xz Utils Backdoor: When source code lies, the runtime doesn’t.

ceoGlass

Founder & CEO

For those who haven’t seen it:

A backdoor in the widely used xz Utils compression package (versions 5.6.0 and 5.6.1, tracked as CVE-2024-3094) was disclosed on March 29, 2024. On affected systems the backdoored liblzma was loaded into the OpenSSH server, where it let an attacker holding a specific private key execute commands remotely during the SSH authentication step. The backdoor was introduced by a contributor using the name “Jia Tan”, who built up trust over more than two years of contributions and was handed maintainer rights after the project’s sole maintainer came under sustained pressure to share the load. Fortunately the backdoor was caught before the affected versions reached stable distribution releases; had it spread, the consequences for Linux systems would have been severe (macOS users who installed the same versions through package managers had to downgrade as well, although the payload itself only activated on Linux builds).

Andres Freund, the PostgreSQL developer who found it, has pointed out that the discovery hinged on a chain of coincidences: while micro-benchmarking PostgreSQL on a Debian unstable machine he noticed that SSH logins had become noticeably slower, that sshd was burning far more CPU than it should, and that valgrind was reporting errors inside liblzma. Most people would have shrugged off any one of these, and the backdoor would have shipped unnoticed.

A large factor in uncovering this issue was the open-source nature of xz Utils, which let Andres keep digging when the standard tools failed to explain the symptoms. Had xz Utils not been open source, he might simply have filed an issue, pinned PostgreSQL’s build to an earlier version of the package, and solved his immediate problem without ever uncovering the deeper one.

Even then, identifying the backdoor was far from straightforward. The injection logic was not in the git repository at all: the release tarballs for 5.6.0 and 5.6.1 carried a modified build-to-host.m4 that did not exist in git, and at configure time that macro extracted an obfuscated script from binary test files (which did sit in the repository, looking like ordinary corrupt-archive test vectors) and used it to patch the liblzma build. Reviewing the source on GitHub would therefore have shown nothing; the backdoor only existed in the built artefact. The incident shows how important it is to see what is actually going on inside running processes: there are many steps between source code and a shipped package, each of which can alter the code, whether to plant a backdoor or merely to swap in production configuration.
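One check that follows directly from this is to never trust a release tarball to match the tagged source tree it claims to be built from. The script below is an added example, not CodeGlass’s code and not anything from the xz project: it unpacks a tarball, diffs it recursively against a checked-out tree, ignores files that only exist in git (CI config, .gitignore), and reports anything that differs or exists only in the tarball. The fixture it builds for itself is constructed; build-to-host.m4 is the file name from the real incident, but its contents here, the tests/files/sample.xz name and everything else in the fixture are invented.

```shell
#!/bin/sh
# Added example (not CodeGlass's code, not the xz project's): check that a
# release tarball contains exactly what the tagged git tree contains.
# In the xz case the malicious build-to-host.m4 lived only in the tarballs,
# so a diff between tarball and checked-out tree would have flagged it, even
# though the payload hidden in the test files sat in git unnoticed.
#
# Usage: diff_tarball_against_tree RELEASE.tar.gz CHECKED_OUT_TREE
#   Prints every file that differs from, or exists only in, the tarball.
#   Files present only in the git tree (CI config, .gitignore) are expected
#   and are not reported. Returns 0 when the tarball matches, 1 otherwise.
diff_tarball_against_tree() {
    tarball=$1
    tree=$2
    scratch=$(mktemp -d)
    tar -xzf "$tarball" -C "$scratch"
    # Release tarballs unpack into a single versioned directory (pkg-1.0/).
    top=$(ls "$scratch")
    # diff -rq exits 1 when there are differences and grep exits 1 when the
    # filter removes every line, so || true keeps a set -e caller alive.
    findings=$(diff -rq "$tree" "$scratch/$top" | grep -Fv "Only in $tree" || true)
    rm -rf "$scratch"
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed fixture (file names and contents are invented): a fake
# checked-out tree, an honest tarball built from it, and a tampered tarball
# whose m4/build-to-host.m4 gained an extra stage that is absent from git.
# Prints the working directory so callers can find the three artefacts.
make_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/m4" "$work/tree/tests/files"
    printf 'dnl harmless autoconf macro\n' > "$work/tree/m4/build-to-host.m4"
    printf 'looks like a corrupt test archive\n' > "$work/tree/tests/files/sample.xz"
    printf 'int main(void) { return 0; }\n' > "$work/tree/main.c"
    printf '*.o\n' > "$work/tree/.gitignore"

    # Honest release: the tagged tree under a versioned top-level directory,
    # minus .gitignore, which a real `make dist` would also leave out.
    cp -r "$work/tree" "$work/pkg-1.0"
    rm -f "$work/pkg-1.0/.gitignore"
    tar -czf "$work/honest.tar.gz" -C "$work" pkg-1.0

    # Tampered release: identical except for the macro, which now runs
    # something pulled out of a test file at configure time.
    printf 'dnl harmless autoconf macro\neval "$(sed -n 2p tests/files/sample.xz)"\n' \
        > "$work/pkg-1.0/m4/build-to-host.m4"
    tar -czf "$work/tampered.tar.gz" -C "$work" pkg-1.0
    echo "$work"
}

# Stand-alone demo: the honest tarball passes, the tampered one is reported.
W=$(make_fixture)
diff_tarball_against_tree "$W/honest.tar.gz" "$W/tree" && echo "honest.tar.gz: matches git tree"
diff_tarball_against_tree "$W/tampered.tar.gz" "$W/tree" || echo "tampered.tar.gz: DOES NOT match git tree"
rm -rf "$W"
```

Against a real project you would point the second argument at the output of `git archive` for the release tag rather than a working copy, and treat any “differ” or “Only in tarball” line as something a human has to explain before the package is built. Note that this only catches what the xz tarballs did (changing build files between git and release); it says nothing about binary test files that were committed to git in plain sight, which is the half of the problem the rest of this post is about.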


This incident has reinforced my belief that we, developers, need tools that analyze the actual running process rather than just the source code.

Welcome to CodeGlass, a groundbreaking software development tool from an innovative startup based in the Netherlands. Our mission is to provide the best tools for software developers, and CodeGlass is a shining example of that commitment.

An intuitive, lightweight but powerful tool for and by developers.