* Andres Freund <[email protected]>, 2024-03-29 08:51:
>d) LANG needs to be set
If timing "sshd -h" is a reliable method of checking if the backdoor is
active, then this is not correct. It seems all you need is non-empty
environment:
# time env -i /usr/sbin/sshd -h 2>/dev/null
real 0m0.009s
user 0m0.004s
sys 0m0.005s
# time env -i X= /usr/sbin/sshd -h 2>/dev/null
real 0m0.345s
user 0m0.337s
sys 0m0.009s
Further evidence that LANG doesn't matter:
* LANG is not on the list of extracted strings[0].
* Some folks[1][2] misspelled LANG as LC_LANG, and apparently it still
worked.
[0] https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01
[1] https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
[2] https://github.com/binarly-io/binary-risk-intelligence/tree/master/xz-backdoor
>I am *not* a security researcher, nor a reverse engineer.
Congrats, you've just made a lot of people feel inadequate. :P
--
Jakub Wilk
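The check Jakub describes above (time "sshd -h" with an empty environment, then again with one dummy variable set) as a small script. This is an added example and is not code from the thread; the sshd path, the repeat count and the "slow" thresholds (at least 100 ms, and at least 5x the empty-environment run) are assumptions chosen to match the ~9 ms vs ~345 ms numbers in the message, not anything the backdoor is known to guarantee.

```shell
#!/bin/sh
# Added example: compare startup time of "<binary> -h" with an empty
# environment (env -i) versus an environment holding one dummy variable
# (env -i X=), as reported in the message above. Thresholds are assumptions.

# Wall-clock milliseconds for one run of "$@" (output discarded, exit
# status ignored, since sshd -h exits non-zero after printing usage).
# Assumes a date(1) that understands %N (GNU coreutils, BusyBox).
elapsed_ms() {
    start=$(date +%s%N)
    "$@" >/dev/null 2>&1 || :
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# Minimum over N runs of "$@", to damp scheduler and page-cache noise.
min_elapsed_ms() {
    runs=$1; shift
    best=
    i=0
    while [ "$i" -lt "$runs" ]; do
        t=$(elapsed_ms "$@")
        if [ -z "$best" ] || [ "$t" -lt "$best" ]; then best=$t; fi
        i=$((i + 1))
    done
    echo "$best"
}

# Print "<empty-env ms> <one-variable-env ms>" for "$1 -h".
compare_env_timing() {
    bin=$1
    runs=${2:-3}
    empty=$(min_elapsed_ms "$runs" env -i "$bin" -h)
    onevar=$(min_elapsed_ms "$runs" env -i X= "$bin" -h)
    echo "$empty $onevar"
}

# Succeed (exit 0) when the one-variable run is both slow in absolute terms
# and much slower than the empty-environment run; the 100 ms floor and 5x
# ratio are assumed thresholds, not values from the thread.
env_sensitive() {
    bin=$1
    runs=${2:-3}
    set -- $(compare_env_timing "$bin" "$runs")
    empty=$1; onevar=$2
    [ "$onevar" -ge 100 ] && [ "$onevar" -ge $((empty * 5)) ]
}

# Stand-alone use:  sh env-timing.sh /usr/sbin/sshd [runs]
if [ -n "${1-}" ]; then
    echo "empty env / one variable (ms): $(compare_env_timing "$1" "${2:-3}")"
    if env_sensitive "$1" "${2:-3}"; then
        echo "startup is environment-sensitive (matches the reported symptom)"
    else
        echo "no environment-dependent slowdown observed"
    fi
fi
```

The minimum of several runs is used rather than a single measurement because the first run pays for cold page cache and dynamic-loader work; a single "real" figure from time(1), as in the message, is fine for a one-off look but noisy for anything automated. A positive result here only says "something in this binary's startup depends on the environment being non-empty"; confirming that it is the xz payload still needs the other checks discussed in the thread.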