A backdoor was discovered in the xz code of versions 5.6.0 and 5.6.1

Debian developer and security researcher Andres Freund reports the discovery of a possible backdoor in the source code of xz versions 5.6.0 and 5.6.1.

The backdoor is a line in one of the m4 scripts, which appends obfuscated malicious code to the end of the configure script. That code then modifies one of the project's generated Makefiles, which ultimately results in malicious code (disguised as the test archive bad-3-corrupt_lzma2.xz) being linked into the liblzma binary.

The peculiarity of the incident is that the malicious code is contained only in the distributed source code tarballs and is not present in the project's git repository.

It is reported that the person under whose name the malicious code was added to the project's repository either was directly involved in what happened or was the victim of a serious compromise of their personal accounts (the researcher leans toward the first option, since this person personally took part in several discussions related to the malicious changes).

In the linked report, the researcher notes that the ultimate goal of the backdoor appears to be to inject code into the sshd process and replace the RSA key verification code, and gives several ways to indirectly check whether the malicious code is currently running on your system.
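The report's own indirect checks are not reproduced here. The following added script (not from the article or the xz project) performs the simplest defender-side check the article supports: it reads the version banner of the xz binary on PATH and flags the two affected releases named above, 5.6.0 and 5.6.1. The banner format assumed ("xz (XZ Utils) 5.6.1") and the helper names are this example's assumptions; a version match is an indicator to act on, not proof that the backdoor ran.

```shell
#!/bin/sh
# Added example, not code from the linux.org.ru article or from xz itself.
# Flags a locally installed xz whose version is one of the two affected
# releases (5.6.0, 5.6.1). A match is an indicator only; per the report the
# backdoor ships in release tarballs, so packages built from those tarballs
# are the case to look for.

# Extract the version number from the first line of `xz --version` output.
# Assumed banner format: "xz (XZ Utils) 5.6.1" -> "5.6.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Print "affected" for the two backdoored releases, "not-affected" otherwise.
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.1) echo affected ;;
        *)           echo not-affected ;;
    esac
}

# Check the xz binary on PATH, if there is one, and report its status.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found on PATH"
        return 0
    fi
    banner=$(xz --version 2>/dev/null | head -n 1)
    ver=$(xz_version_from_banner "$banner")
    echo "xz $ver: $(xz_is_affected "$ver")"
}

check_local_xz
```

On a machine where the check reports "affected", the openSUSE guidance quoted below applies: treat the host as compromised rather than trying to prove the backdoor fired.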

According to a news article from the openSUSE project, because of the complexity of the backdoor code and its presumed mechanism of operation, it is difficult to determine whether it "worked" even once on a given machine; the article recommends a complete reinstallation of the OS, with rotation of all relevant keys, on every machine that has ever had one of the affected xz versions installed.

Source: linux.org.ru