identity and pgp key weren't compromised by someone else, this backdoor appears to be the culmination of three years of work.

@leeloo @sjuvonen @GossiTheDog @wdormann

(obligatory "I'm not an expert, but...")

The patch to OpenSSH makes it work with systemd-notify, which comes from a trusted source, which relies on lzma, also from a trusted source, which is used as a vector to load the backdoor from xz (also from a supposedly-trusted-until-now source) into sshd.

Kevin Beaumont

@emberquill @leeloo @sjuvonen @wdormann yep, good take I think based on what we know so far, disclaimer that I am an idiot

In mid 2023 the presumed attacker got OSS Fuzzer to decrease detection on XZ, in 2022 it looks like significant pressure from multiple accounts was used against the then maintainer and creator to hand over the project.

To me it looks like a lot of work went into this over an extended period, and it all got rumbled due to one person being bored and looking into performance.

Raven667

@GossiTheDog @emberquill I am just learning about this same as every one else, but these kinds of attacks seem to be high effort, high risk since its public with a good audit trail and all it takes is one curious soul to say "hmm that's weird" to blow the whole thing up. I don't know if there are other better hidden ops out there, but the ones that are confirmed seem to get detected within days and weeks, rarely months and years, or at least that's the layman's impression I have. Is it worth it?

EmberQuill :v_gf:

@raven667 @GossiTheDog Debian-unstable was vulnerable for a whole month, and the only reason why this exploit was noticed at all was because one person thought their ssh authentication was too slow and started investigating.

It could have easily remained unnoticed for another month or two.

Mathaetaes

@GossiTheDog @emberquill @leeloo @sjuvonen @wdormann once again, some weird nerd’s obsession saves the day.

Weird nerds are the heroes we need, but definitely don’t deserve.

Tony Hoyle

@emberquill @leeloo @sjuvonen @GossiTheDog @wdormann The question that occurs is why does compatibility with systemd-notify require any more than a write to a well known pipe? xz should not be in the picture here. *especially* with something as critical as ssh.

Go Up