[xz] Remove JiaT75 as a contact, determine correct contacts #11760
Comments
This should almost certainly be reverted: 6403e93
cc @Larhzu
In light of https://www.openwall.com/lists/oss-security/2024/03/29/4 we will change the contact of the xz projects back to the original maintainer. Related: #11760
Thanks. I've removed the account as a contact and I've also (temporarily?) disabled the projects out of an abundance of caution.
This PR should potentially be reverted #10667 because it was basically done to hide the exploit which was done through ifunc resolvers lol
Interesting, I've removed the projects from oss-fuzz for now, but we should make sure to do this if/when we reinstate the projects.
The exploit uses ifuncs based on the openwall report
Appreciate it. Just curious, is it possible the issue would have been found by a sanitizer were it not for this PR? I don't have an understanding of the backdoor yet.
Yes, that seems to be the consensus. Allegedly, the threat actor went to great lengths to circumvent sanitizers. I haven't verified this claim myself.
Wow, I'm surprised fuzzing could have found a backdoor.
I also disabled liblzma for now though I suspect the version running on OSS-Fuzz was not compromised: #11762
CVE-2024-3094 is the associated CVE.
The backdoor is part of a test file. It is a precompiled binary object that is being linked into the binary if it was built from the published tarball rather than git and only if a large number of specific conditions are passing. The conditions were amongst other things checking whether it's a Debian or RPM package build. A plain build will not activate the backdoor. While turning off ifunc is another way to protect the exploit from unpacking, in the backdoor's current form it would not be necessary. Maybe it was necessary in a previous version of the backdoor that wasn't actually committed.
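The comment above hinges on a build that came from the published tarball rather than the git tree. As an added example (not from this thread or the xz project), the script below compares a release tarball against a manifest of the tagged git tree and reports files that exist only in the tarball, differ from git, or are missing; the tarball, the git manifest and the file names (`m4/extra.m4`, `demo-1.0`) are constructed in memory so it runs offline.

```python
import hashlib
import io
import tarfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tarball_manifest(tar_bytes: bytes) -> dict:
    """Map each regular file in a .tar.gz to its SHA-256, top-level dir stripped."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            manifest[path] = sha256(tar.extractfile(member).read())
    return manifest

def compare_release(git_manifest: dict, tar_manifest: dict) -> dict:
    """Classify tarball content relative to the tagged git tree (path -> sha256)."""
    return {
        "tarball_only": sorted(set(tar_manifest) - set(git_manifest)),
        "modified": sorted(p for p in tar_manifest if p in git_manifest and tar_manifest[p] != git_manifest[p]),
        "missing_from_tarball": sorted(set(git_manifest) - set(tar_manifest)),
    }

def build_tarball(files: dict, topdir: str) -> bytes:
    """Constructed sample only: pack {path: bytes} into a gzip tarball under topdir/."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=f"{topdir}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample data (not real xz files): the git tree at the release tag ...
GIT_FILES = {"configure.ac": b"AC_INIT([demo], [1.0])\n", "src/lzma.c": b"int main(void){return 0;}\n"}
# ... and a tarball that carries one extra file and one altered build script.
TAR_FILES = dict(GIT_FILES)
TAR_FILES["m4/extra.m4"] = b"dnl generated file not present in git\n"
TAR_FILES["configure.ac"] = b"AC_INIT([demo], [1.0])\nm4_include([m4/extra.m4])\n"

GIT_MANIFEST = {p: sha256(c) for p, c in GIT_FILES.items()}
RELEASE_TARBALL = build_tarball(TAR_FILES, "demo-1.0")

def audit_sample() -> dict:
    """Run the comparison on the constructed release; see the usage note for real input."""
    return compare_release(GIT_MANIFEST, tarball_manifest(RELEASE_TARBALL))
```

On a real release, replace the constructed inputs with per-file hashes of `git ls-files` at the tag and the downloaded tarball bytes; every path in `tarball_only` or `modified` is one the release review has to read by hand.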
Just some additional information: It looks like the Edited to add: To be clear, I am not accusing any person in particular, that is why I did not use full names. These are accounts that may have been compromised or misused. Either way I think an abundance of caution should be exercised about who is a reliable point of contact until someone can verify them.
That means #9960 was never approved by the previous maintainer. @jonathanmetzman, you may want to look into whether that has happened for other projects.
Please be careful. Larhzu is a long-term maintainer of xz-utils and xz-utils migrated to GitHub a little while ago. It is not therefore unreasonable that accounts got made around the same time. There is a lot going on here, speculation is making things harder.
For context, Lasse has been working on XZ for decades, long before the GitHub account got created. See this as an example: https://sourceforge.net/p/sevenzip/discussion/45797/thread/09814bb2/?limit=25#d81a
That being said, @JiaT75 was also an active maintainer. Here's where an email attributed to @Larhzu was added: #1919 It references this: https://www.mail-archive.com/[email protected]/msg00307.html
I seem to recall a discussion attributing that exact patch to the threat actor in question. There's inevitably going to be confusion and speculation. It would be best to figure out one responsible, known-good maintainer for Should that be @Larhzu? Do we know that the GitHub account is actually Lasse?
@Traneptora hm, where do you see that both users were created in 2022? For me it seems the GitHub user hansjansen was created in May 2023. And the other in 2022.
Per Fedora dev list
Lol. I suppose this might be why the disable-ifuncs got passed to oss-fuzz
At the moment, there is no active GitHub account available that would qualify.
@desu-anon I doubt that, the PR in the other repo is coincidence and there was no 1password takeover. People are quick to jump to conclusions.
I think we're probably moving well beyond the scope of this issue now. My intention was to find a responsible maintainer. From what I've gathered, that appears to be Lasse, although I'm unable to verify that the GitHub account claiming to represent him is actually him. I have other work I need to do and don't have enough knowledge of this project to make such a call.
I'm not confident about this, either. I did find this, however. If you check out @Larhzu's fork/branch, the commit has his email address, and the commit on GitHub references the account, so it appears that the account is under his email address. So it would seem to probably match, but everything is suspect at this point. I'm hoping Lasse's email isn't compromised.
Well. Aaand Microsoft Thanos-snapped the project out of existence ... nice one. Good job. /s
They have a policy that malware can't be distributed using GitHub so they've probably just shut down the repo until they figure out who's actually maintaining it and who can audit and remove the malicious code.
Until the xz project is audited it should be removed from existence
There hasn't been any indication that any accounts were compromised. The remaining question I had was whether @Larhzu was actually created by and controlled by Lasse, but he's since stated that it's his account: https://tukaani.org/xz-backdoor/ I haven't seen any reasonable claims that tukaani.org is compromised, so I'm inclined to trust that claim. Reverting the commit that added Jia Tan as a contact should be sufficient to close this issue.
That's outside the scope of this project and issue.
Thanks Zenexer. I think we will eventually give control back to Lasse if he wants. But I assume he has more important things to deal with now. I agree we can close this issue.
Given that the recent backdoor of xz/liblzma is being attributed to the GitHub account @JiaT75, their contact info should probably be removed from google/oss-fuzz and the correct contacts should be determined.
References: