cstross,
@cstross@wandering.shop

I got about halfway through skim-reading this before my eyes glazed over and my prefrontal lobe crashed to displaying a scrolling marquee saying THEY HAVE PLAYED US FOR ABSOLUTE FOOLS
https://hachyderm.io/@rsc/112200603337903320

jwildeboer,
@jwildeboer@social.wildeboer.net

@cstross I have read the whole thing and understood most of it. It's a really interesting pile of obfuscation that is, however, not that relevant once we know what we are looking for. Reverse engineering the binary blob that got added this way is the more interesting part, IMHO :) And that work is being done and commented on in several places as we speak. "Analysis of the payload" at https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

Steveg58,
@Steveg58@aus.social

@cstross
As someone else pointed out, this is an exploit of the GNU autoconf suite, not an exploit of xz.

cstross,
@cstross@wandering.shop

@Steveg58 Yes, this is simply how they smuggle the payload into the xz binary at build time without being noticed.

It's just that autoconf predates POSIX, never mind LSB, and I can't help thinking a lot of what it does is thoroughly obsolescent cruft that provides camouflage for this kind of fuckery rather than doing anything anyone needs any more.

Di4na,
@Di4na@hachyderm.io

@cstross tbf this is quite expected even of legitimate use of autoconf in any reasonably sized C project. Sadly

cstross,
@cstross@wandering.shop

@Di4na It was careless meddling with a Beyond version of GNU autoconf that unleashed The Blight in "A Fire Upon The Deep", wasn't it.

Di4na,
@Di4na@hachyderm.io

@cstross I mean. We are still paying the price of letting C escape out of containment
