In days of yore (Fri, 05 Apr 2024), Daniel Leidert thus quoth: 
> Am Freitag, dem 29.03.2024 um 23:20 +0100 schrieb Moritz Mühlenhoff:
> > Russ Allbery <r...@debian.org> wrote:
> > > I think this question can only be answered with reverse-engineering of the
> > > backdoors, and I personally don't have the skills to do that.
> > 
> > In the pre-disclosure discussion permission was asked to share the payload
> > with a company specialising in such reverse engineering. If that went
> > through, I'd expect results to be publicly available in the next days.
> 
> If there is a final result, can we as a project share the results on a
> prominent place? Or at least under d-devel-announce and/or
> d-security-announce? I was also wondering about what could have been
> compromised, what data might have been stolen, etc. And there are so many
> sources to follow right now. So sharing the final results would be great.

If you have followed the discussion on Openwall ML, there have been a
couple of posts that point at both a general overview of what the code
did, an analysis of how the data was hidden in the 'corrupt' xz archive
under testing and some analysis of the actual .o which suggested this was
not just a backdoor but a remote-code-execution portal almost.

It has been interesting reading for sure, and the way they hid it, it does
really not look like your average script-kiddie doing this. I have my own
private suspicions about potential culprits being behind this but I figure
it is wiser to keep that under my hat as it were.

By the looks of things, both here and elsewhere, this was caught just in
the nick of time, meaning it did not make it out into the wild (at least
true for Debian and Fedora) so nothing was compromised. It is eerie, the
parallels to Clifford Stoll and The Cuckoo's Egg though. I second the
request for sharing "final results" but I recognise that it may be weeks
still before that may happen.

-- 
Kind regards,

/S