Message-ID: <6621D438.5080005@gmail.com>
Date: Thu, 18 Apr 2024 21:17:28 -0500
From: Jacob Bachmeyer
To: oss-security@lists.openwall.com
References: <20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de> <20240331202502.GA21116@openwall.com> <20240416225900.GA23474@openwall.com> <661F3331.3020408@gmail.com> <4eaf6a34fd8459284e1a6967c68db93f@ucc.asn.au>
In-Reply-To: <4eaf6a34fd8459284e1a6967c68db93f@ucc.asn.au>
Subject: Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

Matt Johnston wrote:
> On 2024-04-17 10:25 am, Jacob Bachmeyer wrote:
>
>> see that particular slowdown? (Not the backdoor initialization making
>> sshd take longer to start up---a running sshd taking longer to reject
>> a session for a nonexistent account, unless Andres Freund forgot to
>> tell us that he was running sshd from inetd and thereby including sshd
>> startup latency in his measurements.)
>
> Recent OpenSSH always re-execs for each incoming connection (for fresh
> ASLR) so it's always similar to inetd startup.

Aha! That explains it. There may not be another backdoor after all: if sshd always reinitializes by exec, it would incur the full startup delay for each connection, and the backdoor may actually be inert if the client requests publickey auth. Thank you for filling in the missing detail.

-- 
Jacob
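As an added example (not code from this thread, from OpenSSH or from the xz project), here is a small Python measurement of the metric this exchange turns on: seconds from TCP connect until the sshd identification banner arrives, which with per-connection re-exec includes the fresh child's library-load cost on every connection. The mock server, the `SSH-2.0-mock` banner and the injected delay are constructed so the script runs offline; the host and port passed to `sample_latency` are the only assumptions when pointing it at a real server.

```python
import socket
import statistics
import threading
import time


def time_to_banner(host: str, port: int, timeout: float = 5.0) -> float:
    """Seconds from connect() until the SSH identification line arrives.
    With per-connection re-exec, library-load work in the fresh sshd child
    (the backdoor's initialization included) lands in this interval."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        buf = b""
        while b"\n" not in buf:  # banner is "SSH-2.0-...\r\n"
            chunk = sock.recv(256)
            if not chunk:
                raise ConnectionError("server closed before sending a banner")
            buf += chunk
    return time.monotonic() - start


def sample_latency(host: str, port: int, n: int = 10) -> dict:
    """n sequential samples; a per-connection cost shifts the median."""
    samples = sorted(time_to_banner(host, port) for _ in range(n))
    return {"median": statistics.median(samples),
            "max": samples[-1], "samples": samples}


def start_mock_sshd(delay: float) -> int:
    """Constructed stand-in for sshd (not a real server): sleeps `delay`
    before each banner, like a re-exec'd child paying startup cost per
    accepted connection. Returns the bound loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            conn, _ = srv.accept()
            time.sleep(delay)  # simulated per-connection startup cost
            conn.sendall(b"SSH-2.0-mock\r\n")
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_mock_sshd(0.3)  # 300 ms of injected per-connection cost
    print(sample_latency("127.0.0.1", port, n=5)["median"])
```

Pointed at a real sshd, a median consistently above that of a known-good host is the per-connection excess this message is about, as distinct from a one-off daemon startup cost that would not recur per connection.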