GitHub User Involved in xz backdoor may have attempted to change to clang in order to help hide the exploit [42410066]

Fixed

Bug

Status Update

No update yet.

Description

ts...@redhat.com

created issue #1

Mar 29, 2024 10:52PM

For more information about the xz backdoor see:

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

https://www.openwall.com/lists/oss-security/2024/03/29/4

GitHub user JiaT75 who was responsible (or had their credentials compromised) for committing malicious code to the xz repository. Filed an issue[1] in July of 2023 asking that a warning for certain code containing ifuncs to be removed. The backdoor for xz relied on ifuncs, so it's possible this was an attempt to mask the backdoor for users building xz with clang.

We should review our codebase to ensure that this user has not made any commits or other contributions to the project.

[1]

https://github.com/llvm/llvm-project/issues/63957

Comments

ts...@redhat.com <ts...@redhat.com> #2Mar 29, 2024 11:24PM

Red

kr...@arm.com <kr...@arm.com> #3Apr 5, 2024 08:03AM

Thank you for reporting this here, Tom.
It seems to me that this does not need to be coordinated in private?
If so, I think it would be best to close this ticket and instead coordinate the work that might still be needed in public in our regular channels such as the regular issue tracker, Discourse, etc.
Do you think so too?

ts...@redhat.com <ts...@redhat.com> #4Apr 5, 2024 12:58PM

OK that's fine with me.

kr...@arm.com <kr...@arm.com> #5Apr 5, 2024 01:14PM

[Empty comment from Monorail migration]

ts...@redhat.com <ts...@redhat.com> #6Apr 8, 2024 06:48PM

Using the script from

https://github.com/llvm/llvm-admin/pull/10, which looks at issues, pull requests, and commits, this is the user's activity in the last year with the LLVM org:

Created Issues:

https://github.com/llvm/llvm-project/issues/63957
Issue Comments:

https://github.com/llvm/llvm-project/issues/67779#issuecomment-1740960310
Created Pull Requests:
None
Commits:
None

kr...@arm.com <kr...@arm.com> #7May 22, 2024 12:06PM

The last comment indicates that Tom did review the codebase appropriately to ensure that this user has not made any commits or other contributions to the project.
Tom, could you confirm that?
If so, we can close this ticket.

kr...@arm.com <kr...@arm.com> #8Jun 21, 2024 07:05AM

Marked as fixed, reassigned to kr...@arm.com.

Tom has confirmed in private communication that he also thinks this ticket can be closed.

is...@google.com <is...@google.com> #9Jun 21, 2024 07:05AM

This issue was migrated from

crbug.com/llvm/71?no_tracker_redirect=1

[Auto-CCs applied]

Issue 42410066

Description

Issue summary

Comments

ts...@redhat.com <ts...@redhat.com> #2Mar 29, 2024 11:24PM

kr...@arm.com <kr...@arm.com> #3Apr 5, 2024 08:03AM

ts...@redhat.com <ts...@redhat.com> #4Apr 5, 2024 12:58PM

kr...@arm.com <kr...@arm.com> #5Apr 5, 2024 01:14PM

ts...@redhat.com <ts...@redhat.com> #6Apr 8, 2024 06:48PM

kr...@arm.com <kr...@arm.com> #7May 22, 2024 12:06PM

kr...@arm.com <kr...@arm.com> #8Jun 21, 2024 07:05AM

is...@google.com <is...@google.com> #9Jun 21, 2024 07:05AM

Add comment

Issue metadata