Date: Fri, 12 Apr 2024 18:37:44 +0200
From: Jakub Wilk
Subject: Re: [oss-security] Re: backdoor in upstream xz/liblzma leading to ssh server compromise

* Jonathan Schleifer, 2024-03-30 17:17:
>I replaced the sed in here:
>
>sed \"r\n\" $gl_am_configmake | eval $gl_path_map |
>$gl_localedir_prefix -d 2>/dev/null
>
>With a simple cat, as I could not make sed work. This worries me as it
>means there is probably some other transformation that I'm missing that
>would have made the sed work.

It's confusing because there are two layers of eval involved. You actually end up running:

   sed rn ...

The "r" command means "read from file"; but there's no file named "n", so this is no-op.

The sed command is not completely equivalent to cat though: it appends a newline, because the original file didn't end with one. This trailing garbage slightly upsets xz(1):

   xz: (stdin): Unexpected end of input

(You normally wouldn't see this warning, thanks to generous use of "2>/dev/null" in build-to-host.m4.)

-- 
Jakub Wilk
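
The two effects described in the message above can be reproduced in isolation. This is an added example, not code from the thread or from build-to-host.m4: the function names and the 3-byte sample file are constructed, `eval "eval ..."` is an assumed stand-in for the two parsing passes rather than the macro's actual call chain, and the byte counts assume a sed that behaves as the message describes.

```shell
#!/bin/sh
# Added illustration; not code from build-to-host.m4 or from the thread.
# Constructed stand-in: only the quoted sed script from the message above.
fragment='\"r\n\"'

# Print the one argument a command would receive, so quoting can be inspected.
first_arg() { printf '%s' "$1"; }

# One parsing pass: backslashes are consumed, the double quotes stay literal,
# so sed would be handed the invalid script "rn" (quotes included).
after_one_eval() { eval "first_arg $fragment"; }

# Two parsing passes: the second pass consumes the quotes as well,
# leaving the script rn (read file "n" after every line).
after_two_evals() { eval "eval first_arg $fragment"; }

# Byte count of the output of cat or "sed rn" on a constructed 3-byte file
# with no trailing newline. Runs in a fresh directory so that no file named
# "n" exists and the r command has nothing to read.
count_bytes() {   # $1 = "cat" or "sed"
    dir=$(mktemp -d) || return 1
    printf 'abc' > "$dir/sample"
    if [ "$1" = sed ]; then
        n=$(cd "$dir" && sed rn sample | wc -c | tr -d ' ')
    else
        n=$(cd "$dir" && cat sample | wc -c | tr -d ' ')
    fi
    rm -rf "$dir"
    echo "$n"
}

echo "one eval:  sed script = $(after_one_eval)"
echo "two evals: sed script = $(after_two_evals)"
echo "cat: $(count_bytes cat) bytes, sed rn: $(count_bytes sed) bytes"
```

The one-byte difference is the appended newline, which is what makes xz report "Unexpected end of input" when the sed output is piped into it.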