Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of it's "great new features". We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added). We had to race last night to fix the problem after an inadvertent break of the embargo.
He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.
Yikes! Do you have any info on the individual's background or possible motivations?
Yikes indeed. This fix is being rolled out very fast, but what about the entire rest of the codebase? And scripts? I mean, years of access? I'd trust no aspect of this code until a full audit is done, at least of every patch this author contributed.
(note: not referring to fedora here, a current fix is required. But just generally. As in, everyone is rolling out this fix, but... I mean, this codebase is poison in my eyes without a solid audit)
This seems to be the account, correct me if wrong (linked from the security email commit link):
https://github.com/JiaT75
I hope authors of all these projects have been alerted.
STest - Unit testing framework for C/C++. Easy to use by simply dropping stest.c and stest.h into your project!
libarchive/libarchive - Multi-format archive and compression library
Seatest - Simple C based Unit Testing
Everything this account has done should be investigated.
Woha, is this legit or some sort of scam on Google in some way?:
https://github.com/google/oss-fuzz/pull/11587
edit: I have to be missing something, or I'm confused. The above author seems to be primary contact for xz? Have they just taken over?? Or did the bad commit come from another source, and a legit person applied it?
A bit confused here.
The concern about other projects is fine, but let's be careful with attacks directed at the person.
Maybe their account is compromised, maybe the username borrows the identity of an innocent person with the same name.
Focus on the code, not people. No point forming a mob.
(e: post above was edited and is no longer directed at the person. thanks for the edit.)
They appear to have moved carefully to set this up over the course of weeks by setting up the framework to perform this attack.
I would now presume this person to be a hostile actor and their contributions anywhere and everywhere must be audited. I would not wait for them to cry 'but my bother did it', because an actual malicious actor would say the same thing. The 'mob' should be pouring over everything they've touched.
Audit now and audit aggressively.
My above post shows the primary domain for xz moving from tukaani.org to xz.tukaani.org. While it's hosted on github:
$ host xz.tukaani.org
host xz.tukaani.org is an alias for tukaani-project.github.io.
And originally it was not:
$ host tukaani.org
tukaani.org has address 5.44.245.25 (seemingly in Finland)
It was moved there in Jan of this year, as per the commit listed in my prior post. By this same person/account. This means that instead of Lasse Collin's more restrictive webpage, an account directly under the control of the untrusted account, is now able to edit the webpage without anyone else's involvement.
For example, to make subtle changes in where to report security issues to, and so on.
So far I don't see anything nefarious, but at the same time, isn't this the domain/page hosting bad tarballs too?
Hetzner?
No:
Interesting, seems to be a tiny finnish hosting company: https://www.zoner.fi/english/
This account changed the instructions for reporting security issues in the xz github as their very last commit:
Seems innocuous, but maybe they were planning further changes.Seems like an attempt to get 90 days of "use" of this vulnerability after discovery. If they only had checked performance before!
It's important to focus on people, not just code, when suspecting an adversary. Now, I have no idea if this is the right account, and if it has recently been compromised/sold/lost, or if it has always been under the ownership of the person who committed the backdoor. But IF this is indeed the right account, then it's important to block any further commit from it to any project, no matter how innocuous it seems, and to review thoroughly any past commit. For the most security-conscious projects, it would be a good idea to even consider reverting and re-implementing any work coming from this account if it's not fully understood.
An account that has introduced a backdoor is not the same thing as an account who committed a bug.
I agree we should look at the account and its contributions, I make a distinction between the account and the person.
Sometimes the distinction is not meaningful, but better safe than sorry.
If the owner of the account is innocent and their account was compromised, it's on them to come out and say that. All signs currently point to the person being a malicious actor, so I'll proceed on that assumption.
Does the person exist at all? Maybe they're a persona of a team working at some three letter agency...
Oh no, not libarchive! GitHub search shows 6 pull requests were merged back in 2021.
https://github.com/search?q=repo%3Alibarchive%2Flibarchive+j...
It does look innocent enough though. Let's hope there's no unicode trickery involved...
Maybe not. They removed safe_fprintf() here and replaced it with the (unsafe) fprintf().
https://github.com/libarchive/libarchive/commit/e37efc16c866...
If libarchive is also backdoored, would that allow specifically crafted http gzip encoded responses to do bad things?
What software is using libarchive to decode HTTP responses?
I don't know, way outside my domain. Possibly none I guess?
The PR is pretty devious.
JiaT75 claims is "Added the error text when printing out warning and errors in bsdtar when untaring. Previously, there were cryptic error messages" and cites this as fixing a previous issue.
https://github.com/libarchive/libarchive/pull/1609
However it doesn't actually do that!
The PR literally removes a new line between 2 arguments on the first `safe_fprintf()` call, and converts the `safe_fprintf()` to unsafe direct calls to `fprintf()`. In all cases, the arguments to these functions are exactly the same! So it doesn't actually make the error messages any different, it doesn't actually solve the issue it references. And the maintainer accepted it with no comments!
tldr: holy shit we need to audit every PR this account has ever made to a public project.
But I see the "strerror" call is added
reread it...
It does remove the safe prefixes... But it also adds one print statement to "strerror()", which could plausibly give better explanations for the error code...
The only suspicious thing here is the lack for safe_ prefix (and the potential for the strerror() function to already be backdoored elsewhere in another commit)
JiaT75 also has commits in wasmtime according to https://hachyderm.io/@joeyh/112180082372196735
per https://hachyderm.io/@bjorn3/112180226784517099, "The only contribution by them to Wasmtime is a doc change. No actual code or binary blobs have been changed by them."
Just a documentation change, fortunately:
https://github.com/bytecodealliance/wasmtime/commits?author=...
They've submitted little documentation tweaks to other projects, too; for example:
https://learn.microsoft.com/en-us/cpp/overview/whats-new-cpp...
I don't know whether this is a formerly-legitimate open source contributor who went rogue, or a deep-cover persona spreading innocuous-looking documentation changes around to other projects as a smokescreen.
They made themselves the primary contact for xz for Google oss-fuzz about one year ago: https://github.com/google/oss-fuzz/commit/6403e93344476972e9...
That looks like a repo that would sound alarms if you look at it from a security standpoint.
Well that account also did most of the releases since 5.4.0.
There is zero web presence for this person and associated email address.
Looks more likely a fake identity than compromised account.
Actually the "jiat0218" user part in his email address jiat0218@gmail.com has a bunch of matches on Taiwanese sites:
https://char.tw/blog/post/24397301
https://forum.babyhome.com.tw/topic/167439
https://bmwcct.com.tw/forums/thread1828.html
Did you check Chinese social media?
I handed over all the emails I received to the security team, who I guess will send them "higher". I'll let them analyse it.
Given the recent ( not so recent ) attacks/"bugs" I feel there is a need to do more than the already hard task of investigating and detecting attacks but also to bring IRL consequences to these people.
My understanding is that right now it's pretty much a name and shame of people who most of the time aren't even real "people" but hostile agents either working for governments or criminal groups ( or both )
Getting punched in the face is actually a necessary human condition for a healthy civilization.
In the article it says CISA was notified - that sounds like it's going to be a federal investigation if nothing else. If I was this person, I wouldn't be in the USA (or any US friendly nation) ASAP.
One of Jia Tan's recent contributions is "Speed up CRC32 calculation on LoongArch" I would guess the odds are that this is not someone in the US.
Yeah I saw that - I wouldn't bet on them being in the US but who knows. Maybe they just really love CRC32 ;) And introducing backdoors (if it that was them not an account takeover).
Those tarballs are PGP signed, too..
I think this has been in the making for almost a year. The whole ifunc infrastructure was added in June 2023 by Hans Jansen and Jia Tan. The initial patch is "authored by" Lasse Collin in the git metadata, but the code actually came from Hans Jansen: https://github.com/tukaani-project/xz/commit/ee44863ae88e377...
https://github.com/tukaani-project/xz/pull/53
There were a ton of patches by these two subsequently because the ifunc code was breaking with all sorts of build options and obviously caused many problems with various sanitizers. Subsequently the configure script was modified multiple times to detect the use of sanitizers and abort the build unless either the sanitizer was disabled or the use of ifuncs was disabled. That would've masked the payload in many testing and debugging environments.
The hansjans162 Github account was created in 2023 and the only thing it did was add this code to liblzma. The same name later applied to do a NMU at Debian for the vulnerable version. Another "<name><number>" account (which only appears here, once) then pops up and asks for the vulnerable version to be imported: https://www.mail-archive.com/search?l=debian-bugs-dist@lists...
Also I see this PR: https://github.com/tukaani-project/xz/pull/64
Also I saw this hans jansen user pushing for merging the 5.6.1 update in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
for example, https://github.com/google/oss-fuzz/pull/10667
I wonder who the target was!
Unfortunately, this is how good bad actors work: with a very long-term point of view. There is no “harmless” project any more.
Fascinating. Just yesterday the author added a `SECURITY.md` file to the `xz-java` project.
Reading that in a different light, it says give me time to adjust my exploits and capitalize on any targets. Makes me wonder what other vulns might exist in the author's other projects.
Yesterday sure was fun wasn't it :p Thanks for all your help/working with me on getting this cleaned up in Fedora.
Sleeper.