From: Christian Weisgerber <naddy@mips.inka.de>
Subject: Re: archivers/xz: update to 5.6.1
To: ports@openbsd.org
Date: Fri, 29 Mar 2024 22:55:26 +0100

Christian Weisgerber:

> > It sounds like a backdoor made it into the upstream repository:
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
> Yes, I just learned.  I am investigating.

The xz 5.6.1 update hasn't been committed yet, so this mostly
concerns only me anyway.

* A malicious m4/build-to-host.m4 has been inserted and its code
  is used in the generated configure script.

* This extracts and executes a shell script from
  tests/files/bad-3-corrupt_lzma2.xz.
  That script aborts if $(uname) is not Linux.  <=== IT ENDS HERE.
  If the script continued, it would fail because it uses "head -c"
  and "tail -c" which are a nonstandard extension that the corresponding
  OpenBSD commands don't support.

* The script extracts the next stage shell script from
  tests/files/good-large_compressed.lzma.
  This stage aborts again early when $(uname) is not Linux.
  It then proceeds to manipulate the build in some way I won't waste
  my time to figure out.

In short, it's a supply chain attack on Linux that doesn't concern
OpenBSD.


PS:
If anybody wants to compare build-to-host.m4, here's the GNU upstream:
https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host.m4;h=f928e9ab403b3633e3d1d974abcf478e65d4b0aa;hb=HEAD

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de