Everything I know about the XZ backdoor xz-utils backdoor situation
A summary of the xz-utils backdoor incident is as follows:
- On March 29, 2024, a backdoor was discovered in the widely used compression software xz-utils.
- The backdoor is believed to have been planted by Jia Tan, a maintainer of xz-utils, who became involved in the development of xz-utils about two years ago and gradually gained trust.
- The backdoor was very cleverly designed and was only triggered under certain conditions. The main targets were Linux systems using systemd and openssh.
- Once the backdoor is triggered, it becomes possible to bypass ssh authentication and enter the system. No other effects are known at this time.
- Jia Tan also exhibited suspicious behavior, including using another account to strongly push a patch containing a backdoor.
- The main maintainer, Lasse Collin, was on vacation and could not stop Jia Tan's activities. Some have pointed out that the harsh conditions of open source developers are behind the situation.
- Jia Tan's GitHub account has been frozen and the backdoor removed, but other impacts are still being investigated; numerous systems, including xz-utils, are being investigated and updated. As described above, this was an attack from within by a developer with whom a long-term relationship of trust had been established, and it is an incident that once again highlights the vulnerability of open source software.
dmikurube Amazing. Three years of building trust and planting backdoors. It's like a thousand years of work to trick the demon tribe, but there's actually an incentive to do this… [Everything I know about the XZ backdoor https://boehs.org/node/everything-i-know-about-the-xz-backdoor]
dmikurube The fact that the maintenance of these things is on the shoulders of individuals, and the fact that it was almost entirely the work of individual craftsmanship that detected them… What can I say?
dmikurube But the fact that there was one of these, I guess I should see that there are others. Ugh.
dmikurube In the open source culture, there are many people who say "I'm waiting for your contribution", but it is difficult to see examples like this. But when I see examples like this, it's difficult. But as a maintainer, I can't accept it so lightly.
dmikurube (I am quite bitter about people who complain like that. Even if I am not the maintainer.)
dmikurube In fact, with Embulk, if you can sneak in a little work, you can probably divert data from one company to another. I'm watching it carefully. Many plug-ins are out of our jurisdiction, though.
dmikurube I try not to carelessly use third-party actions like GitHub Actions. It's a good target to do something. And typically, Gradle plugins…
dmikurube "In April 2022, Jia Tan submits a patch via a mailing list. The patch is A new persona - Jigar Kumar enters, and begins pressuring for this patch to be merged." Wow. I guess those who pressure people to "merge this" should be classified as the same.
dmikurube "Soon after, Jigar Kumar begins pressuring Lasse Collin to add another In the fallout, we learn a little bit about mental health in open source." Hmmm…
izutorishima Wow, they spent 3 years contributing to xz-utils to win their trust and then put a backdoor in… too egregious! … I can only say that it was a coincidence that I found it, and if it had gone around to Ubuntu or something, I'd be scared to log in to any public server that sshd's out to without a password.
piro_or The colors.js debacle was about the developers themselves messing things up, not necessarily because it was open source, [WinGroove Incident], but it is a story that only open source can tell, where the developer has gained trust through contributions and even commit privileges, and then becomes an attacker.
piro_or WinGroove case, could it now be the subject of an investigation for unauthorized electromagnetic recording?
nishio Given the law of "a fraud that is found is a fraud that is poorly covered up", you found a remote login backdoor in xz and dealt with it while you still can. I'm glad you were able to do it. … but it's more likely that a similar backdoor was planted in something that isn't known and is spreading.
This page is auto-translated from /nishio/xz-utilsバックドア事件 using DeepL. If you see something interesting but the auto-translated English is not good enough to understand it, feel free to let me know at @nishio_en. I'm very happy to spread my thoughts to non-Japanese readers.