@leeloo @sjuvonen @GossiTheDog @wdormann
(obligatory "I'm not an expert, but...")
The patch to OpenSSH makes it work with systemd-notify, which comes from a trusted source, which relies on lzma, also from a trusted source, which is used as a vector to load the backdoor from xz (also from a supposedly-trusted-until-now source) into sshd.
The same or similar patch is applied to OpenSSH in most systemd-based distros. It was noticed on Debian but affects pretty much any distro using deb or rpm packages. Other distros patch OpenSSH but the exploit only triggers on deb/rpm distros since most servers use one of the two package formats.
This is a long con, and honestly the only people at fault are the bad actors themselves. Assuming Jia Tan's GitHub identity and PGP key weren't compromised by someone else, this backdoor appears to be the culmination of three years of work.
@emberquill @leeloo @sjuvonen @wdormann Yep, good take I think, based on what we know so far; disclaimer that I am an idiot.
In mid-2023 the presumed attacker got OSS-Fuzz to decrease detection on XZ; in 2022, it looks like significant pressure from multiple accounts was used against the then maintainer and creator to hand over the project.
To me it looks like a lot of work went into this over an extended period, and it all got rumbled due to one person being bored and looking into performance.