undefined | Better HN

0 pointsb1122y ago0 comments

Yikes indeed. This fix is being rolled out very fast, but what about the entire rest of the codebase? And scripts? I mean, years of access? I'd trust no aspect of this code until a full audit is done, at least of every patch this author contributed.

(note: not referring to fedora here, a current fix is required. But just generally. As in, everyone is rolling out this fix, but... I mean, this codebase is poison in my eyes without a solid audit)

0 comments

22 comments · 2 top-level

b112OP2y ago· 18 in thread

This seems to be the account, correct me if wrong (linked from the security email commit link):

https://github.com/JiaT75

I hope authors of all these projects have been alerted.

STest - Unit testing framework for C/C++. Easy to use by simply dropping stest.c and stest.h into your project!

libarchive/libarchive - Multi-format archive and compression library

Seatest - Simple C based Unit Testing

Everything this account has done should be investigated.

Woha, is this legit or some sort of scam on Google in some way?:

https://github.com/google/oss-fuzz/pull/11587

edit: I have to be missing something, or I'm confused. The above author seems to be primary contact for xz? Have they just taken over?? Or did the bad commit come from another source, and a legit person applied it?

A bit confused here.

tux32y ago

The concern about other projects is fine, but let's be careful with attacks directed at the person.

Maybe their account is compromised, maybe the username borrows the identity of an innocent person with the same name.

Focus on the code, not people. No point forming a mob.

(e: post above was edited and is no longer directed at the person. thanks for the edit.)

simiones2y ago

It's important to focus on people, not just code, when suspecting an adversary. Now, I have no idea if this is the right account, and if it has recently been compromised/sold/lost, or if it has always been under the ownership of the person who committed the backdoor. But IF this is indeed the right account, then it's important to block any further commit from it to any project, no matter how innocuous it seems, and to review thoroughly any past commit. For the most security-conscious projects, it would be a good idea to even consider reverting and re-implementing any work coming from this account if it's not fully understood.

An account that has introduced a backdoor is not the same thing as an account who committed a bug.

1 more reply

kevin_b_er2y ago

They appear to have moved carefully to set this up over the course of weeks by setting up the framework to perform this attack.

I would now presume this person to be a hostile actor and their contributions anywhere and everywhere must be audited. I would not wait for them to cry 'but my bother did it', because an actual malicious actor would say the same thing. The 'mob' should be pouring over everything they've touched.

Audit now and audit aggressively.

2 more replies

mort962y ago

If the owner of the account is innocent and their account was compromised, it's on them to come out and say that. All signs currently point to the person being a malicious actor, so I'll proceed on that assumption.

1 more reply

ikmckenz2y ago

> The above author seems to be primary contact for xz?

They made themselves the primary contact for xz for Google oss-fuzz about one year ago: https://github.com/google/oss-fuzz/commit/6403e93344476972e9...

bed992y ago

A SourceGraph search like this shows https://sourcegraph.com/search?q=context:global+JiaT75&patte...

- Jia Tan <jiat75@gmail.com>

- jiat75 <jiat0218@gmail.com>

``` amap = generate_author_map("xz")

        test_author = amap.get_author_by_name("Jia Cheong Tan")

        self.assertEqual(
            test_author.names, {"Jia Cheong Tan", "Jia Tan", "jiat75"}

        )

        self.assertEqual(

            test_author.mail_addresses,

            {"jiat0218@gmail.com", "jiat75@gmail.com"}

        )

```

berdario2y ago

I tried to understand the significance of this (parent maybe implied that they reused a completely fictitious identity generated by some test code), and I think this is benign.

That project just includes some metadata about a bunch of sample projects, and it links directly to a mirror of the xz project itself:

https://github.com/se-sic/VaRA-Tool-Suite/blob/982bf9b9cbf64...

I assume it downloads the project, examines the git history, and the test then ensures that the correct author name and email addresses are recognized.

(that said, I haven't checked the rest of the project, so I don't know if the code from xz is then subsequently built, and or if this other project could use that in an unsafe manner)

pryce2y ago

additionally, even though the commit messages they've made are mostly plain, there may be features of their commit messages that could provide leads, such as his using what looks like a very obscure racist joke of referring to a gitignore file as a 'gitnigore'. There's barely a handful of people on the whole planet making this 'joke'.

3 more replies

KomoD2y ago

Interesting thing about this jiat75@gmail.com email is that it seems to not exist?

The google account: "Couldn't find your Google Account"

The email: "50 5.1.1 The email account that you tried to reach does not exist"

But then when you try to register it says it's taken.

Was it disabled?

2 more replies

soraminazuki2y ago

Oh no, not libarchive! GitHub search shows 6 pull requests were merged back in 2021.

https://github.com/search?q=repo%3Alibarchive%2Flibarchive+j...

It does look innocent enough though. Let's hope there's no unicode trickery involved...

steelframe2y ago

Maybe not. They removed safe_fprintf() here and replaced it with the (unsafe) fprintf().

https://github.com/libarchive/libarchive/commit/e37efc16c866...

3 more replies

davexunit2y ago

JiaT75 also has commits in wasmtime according to https://hachyderm.io/@joeyh/112180082372196735

mintplant2y ago

Just a documentation change, fortunately:

https://github.com/bytecodealliance/wasmtime/commits?author=...

They've submitted little documentation tweaks to other projects, too; for example:

https://learn.microsoft.com/en-us/cpp/overview/whats-new-cpp...

I don't know whether this is a formerly-legitimate open source contributor who went rogue, or a deep-cover persona spreading innocuous-looking documentation changes around to other projects as a smokescreen.

2 more replies

pinko2y ago

per https://hachyderm.io/@bjorn3/112180226784517099, "The only contribution by them to Wasmtime is a doc change. No actual code or binary blobs have been changed by them."

metzmanj2y ago

>Woha, is this legit or some sort of scam on Google in some way?:

I work on OSS-Fuzz.

As far as I can tell, the author's PRs do not compromise OSS-Fuzz in any way.

OSS-Fuzz doesn't trust user code for this very reason.

packetlost2y ago

It looks more like they disabled a feature of oss-fuzz that would've caught the exploit, no?

1 more reply

jnxx2y ago

There is also a variety of new, parallelized implementations of compression algorithms which would be good to have a close look at. Bugs causing undefined behaviour in parallel code are notoriously hard to see, and the parallel versions (which are actually much faster) could be take the place of well-established programs which have earned a lot of trust.

Zetobal2y ago

That looks like a repo that would sound alarms if you look at it from a security standpoint.

formerly_proven2y ago· 2 in thread

Well that account also did most of the releases since 5.4.0.

alwaysbeconsing2y ago

+1 Can see from project homepage http://web.archive.org/web/20240329165859/https://xz.tukaani... they have some release responsibility from 5.2.12.

> Versions 5.2.12, 5.4.3 and later have been signed with Jia Tan's OpenPGP key . The older releases have been signed with Lasse Collin's OpenPGP key .

It must be assume that before acquiring that privilege, they also contributed code to project. Probably most was to establish respectable record. Still could be malicious code going back someways.

0x02y ago

Looks like the Jia Tan OpenPGP key was replaced a few months ago as well: https://github.com/tukaani-project/tukaani-project.github.io...

j / k navigate · click thread line to collapse

0 comments

22 comments · 2 top-level

b112OP2y ago· 18 in thread

This seems to be the account, correct me if wrong (linked from the security email commit link):

https://github.com/JiaT75

I hope authors of all these projects have been alerted.

STest - Unit testing framework for C/C++. Easy to use by simply dropping stest.c and stest.h into your project!

libarchive/libarchive - Multi-format archive and compression library

Seatest - Simple C based Unit Testing

Everything this account has done should be investigated.

Woha, is this legit or some sort of scam on Google in some way?:

https://github.com/google/oss-fuzz/pull/11587

A bit confused here.

tux32y ago

The concern about other projects is fine, but let's be careful with attacks directed at the person.

Maybe their account is compromised, maybe the username borrows the identity of an innocent person with the same name.

Focus on the code, not people. No point forming a mob.

(e: post above was edited and is no longer directed at the person. thanks for the edit.)

simiones2y ago

An account that has introduced a backdoor is not the same thing as an account who committed a bug.

1 more reply

kevin_b_er2y ago

They appear to have moved carefully to set this up over the course of weeks by setting up the framework to perform this attack.

Audit now and audit aggressively.

2 more replies

mort962y ago

1 more reply

ikmckenz2y ago

> The above author seems to be primary contact for xz?

They made themselves the primary contact for xz for Google oss-fuzz about one year ago: https://github.com/google/oss-fuzz/commit/6403e93344476972e9...

bed992y ago

A SourceGraph search like this shows https://sourcegraph.com/search?q=context:global+JiaT75&patte...

- Jia Tan <jiat75@gmail.com>

- jiat75 <jiat0218@gmail.com>

``` amap = generate_author_map("xz")

        test_author = amap.get_author_by_name("Jia Cheong Tan")

        self.assertEqual(
            test_author.names, {"Jia Cheong Tan", "Jia Tan", "jiat75"}

        )

        self.assertEqual(

            test_author.mail_addresses,

            {"jiat0218@gmail.com", "jiat75@gmail.com"}

        )

```

berdario2y ago

I tried to understand the significance of this (parent maybe implied that they reused a completely fictitious identity generated by some test code), and I think this is benign.

That project just includes some metadata about a bunch of sample projects, and it links directly to a mirror of the xz project itself:

https://github.com/se-sic/VaRA-Tool-Suite/blob/982bf9b9cbf64...

I assume it downloads the project, examines the git history, and the test then ensures that the correct author name and email addresses are recognized.

(that said, I haven't checked the rest of the project, so I don't know if the code from xz is then subsequently built, and or if this other project could use that in an unsafe manner)

pryce2y ago

3 more replies

KomoD2y ago

Interesting thing about this jiat75@gmail.com email is that it seems to not exist?

The google account: "Couldn't find your Google Account"

The email: "50 5.1.1 The email account that you tried to reach does not exist"

But then when you try to register it says it's taken.

Was it disabled?

2 more replies

soraminazuki2y ago

Oh no, not libarchive! GitHub search shows 6 pull requests were merged back in 2021.

https://github.com/search?q=repo%3Alibarchive%2Flibarchive+j...

It does look innocent enough though. Let's hope there's no unicode trickery involved...

steelframe2y ago

Maybe not. They removed safe_fprintf() here and replaced it with the (unsafe) fprintf().

https://github.com/libarchive/libarchive/commit/e37efc16c866...

3 more replies

davexunit2y ago

JiaT75 also has commits in wasmtime according to https://hachyderm.io/@joeyh/112180082372196735

mintplant2y ago

Just a documentation change, fortunately:

https://github.com/bytecodealliance/wasmtime/commits?author=...

They've submitted little documentation tweaks to other projects, too; for example:

https://learn.microsoft.com/en-us/cpp/overview/whats-new-cpp...

2 more replies

pinko2y ago

per https://hachyderm.io/@bjorn3/112180226784517099, "The only contribution by them to Wasmtime is a doc change. No actual code or binary blobs have been changed by them."

metzmanj2y ago

>Woha, is this legit or some sort of scam on Google in some way?:

I work on OSS-Fuzz.

As far as I can tell, the author's PRs do not compromise OSS-Fuzz in any way.

OSS-Fuzz doesn't trust user code for this very reason.

packetlost2y ago

It looks more like they disabled a feature of oss-fuzz that would've caught the exploit, no?

1 more reply

jnxx2y ago

Zetobal2y ago

That looks like a repo that would sound alarms if you look at it from a security standpoint.

formerly_proven2y ago· 2 in thread

Well that account also did most of the releases since 5.4.0.

alwaysbeconsing2y ago

+1 Can see from project homepage http://web.archive.org/web/20240329165859/https://xz.tukaani... they have some release responsibility from 5.2.12.

> Versions 5.2.12, 5.4.3 and later have been signed with Jia Tan's OpenPGP key . The older releases have been signed with Lasse Collin's OpenPGP key .

It must be assume that before acquiring that privilege, they also contributed code to project. Probably most was to establish respectable record. Still could be malicious code going back someways.

0x02y ago

Looks like the Jia Tan OpenPGP key was replaced a few months ago as well: https://github.com/tukaani-project/tukaani-project.github.io...

j / k navigate · click thread line to collapse