Email or username:

Password:

Forgot your password?
Dave's posts Post Back to profile
Dave Anderson

The poor original maintainer of xz is on it now, and has already found another "fun" thing: git.tukaani.org/?p=xz.git;a=co . The configure check for enabling the Landlock sandboxing facility was subtly broken, so that Landlock support would never get enabled. The original malicious commit landed around the same timeframe as the main backdoor, also at an abnormal time of day compared to the new maintainer's historical activity pattern.

30 March at 17:10 | Open on hachyderm.io
9 comments
David Andersen

@danderson that one is deliciously clever. I didn't see it when I looked at the diff despite having been primed to look for something evil.

30 March at 17:20 | Open on hachyderm.io
any maw

@dave_andersen @danderson
so how does it work? I guess CMake passes that chunk of C to the compiler, but then the build script assumes that if that compilation fails for any reason, including a syntax error, then the system doesn't actually support landlock?

and are you in fact two different people?

30 March at 17:37 | Open on polyglot.city
Dave Anderson

@anymaw @dave_andersen Yeah, these feature checks usually work by compiling (and maybe running) a test program, to check that everything required is present. The original malicious commit that added this check explained that on some systems the header files for Landlock are present but Landlock doesn't actually work, so the configuration builds a test program to check if it actually works.

And yes, any failure is interpreted as the feature being unavailable :/

30 March at 17:42 | Open on hachyderm.io
Dave Anderson

@anymaw @dave_andersen And yes, different people. The joy of having a very common name :)

30 March at 17:43 | Open on hachyderm.io
Pusher of Pixels

@danderson @anymaw @dave_andersen There was a Mrs. Smith in our church growing up. She got divorced and when she remarried became....Mrs Jones ;-)

30 March at 18:31 | Open on dmv.community
David Andersen

@pixelpusher220 @danderson @anymaw I probably should have taken my wife's name when we got married, but by then she and I both had extensive publication records under our original names.

30 March at 19:36 | Open on hachyderm.io
Knud Jahnke

@dave_andersen @pixelpusher220 @danderson @anymaw

We always wanted to coax a bunch of Danish astronomer colleagues to write a joint paper. It could have been at least 6 Andersens, some even with the same initials...

30 March at 20:57 | Open on mastodon.social
Samantaz Fox

@danderson That one is tricky!

I'm so sorry for Lasse, who now has double the amount of work, to review again every line of code added by the malicious actor.

30 March at 18:39 | Open on infosec.exchange
Matt Campbell

@danderson I want to support the original maintainer or show my appreciation if I can. But I feel like sending an email just to say thanks or ask how to help would just add to the stress; there must be a ton of emails coming in already.

31 March at 0:33 | Open on toot.cafe
Go Up