
I guess for those not sure of the context: The user Jia Tan added exploit code to the 'xz' tool as part of a larger deal. Wikipedia has a page on it here [1].

In this post, they are discussing some changes to print code specifically for the libarchive project, and some notable personalities in the security community chime in, including Colin Percival (Tarsnap among others) and Taviso (Google Project Zero among others).

[1] https://en.wikipedia.org/wiki/XZ_Utils_backdoor



> The user Jia Tan added exploit code to the 'xz' tool as part of a larger deal.

Various discussions on this backdoor (in rough chronological order):

* Backdoor in upstream xz/liblzma leading to SSH server compromise:† https://news.ycombinator.com/item?id=39865810

* What we know about the xz Utils backdoor that almost infected the world: https://news.ycombinator.com/item?id=39891607

* How the XZ Backdoor Works: https://news.ycombinator.com/item?id=39911311

* The xz sshd backdoor rabbithole goes quite a bit deeper: https://news.ycombinator.com/item?id=39956455

* XZ backdoor story – Initial analysis: https://news.ycombinator.com/item?id=40017310

† Original report, AFAICT.


> XZ backdoor story – Initial analysis

Here are parts 2 and 3 (weren't discussed on HN):

> Part 2: Assessing the Y, and How, of the XZ Utils incident (social engineering)

https://securelist.com/xz-backdoor-story-part-2-social-engin...

> Part 3: XZ backdoor. Hook analysis

https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007...


Something tells me that somewhere deep in a military facility somewhere, somebody is getting court-martialled, if not downright worse (after having been found out, I mean ...)

  PS. Or some "unaffiliated" group somewhere is getting their SOF cut off ...



