Dave Anderson

The poor original maintainer of xz is on it now, and has already found another "fun" thing: git.tukaani.org/?p=xz.git;a=co . The configure check for enabling the Landlock sandboxing facility was subtly broken, so that Landlock support would never get enabled. The original malicious commit landed around the same timeframe as the main backdoor, also at an abnormal time of day compared to the new maintainer's historical activity pattern.

David Andersen

@danderson that one is deliciously clever. I didn't see it when I looked at the diff despite having been primed to look for something evil.

any maw

@dave_andersen @danderson
so how does it work? I guess CMake passes that chunk of C to the compiler, but then the build script assumes that if that compilation fails for any reason, including a syntax error, then the system doesn't actually support landlock?

and are you in fact two different people?

Dave Anderson

@anymaw @dave_andersen Yeah, these feature checks usually work by compiling (and maybe running) a test program, to check that everything required is present. The original malicious commit that added this check explained that on some systems the header files for Landlock are present but Landlock doesn't actually work, so the configuration builds a test program to check if it actually works.

And yes, any failure is interpreted as the feature being unavailable :/
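An added illustration of the pattern this reply describes (not code from xz or its build system): a Python emulation of a configure-style Landlock probe that, instead of mapping every compile failure to "unavailable", only does so when the compiler diagnostics mention the Landlock header or symbols, and flags any other failure as a broken probe that needs review. The probe source and the diagnostic patterns are constructed assumptions modelled on GCC/Clang message formats.

```python
"""Configure-style feature probe for Landlock with failure classification.

The naive build-system behaviour is: probe fails to compile for any reason,
feature gets disabled.  classify_probe() separates "feature genuinely absent"
from "the probe program itself does not compile", so a sabotaged or mistyped
probe is surfaced instead of silently turning the sandbox off.
"""
import os
import re
import subprocess
import tempfile

# Constructed probe source in the shape a Landlock configure check usually has.
PROBE_SRC = r"""
#include <linux/landlock.h>
#include <sys/syscall.h>
#include <unistd.h>
int main(void) {
    return (int)syscall(SYS_landlock_create_ruleset, (void *)0, 0,
                        LANDLOCK_CREATE_RULESET_VERSION);
}
"""

# Assumed diagnostic patterns that mean Landlock is really missing here.
_ABSENT = [
    re.compile(r"fatal error: .*landlock\.h: No such file"),
    re.compile(r"error: .*(LANDLOCK_|SYS_landlock).* undeclared"),
    re.compile(r"error: implicit declaration of function .*landlock"),
]


def classify_probe(returncode: int, stderr: str) -> str:
    """Return 'available', 'unavailable' or 'probe_broken'.

    Only failures whose diagnostics point at the Landlock header/symbols
    count as the feature being absent; any other compile error (a syntax
    error, for instance) means the probe itself is defective.
    """
    if returncode == 0:
        return "available"
    if any(p.search(stderr) for p in _ABSENT):
        return "unavailable"
    return "probe_broken"


def run_probe(cc: str = "cc", src: str = PROBE_SRC) -> str:
    """Compile the probe with the given compiler and classify the outcome."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "probe.c")
        with open(path, "w") as f:
            f.write(src)
        r = subprocess.run([cc, "-c", path, "-o", os.path.join(d, "probe.o")],
                           capture_output=True, text=True)
    return classify_probe(r.returncode, r.stderr)
```

A build that aborts on `probe_broken` (rather than logging and continuing) is what turns a silently disabled sandbox into a visible configure failure.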

Dave Anderson

@anymaw @dave_andersen And yes, different people. The joy of having a very common name :)

Pusher of Pixels

@danderson @anymaw @dave_andersen There was a Mrs. Smith in our church growing up. She got divorced and when she remarried became....Mrs Jones ;-)

David Andersen

@pixelpusher220 @danderson @anymaw I probably should have taken my wife's name when we got married, but by then she and I both had extensive publication records under our original names.

Knud Jahnke

@dave_andersen @pixelpusher220 @danderson @anymaw

We always wanted to coax a bunch of Danish astronomer colleagues to write a joint paper. It could have been at least 6 Andersens, some even with the same initials...

Samantaz Fox

@danderson That one is tricky!

I'm so sorry for Lasse, who now has double the amount of work, to review again every line of code added by the malicious actor.

Matt Campbell

@danderson I want to support the original maintainer or show my appreciation if I can. But I feel like sending an email just to say thanks or ask how to help would just add to the stress; there must be a ton of emails coming in already.
