undefined | Better HN

0 pointsfullstop2y ago0 comments

Also thanks to Debian for modifying openssh.

0 comments

6 comments · 1 top-level

cassianoleal2y ago· 5 in thread

You're not wrong. Had Debian not patched it in this way, OP might have never found it, leaving all other distros who do the same vulnerable.

Note that OP found this in Debian sid as well, which means it's highly unlikely this issue will find its way into any Debian stable systems.

fullstopOP2y ago

Right, the systemd notification framework is very simple and I've used it in my projects. I didn't even know that libsystemd provided an implementation.

My Arch system was not vulnerable because openssh was not linked to xz.

IMO every single commit from JiaT75 should be reviewed and maybe even rolled back, as they have obliterated their trust.

edit:

https://github.com/google/oss-fuzz/pull/10667

Even this might be nefarious.

gopher_space2y ago

> the systemd notification framework is very simple and I've used it in my projects

Have you come across an outline or graph of systemd that you really like, or maybe a good example of a minimal setup?

SAI_Peregrinus2y ago

If they hadn't been modifying SSH their users would never have been hit by this backdoor. Of course if it is actually intended to target SSH on Debian systems, the attacker would likely have picked a different dependency. But adding dependencies like Debian did here means that those dependencies aren't getting reviewed by the original authors. For security-critical software like OpenSSH such unaudited dependencies are prime targets for attacks like this.

cassianoleal2y ago

My point was, this is not "Debian did a thing". Lots of other distros do the same thing. In this particular case, it was in fact fortunate for users of all these other distros that Debian did it, lest this vulnerability might have never been found!

Also, only users on sid (unstable) and maybe testing seem to have been affected. I doubt there are many Debian servers out there running sid.

Debian stable (bookworm) has xz-utils version 5.4.1: https://packages.debian.org/bookworm/xz-utils

2 more replies

sitkack2y ago

It takes a village.

j / k navigate · click thread line to collapse