by db48x
815 days ago
Xz is an open-source compression program, as well as a library that can be used to help you write your own program that deals with compressed data. It is used by a fairly large number of other programs, one of which is OpenSSH. OpenSSH is an open-source program that allows remote users to access a computer, usually a server, provided they have the correct credentials (such as a valid password or encryption key). Xz has a reasonably venerable history, and has passed from maintainer to maintainer several times in the past. A few years ago, a new maintainer stepped in to take the job. A few weeks ago he released a new version of the Xz library. This new version crashed a number of times when it was incorporated into Debian (an open-source Linux distribution of similar venerability). These crashes were investigated, and a back door was discovered. The new version of Xz detects that it has been compiled into OpenSSH and adds its own code to the part of the program that checks the credentials of the user who is logging in. When an incoming connection is encrypted, the back door code checks the encrypted data for a message signed by the back door's author. If one is discovered, the message is executed immediately, instead of logging anyone in. This allows anyone with the right key to secretly execute arbitrary instructions on the targeted computer, usually with full root access. Obviously that's not something the Debian or OpenSSH developers want included in their programs.

"It is used by a fairly large number of other programs, one of which is OpenSSH." <-- This is false
Have a look:
https://ftp.OpenBSD.org/pub/OpenBSD/OpenSSH/portable/openssh...
If a person compiles sshd from source using above source code, then there is no vulnerability. OpenSSH does not use xz/liblzma.
Beware HN commenters/voters making false statements (and even trying to defend them against true statements).
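The two comments above disagree on whether sshd "uses" xz; the practical question for a defender is whether the sshd binary actually installed on a host loads liblzma at all (upstream OpenSSH does not link it, but a distribution's patched build can pull it in through another library). The script below is an added example, not code from either commenter: it parses `ldd` output for a given binary and reports whether liblzma is among its loaded libraries. It assumes a Linux host with `ldd`, and the sample `ldd` output embedded in it is constructed for the example, not captured from a real system. A positive result only means the vulnerable code path exists on that host; it does not by itself prove the backdoored release is installed.

```shell
#!/bin/sh
# Constructed sample of `ldd` output for an sshd build that loads liblzma
# transitively through libsystemd (constructed for this example, not real).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd00000000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

# lists_lib NAME: return 0 if the ldd output on stdin names NAME.so*
lists_lib() {
    grep -q "^[[:space:]]*$1\.so"
}

# lib_path NAME: print the resolved path ldd reports for NAME.so*, if any
lib_path() {
    awk -v lib="$1" '$1 ~ "^" lib "\\.so" && $2 == "=>" { print $3; exit }'
}

# sshd_loads_liblzma [PATH]: inspect the real sshd binary on this host.
# Exit status: 0 = liblzma is loaded, 1 = not loaded, 2 = sshd not found.
sshd_loads_liblzma() {
    bin=${1:-$(command -v sshd 2>/dev/null)}
    [ -n "$bin" ] && [ -x "$bin" ] || { echo "sshd binary not found" >&2; return 2; }
    ldd "$bin" 2>/dev/null | lists_lib liblzma
}

# Set CHECK=1 to run against the host's own sshd (no output otherwise, so the
# functions can be sourced and reused without side effects).
if [ -n "${CHECK:-}" ]; then
    sshd_loads_liblzma "${SSHD_BIN:-}"
    case $? in
        0) echo "sshd loads liblzma: $(ldd "${SSHD_BIN:-$(command -v sshd)}" | lib_path liblzma)" ;;
        1) echo "sshd does not load liblzma" ;;
        *) echo "could not inspect sshd" ;;
    esac
fi
```

Run it as `CHECK=1 sh check.sh` (or `SSHD_BIN=/path/to/sshd CHECK=1 sh check.sh`) to test the host's own binary; the constructed sample only exercises the parsing functions.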