
List:       oss-security
Subject:    Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise
From:       Michael Tokarev <mjt () tls ! msk ! ru>
Date:       2024-03-31 21:40:14
Message-ID: 209944de-d819-43e2-8228-e2c94aaf748c () tls ! msk ! ru

31.03.2024 23:55, Solar Designer:

>> poettering 2 days ago (2024-03-29)
>> Libselinux pulls in liblzma too and gets linked into tons more programs
>> than libsystemd. And will end up in sshd too (at the very least via
>> libpam/pam_selinux). And most of the really big distros tend to support
>> selinux at least to some level. Hence systemd or not, sshd remains
>> vulnerable by this specific attack.
>>
>> With that in mind libsystemd git dropped the dep on liblzma actually,
>> all compressors are now dlopen deps and thus only pulled in when needed.
> 
> The libselinux concern is important.  I've just checked a few systems
> where libsystemd does pull liblzma, and on those libselinux does not.
> However, I guess such systems do exist too?  PAM modules would have been
> too late for the current backdoor, but the backdoor could be different
> if that were the vector it needed to target.

As has been said elsewhere, apparently the libselinux dependency on liblzma
is actually an error coming from here:

https://src.fedoraproject.org/rpms/libselinux/blob/rawhide/f/libselinux.spec#_22

which is just a .spec file remnant from a redhat-specific patch from some
distant past which has been dropped long ago.

/mjt
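The thread above turns on a concrete question about a given system: which of sshd's direct shared-library dependencies (libsystemd? libselinux via pam_selinux?) transitively pull in liblzma. The script below is an added example for checking that on a host; it is not part of the thread and not code from the xz, systemd or SELinux projects. It assumes a glibc-style Linux toolchain with `ldd` plus `readelf` or `objdump` (binutils) available, and it reports only the loader's view of DT_NEEDED links, not libraries loaded later via dlopen (which is exactly the change poettering describes for libsystemd).

```shell
#!/bin/sh
# Added example (not from the thread): given an ELF binary, report which of its
# *direct* shared-library dependencies transitively pull in liblzma.
# Assumes ldd plus readelf or objdump; dlopen-time loads are not visible here.

# Print the direct DT_NEEDED sonames of an ELF file, one per line.
direct_needed() {
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$1" 2>/dev/null | sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p'
    elif command -v objdump >/dev/null 2>&1; then
        objdump -p "$1" 2>/dev/null | awk '$1 == "NEEDED" { print $2 }'
    fi
}

# Resolve a soname to the path the dynamic loader picks for BINARY, taken from
# ldd output lines of the form "libfoo.so.1 => /path/libfoo.so.1 (0x...)".
resolve_soname() {
    ldd "$1" 2>/dev/null | awk -v so="$2" '$1 == so && $2 == "=>" { print $3; exit }'
}

# lzma_chain BINARY
# Prints one line per direct dependency that reaches liblzma.
# Exit status: 0 = liblzma is reachable, 1 = not reachable,
#              2 = could not analyse (missing file or missing tools).
lzma_chain() {
    bin=$1
    [ -f "$bin" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    if ! command -v readelf >/dev/null 2>&1 && ! command -v objdump >/dev/null 2>&1; then
        return 2
    fi
    found=1
    for so in $(direct_needed "$bin"); do
        case $so in
            liblzma.so*)
                echo "$bin -> $so (direct DT_NEEDED)"
                found=0
                continue
                ;;
        esac
        path=$(resolve_soname "$bin" "$so")
        [ -n "$path" ] || continue
        # ldd on the dependency itself lists *its* transitive closure, so a
        # liblzma hit here means this direct dep is the bridge.
        if ldd "$path" 2>/dev/null | grep -q 'liblzma\.so'; then
            echo "$bin -> $so ($path) -> liblzma"
            found=0
        fi
    done
    return $found
}

# Usage on a host under review: lzma_chain /usr/sbin/sshd
```

Run it against the sshd binary (and, for the PAM angle, against the pam_selinux module itself, since PAM modules are dlopen'ed by sshd rather than linked) and the output names each direct dependency through which liblzma becomes reachable, which is the fact the replies above were establishing by hand.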