List: oss-security
Subject: Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise
From: Michael Tokarev <mjt () tls ! msk ! ru>
Date: 2024-03-31 21:40:14
Message-ID: 209944de-d819-43e2-8228-e2c94aaf748c () tls ! msk ! ru
31.03.2024 23:55, Solar Designer:
>> poettering 2 days ago (2024-03-29)
>> Libselinux pulls in liblzma too and gets linked into tons more programs
>> than libsystemd. And will end up in sshd too (at the very least via
>> libpam/pam_selinux). And most of the really big distros tend to support
>> selinux at least to some level. Hence systemd or not, sshd remains
>> vulnerable by this specific attack.
>>
>> With that in mind libsystemd git dropped the dep on liblzma actually,
>> all compressors are now dlopen deps and thus only pulled in when needed.
>
> The libselinux concern is important. I've just checked a few systems
> where libsystemd does pull liblzma, and on those libselinux does not.
> However, I guess such systems do exist too? PAM modules would have been
> too late for the current backdoor, but the backdoor could be different
> if that were the vector it needed to target.
As has been said elsewhere, apparently the libselinux dependency on liblzma
is actually an error coming from here:
https://src.fedoraproject.org/rpms/libselinux/blob/rawhide/f/libselinux.spec#_22
which is just a .spec file remnant from a redhat-specific patch from some
distant past which has been dropped long ago.
/mjt
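The thread above turns on a linking question: does sshd end up with liblzma mapped into its address space, and if so through which intermediate library (libsystemd, libselinux, or a PAM module)? The following is an added example written for this page, not code from the thread or from any of the projects mentioned. It parses `ldd` output to answer the first question and walks a DT_NEEDED table (the kind `readelf -d` prints) to answer the second. The `ldd` output and the dependency table below are constructed samples for a hypothetical system where sshd links libsystemd and libsystemd links liblzma; the library paths and load addresses are illustrative, not taken from any real host.

```python
"""Added example: does a binary (e.g. sshd) transitively load liblzma, and via which
direct dependency? Sample data below is constructed, not from the oss-security thread."""
import os
import shutil
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `ldd /usr/sbin/sshd` on a hypothetical host where
# libsystemd is linked into sshd and pulls in liblzma. Paths/addresses are made up.
SAMPLE_LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd1a3f0000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0a1c000000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0a1bf00000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0a1be00000)
\tlibselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f0a1bd00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1ba00000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f0a1c200000)
"""

# Constructed DT_NEEDED tables (what `readelf -d <file>` lists as NEEDED) for the
# same hypothetical host, keyed by the binary path or the library soname.
SAMPLE_NEEDED: Dict[str, List[str]] = {
    "/usr/sbin/sshd": ["libcrypto.so.3", "libsystemd.so.0", "libselinux.so.1", "libc.so.6"],
    "libcrypto.so.3": ["libc.so.6"],
    "libsystemd.so.0": ["liblzma.so.5", "libc.so.6"],
    "libselinux.so.1": ["libc.so.6"],
    "liblzma.so.5": ["libc.so.6"],
    "libc.so.6": [],
}


def parse_ldd(output: str) -> Dict[str, Optional[str]]:
    """Map each soname in ldd output to its resolved path (None for vdso/ld.so/not found)."""
    libs: Dict[str, Optional[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " => " in line:
            soname, rest = line.split(" => ", 1)
            # "libfoo.so => not found" has no address; everything else is "path (0x...)"
            libs[soname] = None if rest.startswith("not found") else rest.split(" ")[0]
        else:
            # vdso and the dynamic loader are listed without "=>"
            libs[line.split(" ")[0]] = None
    return libs


def loads_library(ldd_output: str, prefix: str = "liblzma.so") -> bool:
    """True if any library in the ldd output has the given soname prefix."""
    return any(soname.startswith(prefix) for soname in parse_ldd(ldd_output))


def find_paths_to(needed: Dict[str, List[str]], root: str,
                  target_prefix: str = "liblzma.so") -> List[List[str]]:
    """Depth-first walk over DT_NEEDED edges from root; returns every chain
    root -> ... -> target so the offending direct dependency is visible."""
    chains: List[List[str]] = []

    def walk(node: str, chain: List[str]) -> None:
        if node.startswith(target_prefix):
            chains.append(chain)
            return
        for dep in needed.get(node, []):
            if dep not in chain:  # guard against dependency cycles
                walk(dep, chain + [dep])

    walk(root, [root])
    return chains


def live_check(binary: str = "/usr/sbin/sshd", prefix: str = "liblzma.so") -> Optional[bool]:
    """Run ldd on a real binary when both exist; None when the check cannot run."""
    ldd = shutil.which("ldd")
    if ldd is None or not os.path.exists(binary):
        return None
    proc = subprocess.run([ldd, binary], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return loads_library(proc.stdout, prefix)


if __name__ == "__main__":
    print("sample host loads liblzma:", loads_library(SAMPLE_LDD_OUTPUT))
    for chain in find_paths_to(SAMPLE_NEEDED, "/usr/sbin/sshd"):
        print("dependency chain:", " -> ".join(chain))
    print("this host's sshd loads liblzma:", live_check())
```

Two caveats matter for the point poettering raises. First, `ldd` and DT_NEEDED only show link-time dependencies: a library that loads its compressor with `dlopen()` at run time (as he says libsystemd git now does) will not appear here, so for the runtime picture inspect `/proc/<pid>/maps` of the running sshd or run it under `LD_DEBUG=libs`. Second, `ldd` works by invoking the dynamic loader, so on a host you suspect of being compromised prefer `readelf -d` or `objdump -p` on the files and feed their NEEDED entries into `find_paths_to`.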