On Mon, Apr 1, 2024 at 4:34 AM Nate Bargmann <n...@n0nb.us> wrote:
>
> * On 2024 31 Mar 20:46 -0500, Andy Smith wrote:
> > In the xz case the further you go looking for a root cause the wider
> > the implications are:
> >
> > Q: Why was there a back door in sshd?
> > A: Because some malicious code was linked to it.
> >
> > Q: How did malicious code get linked to it?
> > A: Its lzma dependency was compromised.
>
> From what I have read, lzma is not a direct dependency of openssh. It
> turns out that lzma is a dependency of libsystemd and that
> relationship affected openssh.
>
> Jacob Bachmeyer in analysis
> (https://lists.gnu.org/archive/html/automake/2024-04/msg00000.html)
> says:
>
> Lastly on this topic, some of the blame for this needs to fall on the
> systemd maintainers and their "katamari" architecture. There is no good
> reason for notifications of daemon startup to pull in liblzma, but using
> libsystemd for that purpose does exactly that, and ended up getting
> xz-utils targeted as a means of getting to sshd without the OpenSSH
> maintainers noticing.
>
> End quote.
It looks like SELinux is a larger problem than Systemd:
<https://www.openwall.com/lists/oss-security/2024/03/31/9>.

Systemd already dropped the liblzma dependency, but they did it for a
smaller initram image, and not to reduce attack surface.

Jeff
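The transitive chain the thread describes (sshd -> libsystemd -> liblzma) is the kind of thing a maintainer can check from `readelf -d` NEEDED entries. The following is an added example, not code from the thread or any of the projects mentioned; it assumes a build where sshd links libsystemd directly, and the `readelf -d` excerpts it parses are constructed, not captured from a real system.

```python
"""Find the shortest NEEDED chain from a binary to a given shared library.

Input is the text of `readelf -d <object>` per ELF object, keyed by soname
or file name. The sample graph below is constructed to mirror the chain
discussed in the thread; it is not real output from any system.
"""
import re
from collections import deque

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

# Constructed `readelf -d` excerpts; only the (NEEDED) lines matter.
SAMPLE_READELF = {
    "sshd": """
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libsystemd.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
""",
    "libsystemd.so.0": """
 0x0000000000000001 (NEEDED)             Shared library: [liblzma.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
""",
    "libcrypto.so.3": """
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
""",
    "liblzma.so.5": """
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
""",
    "libc.so.6": "",
}


def parse_needed(readelf_text):
    """Return the NEEDED sonames, in order, from `readelf -d` output."""
    return NEEDED_RE.findall(readelf_text)


def dependency_path(graph, start, target):
    """Breadth-first search for the shortest NEEDED chain start -> target.

    Returns e.g. ['sshd', 'libsystemd.so.0', 'liblzma.so.5'], or None when
    target is unreachable, so you can see which direct dependency pulls it in.
    """
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for dep in parse_needed(graph.get(node, "")):
            if dep not in parent:
                parent[dep] = node
                queue.append(dep)
    return None


if __name__ == "__main__":
    print(dependency_path(SAMPLE_READELF, "sshd", "liblzma.so.5"))
```

On a real host, replace the constructed dictionary with the output of `readelf -d` for the binary and each library it names, resolved through the loader search path.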