Hey, I’ve been hearing a LOT about the xz backdoor. Crazy story, but rather than reading 10 different articles about it from 3 days ago when the story was quite new, does anybody know a high quality write-up that has all the juicy details and facts? I really like in-depth guides that cover every aspect of the story.

Thanks in advance guys!

  • kbal@fedia.io
    link
    fedilink
    arrow-up
    25
    ·
    edit-2
    9 months ago

    Not everything is known yet, so you won’t find a comprehensive summary. The latest news I’ve seen: https://www.openwall.com/lists/oss-security/2024/03/30/36

    I’m watching some folks reverse engineer the xz backdoor, sharing some preliminary analysis with permission. The hooked RSA_public_decrypt verifies a signature on the server’s host key by a fixed Ed448 key, and then passes a payload to system(). It’s RCE, not auth bypass, and gated/unreplayable.

    All the technical details that are widely known (and some that aren’t yet) seem to be in that thread, including the original report from Andres Freund. For rumours about who might be behind it and high-level speculation about what it all means, you’d have to look elsewhere.