Backdoor in upstream xz/liblzma leading to SSH server compromise

Andres Freund detected odd symptoms around liblzma in Debian sid installations, leading to the discovery that the upstream xz repository and release tarballs were backdoored. The injected code modifies the build process and affects OpenSSH servers, causing noticeable slowdowns in logins. The backdoor targets x86-64 Linux systems built against glibc and relies on obfuscated code, dynamic linker manipulation, and symbol table parsing. The impact on sshd includes unauthorized access or remote code execution. Upgrades are recommended, and CVE-2024-3094 was assigned. Whether a system is affected can be checked with Vegard Nossum’s script. The issue was reported to CISA and to the affected distributions.
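As an added illustration of the kind of check the advisory points to, the shell script below is not Vegard Nossum’s script and not part of the original report; it only tests the precondition the summary describes, namely that the installed sshd links liblzma at all, and reports which liblzma library and version are present so an administrator can compare them against their distribution’s advisory. The sshd locations and the sample ldd output are assumptions made for the example; `ldd` and `xz` are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not Vegard Nossum's script, not from the advisory): does the
# installed sshd pull in liblzma, and which liblzma build is on this host?
# Assumed sshd install paths and assumed ldd output format (glibc's ldd).

# liblzma_from_ldd: read `ldd` output on stdin. Print the resolved path of
# liblzma (or "unresolved" when ldd reports it missing) and return 0 when
# sshd links liblzma at all; return 1 when no liblzma line is present.
liblzma_from_ldd() {
    awk '/liblzma\.so/ {
             path = "unresolved"
             for (i = 1; i <= NF; i++) if ($i ~ /^\//) path = $i
             print path
             found = 1
         }
         END { exit found ? 0 : 1 }'
}

# sshd_path: locate the sshd binary in the usual distro locations (assumed).
sshd_path() {
    for p in /usr/sbin/sshd /usr/bin/sshd /sbin/sshd; do
        if [ -x "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    command -v sshd 2>/dev/null
}

# report_sshd_liblzma: run the check against the running host.
# Exit status: 0 = sshd links liblzma, 1 = it does not, 2 = no sshd found.
report_sshd_liblzma() {
    sshd="$(sshd_path)" || { echo "sshd not found on this host"; return 2; }
    if lib="$(ldd "$sshd" 2>/dev/null | liblzma_from_ldd)"; then
        echo "sshd ($sshd) links liblzma: $lib"
        # `xz --version` prints both the xz and the bundled liblzma version;
        # compare this against the versions named in your distro's advisory.
        xz --version 2>/dev/null | grep -i '^liblzma' \
            || echo "xz not installed; liblzma version unknown"
        return 0
    fi
    echo "sshd ($sshd) does not link liblzma"
    return 1
}

# Run the host check when executed as a script. On a host without sshd this
# simply reports that fact and returns 2.
report_sshd_liblzma
```

The check deliberately stops at "is liblzma reachable from sshd": a system whose sshd does not load liblzma is outside the path the summary describes, while one that does needs its liblzma version compared with the distribution advisory and, if in doubt, upgraded.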

https://seclists.org/oss-sec/2024/q1/268
