lexi
@lexi

full report: https://www.openwall.com/lists/oss-security/2024/03/29/4

tl;dr: liblzma/xz has been compromised upstream. the github releases 5.6.0/5.6.1 (since feb 24) contain malicious code that significantly slows down sshd and runs code on pubkey login. a checker script is available; please check your distro's repository to see if you have those versions of xz, and if yes upgrade if a rollback is packaged or roll it back yourself.

here is how you can tell if you're running the affected version:


queerinmech
@queerinmech

it started on January 26, 2021

JiaT75 was hunting around multiple compression libraries including lz4 and libarchive to fork and contribute code to, with many attempts being rejected, but eventually some making it in

on October 18, 2022 they were finally given direct access to the "Tukaani" project which hosts xz's repositories

2 months later on December 12, 2022 the account Larhzu was created and added to the project the same day, becoming a co-admin of the project

Larhzu is also the username used by a previous maintainer of the xz project, who had been active with it since 2009* on its previous home on SourceForge, saying on a mailing list in 2022:

Recently I've worked off-list a bit with Jia Tan on XZ Utils and perhaps he will have a bigger role in the future, we'll see.

JiaT75 would also make many contributions to other projects, primarily focused on reducing security and hiding the exploit months in advance of its deployment, including changes to Google's Open Source fuzzing project that detects security issues and bugs

hansjans162 appeared on Github in May 2023 and began working on a new implementation based on something called IFUNC - which allows the same binary to run differently optimized code on different CPU microarchitectures - this would later provide part of the hook that the malicious code would use to load itself

all three were extremely polite to each other and other developers, JiaT75 in particular being verbose in an odd way that i do not often see, with most comments structured almost like a formal letter

hansjans162 disappeared off of Github after their code went in, but their name was used last week to push Debian to merge in the malicious package

Larhzu and JiaT75 were both active with the project until 4 days ago

some believe that Larhzu is innocent and is just taking an inopportune break from the internet

i do not expect we will see more from the JiaT75 moniker who is the clear malicious actor in all of this that certainly abused the trust of multiple people

i have seen people from multiple projects express feelings of betrayal as they worked with JiaT75 to help solve issues - issues which it turned out were due to the malicious payload

while the known malicious payload was only deployed a few weeks ago, a lot of changes were made to the code over the last year, and more research will need to be done in order to understand what all was truly affected

the hansjans162 account is the only one not suspended by Github, and they marked their profile private at one point while i was doing some follow up research, so they are active today, despite having only contributed the code for the IFUNC implementation several months ago

update 2024-03-30 00:00 UTC

hansjans162's account has also been suspended by Github within the last hour or so

update 2024-03-30 13:00 UTC

the official Tukaani website has been updated with a warning about the malicious packages in a post signed "Lasse Collin", where he also takes ownership of the Larhzu username on Github

Larhzu on Libera IRC (chat service used by many open source communities) is now active and responding to people about the incident as well

unfortunately due to the events of 2021 where Freenode was taken over by a hostile far-right corporation (the same one that owns the "Private Internet Access" VPN) there is no meaningful long-term tenure to tie to the Libera account - Larhzu was created 2 days after my own on 2021-05-21 UTC and during the same tumultuous week that Libera was founded

the jiatan Libera account however was also created on December 12th 2022, possibly to connect with Larhzu

all of the Tukaani repositories on Github have also been suspended for terms of service violations, but the org still exists and the repository links are visible

update 2023-04-02 04:00 UTC

Lasse Collin's GitHub account Larhzu has been reinstated but the Tukaani org remains locked, hansjans162 and JiaT75 remain suspended


additional notes

* i have seen posts by someone with that username from 2010 on SourceForge and i got the 2009 date from a thread on Github, the actual date is not super important in this case

it seems like Lasse was dealing with mental health problems and was hoping that JiaT75 was going to take up the mantle of maintaining the project, and his trust was betrayed

when i started this it seemed obvious that all 3 were in on it from the beginning, i went through all of their profile and code, but i made an error when i copied the account creation dates into my notes and the same date got copied twice which provided (invalid) circumstantial evidence that they were actively collaborating, but now i can only say with confidence that the JiaT75 account was acting intentionally and maliciously to craft a complex and highly indirect attack

i have found a couple other people with their own writeups on the incident:

this post has been updated several times as i learn more, if you have any insights, please share them!



in reply to @lexi's post:

stupid q: how do you check which version of liblzma/xz you have on your OS? sshd -v gives me

OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2

but i have no clue how that translates to the lib in question

Alright, so after doing my diligence, I tried to execute the detect.sh included with the report, but it throws an error, "ldd: missing file arguments", about which I'm not sure what to do. However, my xz version numbers seem to be far lower (5.2.5) than the problem range, so is it worth being confident I'm safe here?
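As an added example (not the report's detect.sh and not code from the xz/Tukaani project), here is a small POSIX shell check for the two compromised upstream releases named in the post, 5.6.0 and 5.6.1, applied to both the xz binary and the liblzma that sshd actually links. It also shows why a bare `ldd $(which sshd)` fails with "ldd: missing file arguments" for a normal user: sshd lives in /usr/sbin, which is usually not on that user's PATH, so the script looks there explicitly (the sshd locations are assumed).

```shell
#!/bin/sh
# Added example (not the report's detect.sh, not xz/Tukaani project code):
# flag the compromised upstream releases 5.6.0 / 5.6.1 in the local xz
# binary and in the liblzma that sshd is dynamically linked against.
# The sshd lookup also covers sbin directories that are typically missing
# from a user's PATH (assumed locations), which is what makes
# `ldd $(which sshd)` fail with "ldd: missing file arguments".

# Return 0 (true) when the given x.y.z version is one of the known-bad releases.
xz_version_is_bad() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first x.y.z version found in a string, e.g. "xz (XZ Utils) 5.6.1"
# or a resolved library path such as /usr/lib/liblzma.so.5.6.1.
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# Locate sshd even when sbin directories are not on PATH (assumed locations).
find_sshd() {
    for p in "$(command -v sshd 2>/dev/null)" /usr/sbin/sshd /usr/local/sbin/sshd; do
        if [ -n "$p" ] && [ -x "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Print a verdict for one component; return 0 only when a bad version was found.
report() {  # $1 = label, $2 = version string ("" if unknown)
    if [ -z "$2" ]; then echo "$1: version unknown"; return 1; fi
    if xz_version_is_bad "$2"; then echo "$1: $2 COMPROMISED"; return 0; fi
    echo "$1: $2 not in the known-bad range"; return 1
}

main() {
    bad=1
    report "xz binary" "$(extract_version "$(xz --version 2>/dev/null | head -n 1)")" && bad=0
    if sshd_path=$(find_sshd); then
        lib=$(ldd "$sshd_path" 2>/dev/null | awk '/liblzma/ { print $3; exit }')
        real=$( [ -n "$lib" ] && { readlink -f "$lib" 2>/dev/null || printf '%s\n' "$lib"; } )
        report "liblzma linked into $sshd_path" "$(extract_version "$real")" && bad=0
    else
        echo "sshd: not found in PATH, /usr/sbin or /usr/local/sbin"
    fi
    return $bad
}

main "$@"
```

The script exits 0 only when a known-bad version was found, so it can be dropped into a fleet-wide check; a version such as 5.2.5 is reported as outside the known-bad range.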

in reply to @queerinmech's post:

i have a pile more info on it, but i wanted to keep it relatively streamlined

having worked with both ex military and people from many different cultures, i could see it going either way

their commits are signed in UTC+8, but their commit schedule may follow US holidays