undefined | Better HN

0 pointsb1122y ago0 comments

Yikes indeed. This fix is being rolled out very fast, but what about the entire rest of the codebase? And scripts? I mean, years of access? I'd trust no aspect of this code until a full audit is done, at least of every patch this author contributed.

(note: not referring to fedora here, a current fix is required. But just generally. As in, everyone is rolling out this fix, but... I mean, this codebase is poison in my eyes without a solid audit)

0 comments

b112OP2y ago

This seems to be the account, correct me if wrong (linked from the security email commit link):

https://github.com/JiaT75

I hope authors of all these projects have been alerted.

STest - Unit testing framework for C/C++. Easy to use by simply dropping stest.c and stest.h into your project!

libarchive/libarchive - Multi-format archive and compression library

Seatest - Simple C based Unit Testing

Everything this account has done should be investigated.

Woha, is this legit or some sort of scam on Google in some way?:

https://github.com/google/oss-fuzz/pull/11587

edit: I have to be missing something, or I'm confused. The above author seems to be primary contact for xz? Have they just taken over?? Or did the bad commit come from another source, and a legit person applied it?

A bit confused here.

tux32y ago

The concern about other projects is fine, but let's be careful with attacks directed at the person.

Maybe their account is compromised, maybe the username borrows the identity of an innocent person with the same name.

Focus on the code, not people. No point forming a mob.

(e: post above was edited and is no longer directed at the person. thanks for the edit.)

simiones2y ago

It's important to focus on people, not just code, when suspecting an adversary. Now, I have no idea if this is the right account, and if it has recently been compromised/sold/lost, or if it has always been under the ownership of the person who committed the backdoor. But IF this is indeed the right account, then it's important to block any further commit from it to any project, no matter how innocuous it seems, and to review thoroughly any past commit. For the most security-conscious projects, it would be a good idea to even consider reverting and re-implementing any work coming from this account if it's not fully understood.

An account that has introduced a backdoor is not the same thing as an account who committed a bug.

tux32y ago

I agree we should look at the account and its contributions, I make a distinction between the account and the person.

Sometimes the distinction is not meaningful, but better safe than sorry.

1 more reply

kevin_b_er2y ago

They appear to have moved carefully to set this up over the course of weeks by setting up the framework to perform this attack.

I would now presume this person to be a hostile actor and their contributions anywhere and everywhere must be audited. I would not wait for them to cry 'but my bother did it', because an actual malicious actor would say the same thing. The 'mob' should be pouring over everything they've touched.

Audit now and audit aggressively.

b112OP2y ago

My above post shows the primary domain for xz moving from tukaani.org to xz.tukaani.org. While it's hosted on github:

$ host xz.tukaani.org

host xz.tukaani.org is an alias for tukaani-project.github.io.

And originally it was not:

$ host tukaani.org

tukaani.org has address 5.44.245.25 (seemingly in Finland)

It was moved there in Jan of this year, as per the commit listed in my prior post. By this same person/account. This means that instead of Lasse Collin's more restrictive webpage, an account directly under the control of the untrusted account, is now able to edit the webpage without anyone else's involvement.

For example, to make subtle changes in where to report security issues to, and so on.

So far I don't see anything nefarious, but at the same time, isn't this the domain/page hosting bad tarballs too?

3 more replies

mort962y ago

If the owner of the account is innocent and their account was compromised, it's on them to come out and say that. All signs currently point to the person being a malicious actor, so I'll proceed on that assumption.

londons_explore2y ago

Does the person exist at all? Maybe they're a persona of a team working at some three letter agency...

2 more replies

ikmckenz2y ago

> The above author seems to be primary contact for xz?

They made themselves the primary contact for xz for Google oss-fuzz about one year ago: https://github.com/google/oss-fuzz/commit/6403e93344476972e9...

bed992y ago

A SourceGraph search like this shows https://sourcegraph.com/search?q=context:global+JiaT75&patte...

- Jia Tan <jiat75@gmail.com>

- jiat75 <jiat0218@gmail.com>

``` amap = generate_author_map("xz")

        test_author = amap.get_author_by_name("Jia Cheong Tan")

        self.assertEqual(
            test_author.names, {"Jia Cheong Tan", "Jia Tan", "jiat75"}

        )

        self.assertEqual(

            test_author.mail_addresses,

            {"jiat0218@gmail.com", "jiat75@gmail.com"}

        )

```

berdario2y ago

I tried to understand the significance of this (parent maybe implied that they reused a completely fictitious identity generated by some test code), and I think this is benign.

That project just includes some metadata about a bunch of sample projects, and it links directly to a mirror of the xz project itself:

https://github.com/se-sic/VaRA-Tool-Suite/blob/982bf9b9cbf64...

I assume it downloads the project, examines the git history, and the test then ensures that the correct author name and email addresses are recognized.

(that said, I haven't checked the rest of the project, so I don't know if the code from xz is then subsequently built, and or if this other project could use that in an unsafe manner)

pryce2y ago

additionally, even though the commit messages they've made are mostly plain, there may be features of their commit messages that could provide leads, such as his using what looks like a very obscure racist joke of referring to a gitignore file as a 'gitnigore'. There's barely a handful of people on the whole planet making this 'joke'.

berdario2y ago

Can you point to where you saw that racist joke?

I don't see anything at https://sourcegraph.com/search?q=context:global+author:jiat0...

1 more reply

Bulat_Ziganshin2y ago

i think it's American trauma. outside of the Western hemisphere, sexist and racist jokes are just jokes

AnarchismIsCool2y ago

Pretty sure this is just a typo...

KomoD2y ago

Interesting thing about this jiat75@gmail.com email is that it seems to not exist?

The google account: "Couldn't find your Google Account"

The email: "50 5.1.1 The email account that you tried to reach does not exist"

But then when you try to register it says it's taken.

Was it disabled?

bed992y ago

I'd say at this point all major tech companies, ISPs and authorities should have more enough information and disabling and freezing their accounts would be the first step.

Flame2y ago

This can happen if you delete your old gmail account. Source: I deleted a gmail account I shouldn't have years ago. It will say taken if it previously existed, and was deleted.

soraminazuki2y ago

Oh no, not libarchive! GitHub search shows 6 pull requests were merged back in 2021.

https://github.com/search?q=repo%3Alibarchive%2Flibarchive+j...

It does look innocent enough though. Let's hope there's no unicode trickery involved...

steelframe2y ago

Maybe not. They removed safe_fprintf() here and replaced it with the (unsafe) fprintf().

https://github.com/libarchive/libarchive/commit/e37efc16c866...

dchest2y ago

That seems to be fine. safe_fprintf() takes care of non-printable characters. It's used for archive_entry_pathname, which can contain them, while "unsafe" fprintf is used to print out archive_error_string, which is a library-provided error string, and strerror(errno) from libc.

2 more replies

buildbot2y ago

If libarchive is also backdoored, would that allow specifically crafted http gzip encoded responses to do bad things?

2 more replies

billyhoffman2y ago

EDIT: Ahh, I was wrong and missed the addition of "strerror"

The PR is pretty devious.

JiaT75 claims is "Added the error text when printing out warning and errors in bsdtar when untaring. Previously, there were cryptic error messages" and cites this as fixing a previous issue.

https://github.com/libarchive/libarchive/pull/1609

However it doesn't actually do that!

The PR literally removes a new line between 2 arguments on the first `safe_fprintf()` call, and converts the `safe_fprintf()` to unsafe direct calls to `fprintf()`. In all cases, the arguments to these functions are exactly the same! So it doesn't actually make the error messages any different, it doesn't actually solve the issue it references. And the maintainer accepted it with no comments!

3 more replies

davexunit2y ago

JiaT75 also has commits in wasmtime according to https://hachyderm.io/@joeyh/112180082372196735

mintplant2y ago

Just a documentation change, fortunately:

https://github.com/bytecodealliance/wasmtime/commits?author=...

They've submitted little documentation tweaks to other projects, too; for example:

https://learn.microsoft.com/en-us/cpp/overview/whats-new-cpp...

I don't know whether this is a formerly-legitimate open source contributor who went rogue, or a deep-cover persona spreading innocuous-looking documentation changes around to other projects as a smokescreen.

bombcar2y ago

Minor documentation change PRs is a well known tactic used to make your GitHub profile look better (especially to potential employers).

He could be doing the same thing for other reasons; nobody really digs into anything very deep so I could see someone handing over co-maintenance to a project based on a decent looking Github graph and some reasonability.

mysidia2y ago

Consider the possibility those type of submissions were part of the adversary's strategy in order to make their account appear more legitimate rather than appearing out of nowhere wanting to become the maintainer of some project.

pinko2y ago

per https://hachyderm.io/@bjorn3/112180226784517099, "The only contribution by them to Wasmtime is a doc change. No actual code or binary blobs have been changed by them."

metzmanj2y ago

>Woha, is this legit or some sort of scam on Google in some way?:

I work on OSS-Fuzz.

As far as I can tell, the author's PRs do not compromise OSS-Fuzz in any way.

OSS-Fuzz doesn't trust user code for this very reason.

packetlost2y ago

It looks more like they disabled a feature of oss-fuzz that would've caught the exploit, no?

metzmanj2y ago

That's what people are saying though I haven't had the chance to look into this myself.

Fuzzing isn't really the best tool for catching bugs the maintainer intentionally inserted though.

1 more reply

jnxx2y ago

There is also a variety of new, parallelized implementations of compression algorithms which would be good to have a close look at. Bugs causing undefined behaviour in parallel code are notoriously hard to see, and the parallel versions (which are actually much faster) could be take the place of well-established programs which have earned a lot of trust.

Zetobal2y ago

That looks like a repo that would sound alarms if you look at it from a security standpoint.

formerly_proven2y ago

Well that account also did most of the releases since 5.4.0.

alwaysbeconsing2y ago

+1 Can see from project homepage http://web.archive.org/web/20240329165859/https://xz.tukaani... they have some release responsibility from 5.2.12.

> Versions 5.2.12, 5.4.3 and later have been signed with Jia Tan's OpenPGP key . The older releases have been signed with Lasse Collin's OpenPGP key .

It must be assume that before acquiring that privilege, they also contributed code to project. Probably most was to establish respectable record. Still could be malicious code going back someways.

0x02y ago

Looks like the Jia Tan OpenPGP key was replaced a few months ago as well: https://github.com/tukaani-project/tukaani-project.github.io...

j / k navigate · click thread line to collapse

0 comments

b112OP2y ago

This seems to be the account, correct me if wrong (linked from the security email commit link):

https://github.com/JiaT75

I hope authors of all these projects have been alerted.

STest - Unit testing framework for C/C++. Easy to use by simply dropping stest.c and stest.h into your project!

libarchive/libarchive - Multi-format archive and compression library

Seatest - Simple C based Unit Testing

Everything this account has done should be investigated.

Woha, is this legit or some sort of scam on Google in some way?:

https://github.com/google/oss-fuzz/pull/11587

A bit confused here.

tux32y ago

The concern about other projects is fine, but let's be careful with attacks directed at the person.

Maybe their account is compromised, maybe the username borrows the identity of an innocent person with the same name.

Focus on the code, not people. No point forming a mob.

(e: post above was edited and is no longer directed at the person. thanks for the edit.)

simiones2y ago

An account that has introduced a backdoor is not the same thing as an account who committed a bug.

tux32y ago

I agree we should look at the account and its contributions, I make a distinction between the account and the person.

Sometimes the distinction is not meaningful, but better safe than sorry.

1 more reply

kevin_b_er2y ago

They appear to have moved carefully to set this up over the course of weeks by setting up the framework to perform this attack.

Audit now and audit aggressively.

b112OP2y ago

My above post shows the primary domain for xz moving from tukaani.org to xz.tukaani.org. While it's hosted on github:

$ host xz.tukaani.org

host xz.tukaani.org is an alias for tukaani-project.github.io.

And originally it was not:

$ host tukaani.org

tukaani.org has address 5.44.245.25 (seemingly in Finland)

For example, to make subtle changes in where to report security issues to, and so on.

So far I don't see anything nefarious, but at the same time, isn't this the domain/page hosting bad tarballs too?

3 more replies

mort962y ago

londons_explore2y ago

Does the person exist at all? Maybe they're a persona of a team working at some three letter agency...

2 more replies

ikmckenz2y ago

> The above author seems to be primary contact for xz?

They made themselves the primary contact for xz for Google oss-fuzz about one year ago: https://github.com/google/oss-fuzz/commit/6403e93344476972e9...

bed992y ago

A SourceGraph search like this shows https://sourcegraph.com/search?q=context:global+JiaT75&patte...

- Jia Tan <jiat75@gmail.com>

- jiat75 <jiat0218@gmail.com>

``` amap = generate_author_map("xz")

        test_author = amap.get_author_by_name("Jia Cheong Tan")

        self.assertEqual(
            test_author.names, {"Jia Cheong Tan", "Jia Tan", "jiat75"}

        )

        self.assertEqual(

            test_author.mail_addresses,

            {"jiat0218@gmail.com", "jiat75@gmail.com"}

        )

```

berdario2y ago

I tried to understand the significance of this (parent maybe implied that they reused a completely fictitious identity generated by some test code), and I think this is benign.

That project just includes some metadata about a bunch of sample projects, and it links directly to a mirror of the xz project itself:

https://github.com/se-sic/VaRA-Tool-Suite/blob/982bf9b9cbf64...

I assume it downloads the project, examines the git history, and the test then ensures that the correct author name and email addresses are recognized.

(that said, I haven't checked the rest of the project, so I don't know if the code from xz is then subsequently built, and or if this other project could use that in an unsafe manner)

pryce2y ago

berdario2y ago

Can you point to where you saw that racist joke?

I don't see anything at https://sourcegraph.com/search?q=context:global+author:jiat0...

1 more reply

Bulat_Ziganshin2y ago

i think it's American trauma. outside of the Western hemisphere, sexist and racist jokes are just jokes

AnarchismIsCool2y ago

Pretty sure this is just a typo...

KomoD2y ago

Interesting thing about this jiat75@gmail.com email is that it seems to not exist?

The google account: "Couldn't find your Google Account"

The email: "50 5.1.1 The email account that you tried to reach does not exist"

But then when you try to register it says it's taken.

Was it disabled?

bed992y ago

I'd say at this point all major tech companies, ISPs and authorities should have more enough information and disabling and freezing their accounts would be the first step.

Flame2y ago

This can happen if you delete your old gmail account. Source: I deleted a gmail account I shouldn't have years ago. It will say taken if it previously existed, and was deleted.

soraminazuki2y ago

Oh no, not libarchive! GitHub search shows 6 pull requests were merged back in 2021.

https://github.com/search?q=repo%3Alibarchive%2Flibarchive+j...

It does look innocent enough though. Let's hope there's no unicode trickery involved...

steelframe2y ago

Maybe not. They removed safe_fprintf() here and replaced it with the (unsafe) fprintf().

https://github.com/libarchive/libarchive/commit/e37efc16c866...

dchest2y ago

2 more replies

buildbot2y ago

If libarchive is also backdoored, would that allow specifically crafted http gzip encoded responses to do bad things?

2 more replies

billyhoffman2y ago

EDIT: Ahh, I was wrong and missed the addition of "strerror"

The PR is pretty devious.

JiaT75 claims is "Added the error text when printing out warning and errors in bsdtar when untaring. Previously, there were cryptic error messages" and cites this as fixing a previous issue.

https://github.com/libarchive/libarchive/pull/1609

However it doesn't actually do that!

3 more replies

davexunit2y ago

JiaT75 also has commits in wasmtime according to https://hachyderm.io/@joeyh/112180082372196735

mintplant2y ago

Just a documentation change, fortunately:

https://github.com/bytecodealliance/wasmtime/commits?author=...

They've submitted little documentation tweaks to other projects, too; for example:

https://learn.microsoft.com/en-us/cpp/overview/whats-new-cpp...

bombcar2y ago

Minor documentation change PRs is a well known tactic used to make your GitHub profile look better (especially to potential employers).

mysidia2y ago

pinko2y ago

per https://hachyderm.io/@bjorn3/112180226784517099, "The only contribution by them to Wasmtime is a doc change. No actual code or binary blobs have been changed by them."

metzmanj2y ago

>Woha, is this legit or some sort of scam on Google in some way?:

I work on OSS-Fuzz.

As far as I can tell, the author's PRs do not compromise OSS-Fuzz in any way.

OSS-Fuzz doesn't trust user code for this very reason.

packetlost2y ago

It looks more like they disabled a feature of oss-fuzz that would've caught the exploit, no?

metzmanj2y ago

That's what people are saying though I haven't had the chance to look into this myself.

Fuzzing isn't really the best tool for catching bugs the maintainer intentionally inserted though.

1 more reply

jnxx2y ago

Zetobal2y ago

That looks like a repo that would sound alarms if you look at it from a security standpoint.

formerly_proven2y ago

Well that account also did most of the releases since 5.4.0.

alwaysbeconsing2y ago

+1 Can see from project homepage http://web.archive.org/web/20240329165859/https://xz.tukaani... they have some release responsibility from 5.2.12.

> Versions 5.2.12, 5.4.3 and later have been signed with Jia Tan's OpenPGP key . The older releases have been signed with Lasse Collin's OpenPGP key .

It must be assume that before acquiring that privilege, they also contributed code to project. Probably most was to establish respectable record. Still could be malicious code going back someways.

0x02y ago

Looks like the Jia Tan OpenPGP key was replaced a few months ago as well: https://github.com/tukaani-project/tukaani-project.github.io...

j / k navigate · click thread line to collapse