this post was submitted on 11 Apr 2024
486 points (96.0% liked)

Programmer Humor

32365 readers
515 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
 

transcriptScreenshot of github showing part of the commit message of this commit with this text:

Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094).

While the backdoor was inactive (and thus harmless) without inserting
a small trigger code into the build system when the source package was
created, it's good to remove this anyway:

  - The executable payloads were embedded as binary blobs in
    the test files. This was a blatant violation of the
    Debian Free Software Guidelines.

  - On machines that see lots bots poking at the SSH port, the backdoor
    noticeably increased CPU load, resulting in degraded user experience
    and thus overwhelmingly negative user feedback.

  - The maintainer who added the backdoor has disappeared.

  - Backdoors are bad for security.

This reverts the following without making any other changes:

The sentence "This was a blatant violation of the Debian Free Software Guidelines" is highlighted.

Below the github screenshot is a frame of the 1998 film The Big Lebowski with the meme caption "What, are you a fucking park ranger now?" from the scene where that line was spoken.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 64 points 6 months ago* (last edited 6 months ago) (2 children)

I heard that person actively contributed for something like 2 years, providing actually useful contributions, to gain the level of trust needed to plant that backdoor. Feels a bit too much to chalk it up to boredom.

As for the second part, that's an interesting question. Are there lots of backdoors and we just happened to notice this one, or are backdoors very rare exactly because we'd have found them out soon like in this case?

[–] [email protected] 18 points 6 months ago* (last edited 6 months ago) (1 children)

You'd be surprised what I manage with motivation and boredom.
You'd be surprised what a highly skilled ~~scalled~~ person can manage to achieve.

Boredom, Skills and Motivation are dangerous things to have if improperly handled.

[–] [email protected] 7 points 6 months ago

highly scalled person

You might be on to something, it might have been the lizzard people!

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago)

Another speculation from the suse team was a private company with intent to sell the exploit to state ~~across~~ actors

I think there's lots of known backdoors that are not publicly disclosed and privately sold.

But given the history of cves in inclined to believe most come from well intentioned developers. When you read the blogs from the Google security team for example, it's interesting to see how you need to chain a couple exploits at least, to get a proper attack going. Not in this case, it would make it very straightforward to accomplish very intrusive actions.