XZ without seatbelts ?
After the discovery of the xz backdoor by Andres Freund (https://www.openwall.com/lists/oss-security/2024/03/29/4), we, the cyberstorm.mu team, were very concerned. We started looking at xz-utils closer.
The primary maintainer of xz-utils, Lasse Collin, started auditing commits made by "Jia Tan", after CVE-2024-3094 was published. I saw some accusations against Lasse Collin and I think that he doesn't deserve such criticism. In fact, github should restore his github account immediately ! He is doing the right thing.
Lasse noticed something that caught my attention as I had worked on xz-utils sandboxing code long-time ago.
commit f9cf4c05edd14dedfe63833f8ccbe41b55823b00 (HEAD -> master, origin/master, origin/HEAD)
Author: Lasse Collin <lasse.collin@tukaani.org>
Date: Sat Mar 30 14:36:28 2024 +0200
CMake: Fix sabotaged Landlock sandbox check.
It never enabled it.
This immediately caught my attention. I wanted to know when the Linux sandboxing code had been disabled. Lasse commit deleted a single line:
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 1f019167..0e4d464f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1001,7 +1001,7 @@ if(NOT SANDBOX_FOUND AND ENABLE_SANDBOX MATCHES "^ON$|^landlock$")
#include <linux/landlock.h>
#include <sys/syscall.h>
#include <sys/prctl.h>
-.
+
void my_sandbox(void)
{
(void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
I got intrigued by this and wanted to know when this happened. Using git blame, it was fairly easy to know when:
328c52da8 (Jia Tan 2024-02-26 23:02:06 +0800 1004) .
It was added by "Jia Tan" on the 26th of February 2024. Here is the commit message:
commit 328c52da8a2bbb81307644efdb58db2c422d9ba7
Author: Jia Tan <jiat0218@gmail.com>
Date: Mon Feb 26 23:02:06 2024 +0800
Build: Fix Linux Landlock feature test in Autotools and CMake builds.
The previous Linux Landlock feature test assumed that having the
linux/landlock.h header file was enough. The new feature tests also
requires that prctl() and the required Landlock system calls are
supported.
As part of his "Fix", "Jia Tan" sabotaged the sandbox code on Linux. Why was this done ?
Did this code make it into a release ? Yes, it's part of the backdoor release of xz 5.6.1:
# Sandboxing: Landlock
if(NOT SANDBOX_FOUND AND ENABLE_SANDBOX MATCHES "^ON$|^landlock$")
# A compile check is done here because some systems have
# linux/landlock.h, but do not have the syscalls defined
# in order to actually use Linux Landlock.
check_c_source_compiles("
#include <linux/landlock.h>
#include <sys/syscall.h>
#include <sys/prctl.h>
.
Here are some speculations: There might be 0-day vulnerabilities in xz that are protected against by the sandbox code. I think it's good to run xz in some kind of sandbox, especially for decompression.
It's clear that this was done by highly experienced crackers. I remember PHK's video about "Operation Orchestra" BOYS programme.
https://www.youtube.com/watch?v=fwcl17Q0bpk&t=1385s
//Logan
(logan@Cyberstorm.mu team -- https://twitter.com/loganaden_42)