On Sat, Mar 30, 2024 at 1:08 PM Dave Ihnat <dih...@dminet.com> wrote: > > Didn't see this go by, but it looks hot enough to risk a repeat posting. > From a friend: > > It appears there's been a very serious effort to backdoor sshd on > Linux via the xz compression/decompression system. > > https://www.openwall.com/lists/oss-security/2024/03/29/4 > > If you have anything running very recent Linux, it's worth investigating > whether you're affected. > > IBM Red Hat says, if you're running Fedora 40 or Fedora Rawhide: > > > PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA > > RAWHIDE INSTANCES for work or personal activity. > > The identity that did this got to the point of being not only an xz > maintainer but a Linux kernel contributor, and contributed to a number > of other Open Source projects as well over the course of years. The > identity may have been compromised to do this, or may have been created > to do this, and may have used other contributions to build rapport or > to compromise more projects as well. > > I looked at the detection script available at the URL in the posting. It's > harmless at worst (don't know yet if it can detect anything).
It looks like more analysis has revealed this is a RCE with the payload in the modulus of a public key: "The payload is extracted from the N value (the public key) passed to RSA_public_decrypt, checked against a simple fingerprint, and decrypted with a fixed ChaCha20 key before the Ed448 signature verification..." Also see <https://www.openwall.com/lists/oss-security/2024/03/30/36>. Jeff -- _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
