Looking back at the tactics used to push the backdoor into the xz package

The backdoor in the xz package is presumed to have been implemented by developer Jia Tan, who received maintainer status in 2022 and has been producing the releases since version 5.4.2. Besides the xz project, the alleged author of the backdoor also took part in developing the xz-java and xz-embedded packages and was listed among the maintainers of the XZ Embedded project, which is used in the Linux kernel.

Two more participants, Jigar Kumar and Hans Jansen, who are apparently fictitious identities, were also involved in pushing the backdoor. In April 2022 Jigar Kumar lobbied for the acceptance of early Jia Tan patches adding string-filter support to xz and put moral pressure on Lasse Collin, the maintainer at the time, complaining that he was failing in his duties and not accepting useful patches. In June, Lasse Collin agreed that the project needed a new maintainer, cited burnout and mental health problems, and handed maintainership over to Jia Tan. After that, the user Jigar Kumar never appeared on the mailing list again.


After receiving maintainer rights, Jia Tan began actively committing changes to the project and, according to the statistics, over two years ranked second among developers by number of changes. In March 2023 the contact responsible for xz testing in the oss-fuzz service was changed from Lasse Collin to Jia Tan, and in June xz accepted a change adding IFUNC support to liblzma (the crc64_fast constructor was replaced by an ifunc resolver), a mechanism the backdoor later used to intercept functions. The change was proposed by Hans Jansen and merged into xz by Jia Tan. The Hans Jansen account had been created immediately before the pull request was submitted.
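The IFUNC mechanism mentioned above is worth seeing in miniature. The following C program is an added illustration, not code from xz or liblzma: it defines a symbol `checksum` whose implementation is chosen by a resolver function that the dynamic loader runs while relocating the binary, before `main()`. The two implementations, the resolver and the helper names (`resolve_checksum`, `checksum_resolver_calls`, `checksum_chosen_impl`) are all constructed for this example; the fallback branch simply dispatches on first call on toolchains that lack IFUNC support. The point for a reviewer is that a resolver runs without any call from the program and decides what a public symbol binds to, which is why a change from a plain constructor to an ifunc resolver in a library such as liblzma deserves scrutiny in review.

```c
/* ifunc_demo.c: how a GNU IFUNC resolver selects an implementation at load time.
 * Added illustration, not code from xz/liblzma. Build: cc -O2 ifunc_demo.c -o ifunc_demo */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned (*checksum_fn)(const unsigned char *, size_t);

/* Resolver bookkeeping: which implementation was chosen and how often the resolver ran.
 * Under a real ifunc the loader runs the resolver before main(), so main() already sees
 * g_resolver_calls == 1 without having called checksum() at all. */
static int g_resolver_calls = 0;
static const char *g_chosen = "none";

/* Two implementations with identical results: a byte-at-a-time loop and an unrolled one. */
static unsigned checksum_generic(const unsigned char *p, size_t n) {
    unsigned s = 0;
    for (size_t i = 0; i < n; i++) s = s * 31u + p[i];
    return s;
}
static unsigned checksum_unrolled(const unsigned char *p, size_t n) {
    unsigned s = 0;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        s = s * 31u + p[i];
        s = s * 31u + p[i + 1];
        s = s * 31u + p[i + 2];
        s = s * 31u + p[i + 3];
    }
    for (; i < n; i++) s = s * 31u + p[i];
    return s;
}

/* The resolver (constructed name). The dynamic loader calls it while processing relocations,
 * i.e. before any constructor or main(). Whatever it returns is what the symbol `checksum`
 * binds to for the life of the process; nothing in the program ever calls the resolver
 * explicitly. That is why a resolver that does more than pick among implementations can
 * redirect a public symbol to code the caller never intended to run. */
static checksum_fn resolve_checksum(void) {
    g_resolver_calls++;
    /* Real resolvers branch on CPU features; a constant, portable criterion is used here. */
    if (sizeof(void *) >= 8) { g_chosen = "unrolled"; return checksum_unrolled; }
    g_chosen = "generic";
    return checksum_generic;
}

#if defined(__ELF__) && defined(__GLIBC__)
/* Real IFUNC: the symbol gets an IRELATIVE relocation that ld.so resolves at startup. */
unsigned checksum(const unsigned char *p, size_t n) __attribute__((ifunc("resolve_checksum")));
#else
/* Fallback for toolchains without IFUNC support: resolve lazily on first call instead. */
unsigned checksum(const unsigned char *p, size_t n) {
    static checksum_fn impl = NULL;
    if (!impl) impl = resolve_checksum();
    return impl(p, n);
}
#endif

/* Accessors so the resolver's behaviour can be observed from outside. */
int checksum_resolver_calls(void) { return g_resolver_calls; }
const char *checksum_chosen_impl(void) { return g_chosen; }

int main(void) {
    /* On glibc this prints 1: the resolver already ran inside the loader. */
    printf("resolver calls seen by main() before any checksum() call: %d\n", g_resolver_calls);
    const unsigned char sample[] = "constructed sample input";
    printf("checksum=%u via %s\n", checksum(sample, sizeof sample - 1), g_chosen);
    return 0;
}
```

On a glibc system the first line of output reports one resolver call before `checksum()` has ever been invoked; `readelf -r ifunc_demo | grep IRELATIVE` shows the relocation through which the loader handed control to the resolver, which is the same kind of load-time entry point that a review of a library's build and source changes should account for.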

In July 2023, Jia Tan sent the oss-fuzz developers a request to disable ifunc checking, citing its incompatibility with the “-fsanitize=address” mode. In early February 2024 the link to the project website in oss-fuzz and on the main page of tukaani.org was changed from “tukaani.org/xz/” to “xz.tukaani.org”; the “xz.tukaani.org” subdomain was hosted on GitHub Pages and controlled personally by Jia Tan. On February 23, archives for testing the decoder were committed to the xz repository, among them the files bad-3-corrupt_lzma2.xz and good-large_compressed.lzma, which contained the hidden backdoor.

On March 17, Hans Jansen, who had earlier prepared the IFUNC support patches, registered as a member of the Debian project, and on March 25 he sent a request to update the xz-utils package in the Debian repository. Fedora and Ubuntu developers also received requests to update the version (in Ubuntu the repository was frozen and the change was rejected).

Some users joined the requests to update xz, claiming that the new version fixed bugs that were getting in their way and had shown up while debugging under valgrind (the problems stemmed from the backdoor handler's incorrect assumptions about the stack layout, and the backdoor's developers tried to fix them in xz 5.6.1). The same glitch caught the attention of Andres Freund, a Microsoft employee who works on PostgreSQL development; he uncovered the backdoor and notified the community.

