transcript
Screenshot of github showing part of the commit message of this commit with this text:
Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094).
While the backdoor was inactive (and thus harmless) without inserting
a small trigger code into the build system when the source package was
created, it's good to remove this anyway:
- The executable payloads were embedded as binary blobs in
the test files. This was a blatant violation of the
Debian Free Software Guidelines.
- On machines that see lots bots poking at the SSH port, the backdoor
noticeably increased CPU load, resulting in degraded user experience
and thus overwhelmingly negative user feedback.
- The maintainer who added the backdoor has disappeared.
- Backdoors are bad for security.
This reverts the following without making any other changes:
The sentence “This was a blatant violation of the Debian Free Software Guidelines” is highlighted.
Below the github screenshot is a frame of the 1998 film The Big Lebowski with the meme caption “What, are you a fucking park ranger now?” from the scene where that line was spoken.
Seriously. If you are going to do it, write in assembly or something else no one understands.
Tbh jia tan really wasn’t lucky some mf at Microsoft noticed a 500ms delay in ssh. The backdoor was so incredibely clever and Well hidden and ingenious i almost feel bad for him lmao
A really good point I heard is: this was likely a state actor attack, so how many others just like this are out there, undiscovered?
Unpopular opinion: what if it was not a state actor and just some bored person somewhere that thought it would be cool to own a bot net?
What if this is just one of many backdoors and it’s just the only one we found?
It’s scary to think about… a lot of people are now thinking about how we can best isolate our build test process so it works as a test suite but doesn’t have any way to interact with the output or environment.
It’s just blows my mind to think of the levels of obfuscation this process used and how easy it would be to miss it.
Neither does the blob it downloaded. Would you think twice about AVX10 support if it was commented as AVX10 support in a compression library? Some might, but would they be the ones reviewing the code? A lot of programs that can take advantage of “handwritten” optimizations, like video decoders/encoders and compression, have assembly pathways so it will take advantage of the hardware when it is available but run when it isn’t. If the reviewers are not familiar with assembly enough something could be snuck in.
systemD is using dlopens for libraries now and I am not convinced malware couldn’t modify the core executable memory and stay resident even after the dl is unloaded. Difficult, yes, but not impossible.