Date: Wed, 17 Apr 2024 16:38:54 +0200
From: Jakub Wilk
Message-ID: <20240417143854.66rgilsjticr3cp5@jwilk.net>
In-Reply-To: <20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de>
Subject: Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

* Andres Freund, 2024-03-29 08:51:
>d) LANG needs to be set

If timing "sshd -h" is a reliable method of checking if the backdoor is
active, then this is not correct. It seems all you need is a non-empty
environment:

   # time env -i /usr/sbin/sshd -h 2>/dev/null

   real 0m0.009s
   user 0m0.004s
   sys 0m0.005s

   # time env -i X= /usr/sbin/sshd -h 2>/dev/null

   real 0m0.345s
   user 0m0.337s
   sys 0m0.009s

Further evidence that LANG doesn't matter:

* LANG is not on the list of extracted strings[0].

* Some folks[1][2] misspelled LANG as LC_LANG, and apparently it still
  worked.

[0] https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01
[1] https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
[2] https://github.com/binarly-io/binary-risk-intelligence/tree/master/xz-backdoor

>I am *not* a security researcher, nor a reverse engineer.

Congrats, you've just made a lot of people feel inadequate. :P

-- 
Jakub Wilk
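
The timing comparison from the message above, repeated over several runs so that one noisy measurement does not decide the result. This is an added example, not part of the original post and not the poster's code; the function names and the RUNS, RATIO and MIN_MS thresholds are assumptions, and GNU date is assumed for nanosecond timestamps. As the message says, the result is only meaningful if timing "sshd -h" is a reliable indicator.

```shell
#!/bin/sh
# Added example: time a binary under an empty and a one-variable environment.
SSHD=${SSHD:-/usr/sbin/sshd}   # path used in the message
RUNS=${RUNS:-5}                # assumption: runs per case, median is compared
RATIO=${RATIO:-5}              # assumption: flag when non-empty >= RATIO x empty
MIN_MS=${MIN_MS:-100}          # assumption: ignore slow-downs below this

# elapsed_ms CMD...: wall-clock milliseconds for one run, output discarded.
elapsed_ms() {
    _start=$(date +%s%N)
    "$@" >/dev/null 2>&1 || true   # exit status is not of interest here
    _end=$(date +%s%N)
    echo $(( ($_end - $_start) / 1000000 ))
}

# median_ms N CMD...: median of N timed runs of CMD.
median_ms() {
    _n=$1; shift
    _i=0
    while [ "$_i" -lt "$_n" ]; do
        elapsed_ms "$@"
        _i=$(( $_i + 1 ))
    done | sort -n | sed -n "$(( ($_n + 1) / 2 ))p"
}

# env_timing_verdict BINARY [ARGS...]
# Prints "<empty_ms> <nonempty_ms> <verdict>", where verdict is
# "slower-with-env" or "similar". X= mirrors the variable used in the message.
env_timing_verdict() {
    _empty=$(median_ms "$RUNS" env -i "$@")
    _nonempty=$(median_ms "$RUNS" env -i X= "$@")
    _verdict=similar
    if [ "$_nonempty" -ge "$MIN_MS" ] &&
       [ "$_nonempty" -ge $(( $RATIO * ($_empty + 1) )) ]; then
        _verdict=slower-with-env
    fi
    echo "$_empty $_nonempty $_verdict"
}

# Run the check against sshd only when asked to: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    env_timing_verdict "$SSHD" -h
fi
```

A "slower-with-env" verdict is a reason to inspect the installed liblzma version, not a confirmation on its own.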