How did the XZ backdoor get past Debian? A brief analysis of the case


A few days ago we shared here on the blog the news of the backdoor detected in the XZ utility, which is used by a large number of Linux distributions and therefore potentially affects all of them. What many people, myself included, find interesting about the case is how the backdoor was introduced: how the ground was prepared, and how the circumstances were arranged so that the code could be slipped in and overlooked.

In a blog post, Evan Boehs (a programmer and hacker) shared a short chronological analysis of the XZ backdoor case. He notes that the developer Jia Tan was responsible for introducing the backdoor into the XZ package: Jia Tan obtained maintainer status in 2022 and began publishing XZ releases starting with 5.4.2. Besides working on XZ, Jia Tan also contributed to the xz-java and xz-embedded packages and was listed as a maintainer of the XZ Embedded project used in the Linux kernel.

In addition to Jia Tan, two more users took part, Jigar Kumar and Hans Jansen, whom many assume were sock-puppet accounts. Jigar Kumar was involved in promoting Jia Tan's first patches to XZ, pressuring then-maintainer Lasse Collin to accept the changes and to implement support for filter strings in April 2022.

In June 2022, Lasse Collin handed the maintainer role over to Jia Tan, citing burnout and mental health issues. After that, Jigar Kumar no longer appeared on the project's mailing list.

With maintainer status, Jia Tan began actively committing changes to the XZ project and, according to the statistics, ranked second among the developers by number of changes over two years.

In March 2023, Lasse Collin replaced himself with Jia Tan as the contact responsible for XZ testing in the oss-fuzz service, and in June changes were made to the XZ build, including support for the IFUNC mechanism in liblzma, which the backdoor later used to hook functions. The suggestion for this change came from Hans Jansen, whose account had been created shortly before the related pull request was submitted.

In July 2023, Jia Tan asked the oss-fuzz developers to disable ifunc checking because of its incompatibility with "-fsanitize=address". In February 2024, the link to the XZ project website on oss-fuzz and tukaani.org was changed from the main domain to a subdomain; that subdomain was hosted on GitHub Pages and personally controlled by Jia Tan.
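To make the IFUNC mechanism mentioned above concrete, here is an added example (written for this post, not code from the article or from the XZ project) of a minimal GNU IFUNC in C. The resolver is executed by the dynamic loader while symbols are being bound, before main() runs, and whatever address it returns becomes the implementation every caller of the symbol gets. The legitimate use is picking a CPU-specific routine; the same hook lets a resolver substitute an arbitrary implementation, which is also why sanitizers such as AddressSanitizer (which instrument code that is not yet ready at relocation time) have trouble with it. The function names and the `use_hooked` switch are hypothetical.

```c
/* Added example (not from the article or the XZ project): a minimal GNU
 * IFUNC. The resolver runs at relocation time, before main(), and its
 * return value is bound as the implementation of my_strlen().
 * All names here are hypothetical. */
#include <string.h>

typedef int (*str_len_fn)(const char *);

/* Ordinary implementation. */
static int impl_plain(const char *s) { return (int)strlen(s); }

/* "Hooked" implementation: identical except for one chosen input, which is
 * how a substituted routine can stay invisible to normal tests. */
static int impl_hooked(const char *s) {
    if (strcmp(s, "trigger") == 0)
        return -1;                 /* marker: the hook took over */
    return (int)strlen(s);
}

/* Hypothetical switch standing in for the CPU-feature check a real
 * resolver would perform. A resolver must not call into other shared
 * objects, since they may not be relocated yet when it runs. */
static const int use_hooked = 1;

/* The resolver: returns the address the loader binds the symbol to. */
static str_len_fn resolve_my_strlen(void) {
    return use_hooked ? impl_hooked : impl_plain;
}

#if defined(__ELF__) && (defined(__GNUC__) || defined(__clang__))
/* Real IFUNC: my_strlen becomes a STT_GNU_IFUNC symbol whose target is
 * whatever resolve_my_strlen() returns when the loader processes it. */
int my_strlen(const char *s) __attribute__((ifunc("resolve_my_strlen")));
#else
/* Non-ELF fallback so the example still compiles: same selection, made at
 * call time instead of by the loader. */
int my_strlen(const char *s) { return resolve_my_strlen()(s); }
#endif

/* Calls go through the bound symbol; which implementation answers was
 * decided before main() ran. Returns 1 if the hooked variant is active. */
int hook_is_active(void) {
    return my_strlen("trigger") == -1 && my_strlen("plain") == 5;
}

int main(void) {
    return hook_is_active() ? 0 : 1;
}
```

On a Linux/ELF build, `readelf -s` on the resulting binary shows `my_strlen` with type `IFUNC`, and `readelf -r` shows an `R_*_IRELATIVE` relocation for it; that is the footprint a reviewer can look for when a library that has no CPU-dispatch need suddenly gains IFUNC symbols.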

On February 23, test files for the decoder, including files containing the backdoor, were published to the repository, although they were listed in the .gitignore file.

On March 17, Hans Jansen, previously involved in the IFUNC support patches, registered as a contributor to the Debian project. On March 25, Debian received a request to update the version of the xz-utils package in its repository. Similar requests reached Fedora and Ubuntu developers as well (although in Ubuntu the change was rejected because of the repository freeze).

Several users backed the XZ update requests, arguing that the new version fixed errors detected by valgrind. Those errors were caused by the backdoor's code incorrectly determining the stack layout, which the XZ 5.6.1 release attempted to fix.

Regarding this, Lasse Collin issued a statement confirming that the files containing the backdoored versions were created and signed by Jia Tan. He also announced the removal of the xz.tukaani.org subdomain, with the xz site returning to the main tukaani.org server, and mentioned that his GitHub account had been blocked. It is worth noting that Lasse Collin only controls the tukaani.org website and the git.tukaani.org repositories, while Jia Tan controlled only the project on GitHub and the xz.tukaani.org host and had no access to the tukaani.org server.

If you want to know more about it, you can consult the details at the following link.