top | item 40984754

hiisukun | 1 year ago

I guess for those not sure of the context: The user Jia Tan added exploit code to the 'xz' tool as part of a larger deal. Wikipedia has a page on it here [1].

In this post, they are discussing some changes to print code specifically for the libarchive project, and some notable personalities in the security community chime in, including Colin Percival (Tarsnap among others) and Taviso (Google Project Zero among others).

[1] https://en.wikipedia.org/wiki/XZ_Utils_backdoor

throw0101c | 1 year ago

> The user Jia Tan added exploit code to the 'xz' tool as part of a larger deal.

Various discussions on this backdoor (in rough chronological order):

* Backdoor in upstream xz/liblzma leading to SSH server compromise:† https://news.ycombinator.com/item?id=39865810

* What we know about the xz Utils backdoor that almost infected the world: https://news.ycombinator.com/item?id=39891607

* How the XZ Backdoor Works: https://news.ycombinator.com/item?id=39911311

* The xz sshd backdoor rabbithole goes quite a bit deeper: https://news.ycombinator.com/item?id=39956455

* XZ backdoor story – Initial analysis: https://news.ycombinator.com/item?id=40017310

† Original report, AFAICT.