From 16a6332f32b7560ec254fe67b13a7ae0151b8479 Mon Sep 17 00:00:00 2001 
From: "W. Kosior" Date: Sat, 1 Jun 2024 20:58:27 +0200 Subject: Initial commit. --- .reuse/dep5 | 17 + Awesome.svg | 256 +++++++ Awesome.svg.license | 3 + LICENSES/CC-BY-SA-4.0.txt | 170 +++++ LICENSES/CC0-1.0.txt | 121 +++ Makefile | 29 + autotools-and-backdoor.svg | 1395 ++++++++++++++++++++++++++++++++++ autotools-and-backdoor.svg.license | 10 + autotools.svg | 351 +++++++++ autotools.svg.license | 8 + avatar-jia.png | Bin 0 -> 70915 bytes avatar-larhzu.png | Bin 0 -> 1522 bytes incident-response-xz.tex | 635 ++++++++++++++++ openssh-exploitation.svg | 370 +++++++++ screenshots/andres-mastodon.png | Bin 0 -> 45719 bytes screenshots/lasse-cleanup-commit.png | Bin 0 -> 45144 bytes screenshots/news-theregister.png | Bin 0 -> 45312 bytes screenshots/reactions-cisa.png | Bin 0 -> 43524 bytes screenshots/reactions-dsa.png | Bin 0 -> 52073 bytes screenshots/reactions-fedora.png | Bin 0 -> 25804 bytes screenshots/reactions-gentoo.png | Bin 0 -> 51217 bytes screenshots/reactions-kali.png | Bin 0 -> 62928 bytes screenshots/reactions-microsoft.png | Bin 0 -> 49132 bytes screenshots/reactions-opensuse.png | Bin 0 -> 37749 bytes screenshots/reactions-ubuntu.png | Bin 0 -> 39858 bytes target-audience-distros.svg | 142 ++++ timeline.svg | 420 ++++++++++ xz-logo.png | Bin 0 -> 35032 bytes xz-logo.png.license | 3 + 29 files changed, 3930 insertions(+) create mode 100644 .reuse/dep5 create mode 100644 Awesome.svg create mode 100644 Awesome.svg.license create mode 100644 LICENSES/CC-BY-SA-4.0.txt create mode 100644 LICENSES/CC0-1.0.txt create mode 100644 Makefile create mode 100644 autotools-and-backdoor.svg create mode 100644 autotools-and-backdoor.svg.license create mode 100644 autotools.svg create mode 100644 autotools.svg.license create mode 100644 avatar-jia.png create mode 100644 avatar-larhzu.png create mode 100644 incident-response-xz.tex create mode 100644 openssh-exploitation.svg create mode 100644 screenshots/andres-mastodon.png create mode 100644 
screenshots/lasse-cleanup-commit.png create mode 100644 screenshots/news-theregister.png create mode 100644 screenshots/reactions-cisa.png create mode 100644 screenshots/reactions-dsa.png create mode 100644 screenshots/reactions-fedora.png create mode 100644 screenshots/reactions-gentoo.png create mode 100644 screenshots/reactions-kali.png create mode 100644 screenshots/reactions-microsoft.png create mode 100644 screenshots/reactions-opensuse.png create mode 100644 screenshots/reactions-ubuntu.png create mode 100644 target-audience-distros.svg create mode 100644 timeline.svg create mode 100644 xz-logo.png create mode 100644 xz-logo.png.license diff --git a/.reuse/dep5 b/.reuse/dep5 new file mode 100644 index 0000000..21dbdb1 --- /dev/null +++ b/.reuse/dep5 @@ -0,0 +1,17 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: xz backdoor presentation +Upstream-Contact: Wojtek Kosior +Source: https://git.koszko.org/AGH-xz-backdoor-presentation + +Files: screenshots/* +Copyright: 2024 Wojtek Kosior +License: CC0-1.0 diff --git a/Awesome.svg b/Awesome.svg new file mode 100644 index 0000000..a6ce0e0 --- /dev/null +++ b/Awesome.svg @@ -0,0 +1,256 @@ + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + Openclipart + + + Awesome + 2011-04-03T10:13:42 + http://encyclopediadramatica.es/Awesome + https://openclipart.org/detail/130657/awesome-by-rones + + + rones + + + + + awesome + meme + smile + smiley + smileys + smilies + + + + + + + + + + + diff --git a/Awesome.svg.license b/Awesome.svg.license new file mode 100644 index 0000000..36c6dee --- /dev/null +++ b/Awesome.svg.license @@ -0,0 +1,3 @@ +SPDX-License-Identifier: CC0-1.0 + +Copyright (C) 2011 Openclipart user rones diff --git a/LICENSES/CC-BY-SA-4.0.txt b/LICENSES/CC-BY-SA-4.0.txt new file mode 100644 index 0000000..835a683 --- /dev/null +++ b/LICENSES/CC-BY-SA-4.0.txt 
@@ -0,0 +1,170 @@ +Creative Commons Attribution-ShareAlike 4.0 International + + Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible. + +Using Creative Commons Public Licenses + +Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses. + +Considerations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors. + +Considerations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. 
If the licensor’s permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. + +Although not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public. + +Creative Commons Attribution-ShareAlike 4.0 International Public License + +By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions. + +Section 1 – Definitions. + + a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image. + + b. 
Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License. + + c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License. + + d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights. + + e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements. + + f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material. + + g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike. + + h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License. + + i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license. + + j. Licensor means the individual(s) or entity(ies) granting rights under this Public License. + + k. 
Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them. + + l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world. + + m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning. + +Section 2 – Scope. + + a. License grant. + + 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to: + + A. reproduce and Share the Licensed Material, in whole or in part; and + + B. produce, reproduce, and Share Adapted Material. + + 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions. + + 3. Term. The term of this Public License is specified in Section 6(a). + + 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. 
The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material. + + 5. Downstream recipients. + + A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. + + B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter’s License You apply. + + C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. + + 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). + + b. Other rights. + + 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise. + + 2. 
Patent and trademark rights are not licensed under this Public License. + + 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties. + +Section 3 – License Conditions. + +Your exercise of the Licensed Rights is expressly made subject to the following conditions. + + a. Attribution. + + 1. If You Share the Licensed Material (including in modified form), You must: + + A. retain the following if it is supplied by the Licensor with the Licensed Material: + + i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); + + ii. a copyright notice; + + iii. a notice that refers to this Public License; + + iv. a notice that refers to the disclaimer of warranties; + + v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable; + + B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and + + C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. + + 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. + + 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. + + b. 
ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply. + + 1. The Adapter’s License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License. + + 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material. + + 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply. + +Section 4 – Sui Generis Database Rights. + +Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material: + + a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database; + + b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and + + c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database. +For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights. + +Section 5 – Disclaimer of Warranties and Limitation of Liability. + + a. 
Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You. + + b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You. + + c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. + +Section 6 – Term and Termination. + + a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. + + b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: + + 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or + + 2. upon express reinstatement by the Licensor. + + c. 
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. + + d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. + + e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License. + +Section 7 – Other Terms and Conditions. + + a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed. + + b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License. + +Section 8 – Interpretation. + + a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License. + + b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions. + + c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor. + + d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority. + +Creative Commons is not a party to its public licenses. 
Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses. + +Creative Commons may be contacted at creativecommons.org. diff --git a/LICENSES/CC0-1.0.txt b/LICENSES/CC0-1.0.txt new file mode 100644 index 0000000..0e259d4 --- /dev/null +++ b/LICENSES/CC0-1.0.txt 
@@ -0,0 +1,121 @@ +Creative Commons Legal Code + +CC0 1.0 Universal + + CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE + LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN + ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS + INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES + REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS + PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM + THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED + HEREUNDER. + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator +and subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for +the purpose of contributing to a commons of creative, cultural and +scientific works ("Commons") that the public can reliably and without fear +of later claims of infringement build upon, modify, incorporate in other +works, reuse and redistribute as freely as possible in any form whatsoever +and for any purposes, including without limitation commercial purposes. +These owners may contribute to the Commons to promote the ideal of a free +culture and the further production of creative, cultural and scientific +works, or to gain reputation or greater distribution for their Work in +part through the use and efforts of others. 
+ +For these and/or other purposes and motivations, and without any +expectation of additional consideration or compensation, the person +associating CC0 with a Work (the "Affirmer"), to the extent that he or she +is an owner of Copyright and Related Rights in the Work, voluntarily +elects to apply CC0 to the Work and publicly distribute the Work under its +terms, with knowledge of his or her Copyright and Related Rights in the +Work and the meaning and intended legal effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not +limited to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, + communicate, and translate a Work; + ii. moral rights retained by the original author(s) and/or performer(s); +iii. publicity and privacy rights pertaining to a person's image or + likeness depicted in a Work; + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + v. rights protecting the extraction, dissemination, use and reuse of data + in a Work; + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation + thereof, including any amended or successor version of such + directive); and +vii. other similar, equivalent or corresponding rights throughout the + world based on applicable law or treaty, and any national + implementations thereof. + +2. Waiver. 
To the greatest extent permitted by, but not in contravention +of, applicable law, Affirmer hereby overtly, fully, permanently, +irrevocably and unconditionally waives, abandons, and surrenders all of +Affirmer's Copyright and Related Rights and associated claims and causes +of action, whether now known or unknown (including existing as well as +future claims and causes of action), in the Work (i) in all territories +worldwide, (ii) for the maximum duration provided by applicable law or +treaty (including future time extensions), (iii) in any current or future +medium and for any number of copies, and (iv) for any purpose whatsoever, +including without limitation commercial, advertising or promotional +purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each +member of the public at large and to the detriment of Affirmer's heirs and +successors, fully intending that such Waiver shall not be subject to +revocation, rescission, cancellation, termination, or any other legal or +equitable action to disrupt the quiet enjoyment of the Work by the public +as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. Should any part of the Waiver for any reason +be judged legally invalid or ineffective under applicable law, then the +Waiver shall be preserved to the maximum extent permitted taking into +account Affirmer's express Statement of Purpose. 
In addition, to the +extent the Waiver is so judged Affirmer hereby grants to each affected +person a royalty-free, non transferable, non sublicensable, non exclusive, +irrevocable and unconditional license to exercise Affirmer's Copyright and +Related Rights in the Work (i) in all territories worldwide, (ii) for the +maximum duration provided by applicable law or treaty (including future +time extensions), (iii) in any current or future medium and for any number +of copies, and (iv) for any purpose whatsoever, including without +limitation commercial, advertising or promotional purposes (the +"License"). The License shall be deemed effective as of the date CC0 was +applied by Affirmer to the Work. Should any part of the License for any +reason be judged legally invalid or ineffective under applicable law, such +partial invalidity or ineffectiveness shall not invalidate the remainder +of the License, and in such case Affirmer hereby affirms that he or she +will not (i) exercise any of his or her remaining Copyright and Related +Rights in the Work or (ii) assert any associated claims and causes of +action with respect to the Work, in either case contrary to Affirmer's +express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + b. Affirmer offers the Work as-is and makes no representations or + warranties of any kind concerning the Work, express, implied, + statutory or otherwise, including without limitation warranties of + title, merchantability, fitness for a particular purpose, non + infringement, or the absence of latent or other defects, accuracy, or + the present or absence of errors, whether or not discoverable, all to + the greatest extent permissible under applicable law. + c. 
Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without + limitation any person's Copyright and Related Rights in the Work. + Further, Affirmer disclaims responsibility for obtaining any necessary + consents, permissions or other rights required for any use of the + Work. + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to + this CC0 or use of the Work. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..3ec8884 --- /dev/null +++ b/Makefile @@ -0,0 +1,29 @@ +# SPDX-License-Identifier: CC0-1.0 +# +# Copyright (C) 2024 Wojtek Kosior + +all: incident-response-xz.pdf +.PHONY: all + +.SUFFIXES: .tex .pdf + +.tex.pdf: + pdflatex --shell-escape $< + +GRAPHICS = \ + xz-logo.png \ + avatar-larhzu.png \ + avatar-jia.png \ + Awesome.svg \ + timeline.svg \ + target-audience-distros.svg \ + autotools.svg \ + autotools-and-backdoor.svg \ + openssh-exploitation.svg + +incident-response-xz.pdf: $(GRAPHICS) screenshots + +clean: + rm -rf *.pdf *.toc *.vrb *.snm *.out *.log *.aux *.nav + rm -rf svg-inkscape +.PHONY: clean diff --git a/autotools-and-backdoor.svg b/autotools-and-backdoor.svg new file mode 100644 index 0000000..30db892 --- /dev/null +++ b/autotools-and-backdoor.svg @@ -0,0 +1,1395 @@ + + + +configure.acautoconfOften handled +by upstreamShipped in +a tarballMakefile.inMakefileconfigureMakefile.amautomakemakeprogram./configure && make && sudo make installbuild-to-host.m4 diff --git a/autotools-and-backdoor.svg.license b/autotools-and-backdoor.svg.license new file mode 100644 index 0000000..7440eef --- /dev/null +++ b/autotools-and-backdoor.svg.license 
@@ -0,0 +1,10 @@ +SPDX-License-Identifier: CC-BY-SA-4.0 and CC0-1.0 + +Copyright (C) 2001-2024 Gentoo authors +Copyright (C) 2012 Openclipart user utrescu +Copyright (C) 2024 Wojtek Kosior + +The original autotools diagram has been taken from Gentoo wiki under CC BY-SA. +The virus vector has been taken from Openclipart under CC0. Wojtek also waives +his copyright to the result (although it is still covered by the copyright of +Gentoo authors). diff --git a/autotools.svg b/autotools.svg new file mode 100644 index 0000000..6edb3f3 --- /dev/null +++ b/autotools.svg @@ -0,0 +1,351 @@ + + + +configure.acautoconfOften handled +by upstreamShipped in +a tarballMakefile.inMakefileconfigureMakefile.amautomakemakeprogram./configure && make && sudo make install diff --git a/autotools.svg.license b/autotools.svg.license new file mode 100644 index 0000000..e419cf9 --- /dev/null +++ b/autotools.svg.license @@ -0,0 +1,8 @@ +SPDX-License-Identifier: CC-BY-SA-4.0 and CC0-1.0 + +Copyright (C) 2001-2024 Gentoo authors +Copyright (C) 2024 Wojtek Kosior + +The original autotools diagram has been taken from Gentoo wiki under CC BY-SA. +Wojtek waives his copyright to the result (although it is still covered by the +copyright of Gentoo authors). diff --git a/avatar-jia.png b/avatar-jia.png new file mode 100644 index 0000000..4c47c64 Binary files /dev/null and b/avatar-jia.png differ diff --git a/avatar-larhzu.png b/avatar-larhzu.png new file mode 100644 index 0000000..697054b Binary files /dev/null and b/avatar-larhzu.png differ diff --git a/incident-response-xz.tex b/incident-response-xz.tex new file mode 100644 index 0000000..c4d41eb --- /dev/null +++ b/incident-response-xz.tex 
@@ -0,0 +1,635 @@ +%% SPDX-License-Identifier: CC0-1.0 +%% +%% Copyright (C) 2024 W. Kosior + +\documentclass{beamer} +\usetheme{Rochester} +\usecolortheme{seagull} +\usepackage{calc} +\usepackage{svg} +\usepackage{graphicx} +\usepackage[export]{adjustbox} +\usepackage{verbatimbox} +\usepackage{listings} +\usepackage{seqsplit} +\usepackage{soul} + +\setbeamertemplate{navigation symbols}{} +\setbeameroption{show notes} + +\newenvironment{prettyitemize}{% + \begin{itemize} + \itemsep0.7em +}{% + \end{itemize} +} + +\newcommand{\meme}[1]{% + \href{#1}{Meme \includesvg[height=\baselineskip]{Awesome.svg}} +} + +\newcommand{\memeframe}[2]{% + \begin{frame}{#1 (Meme)} + \begin{center} + \Huge + \meme{#2} + \end{center} + \end{frame} +} + +\newcommand{\screenshotframe}[2]{% + \begin{frame}{#1} + \includegraphics[ + height=\dimexpr\textheight-0.5cm\relax, + center + ]{screenshots/#2} + \end{frame} +} + +\title{Incident response — 2024 xz backdoor} + +\begin{document} + +\frame{ + \titlepage + \begin{figure}[h] + \includegraphics[height=0.25\textheight]{xz-logo.png} + \end{figure} +} + +\note{ + \begin{itemize} + \item a popular free software package ``xz'' + \item we'll discuss + \begin{itemize} + \item how it happened + \item briefly: how backdoor works + \item how it was discorved \& analyzed + \item various reactions, employed procedures + \item discussions and triggered changes in projects (lessons learned) + \end{itemize} + \end{itemize} +} + +\begin{frame}{Meet xz} + \begin{prettyitemize} + \item xz's what? + \pause + \item xz's who? 
+ \vspace{0.5em} + \pause + \begin{prettyitemize} + \item + {\raisebox{-2ex}{\includegraphics[height=\dimexpr\baselineskip*2\relax]{avatar-larhzu.png}}} + Lasse Collin (\textit{Larhzu}) \pause + \item + {\raisebox{-2ex}{\includegraphics[height=\dimexpr\baselineskip*2\relax]{avatar-jia.png}}} + Jia Cheong Tan (\textit{JiaT75}) + \end{prettyitemize} + \end{prettyitemize} + \pause + \vspace{2em} + \begin{center} + \meme{https://i0.wp.com/lex-img-p.s3.us-west-2.amazonaws.com/img/5ddde247-464a-4532-bfe4-5e0a1ed16062-RackMultipart20240407-179-1kxtsc.png?ssl=1} + \end{center} +\end{frame} + +\note{ + \scalebox{0.75}{\begin{minipage}{1.333\textwidth} + \begin{itemize} + \item ``xz'' — a (lossless) compression tool + \begin{itemize} + \item started in 2009 + \item includes both CLI application and library ``lzma'' (which was + standalone before 2009) + \item free/libre software (developed on GitHub, viewable by anyone) + \item included by default in many operating systems (almost all + GNU+Linux distros like Debian and Ubuntu) + \end{itemize} + \item xz is Lasse Collin + \begin{itemize} + \item Lasse has been the maintainer since the beginning in 2009 + \item Lasse got less involved with the project lately (personal + problems) + \item Lasse often had internet breaks (including when backdoor got + placed) + \end{itemize} + \item xz is (was…) Jia Tan + \begin{itemize} + \item relatively new co-maintainer + \item 2-2.5 years as a contributor + \item 1.5 years with release rights + \item DO NOT \textbf{YET} explain that backdor-activating code is absent + in git nor that Jia is a fake identity + \end{itemize} + \end{itemize} + \end{minipage}} +} + +\begin{frame}{Timeline} + \includesvg[ + width=\linewidth, + inkscapelatex=false + ]{timeline.svg} +\end{frame} + +\note{ + \begin{itemize} + \item before January 2022 — contributions to other projects + \item April 2022 — certain "Jigar Kumar" and "Dennis Ens" start criticizing + Lasse on the mailing list for not being able to take 
care of the project + well; both appear to ba fake identities + \item XZ Utils 5.6.1 got released to hide Valgrind errors manifesting + because of the backdoor + \item April 9 — Larhzu unbanned on GitHub, starts cleaning up the GitHub + project + \item maybe explain what tarball signing is + \end{itemize} +} + +\screenshotframe{Hit the news}{news-theregister.png} + +\note{ + \begin{itemize} + \item backdoor placed by Jia in 2024 + \item XZ versions 5.6.0 and 5.6.1 + \item discovered on march 29th + \item became loud news (not just technical sites/blogs) + \end{itemize} +} + +\begin{frame}{Meet target audience} + It's best to attack the most popular… + + \begin{center} + \begin{figure}[h] + \includesvg[ + width=\linewidth, + inkscapelatex=false + ]{target-audience-distros.svg} + \end{figure} + \end{center} +\end{frame} + +\note{ + \begin{itemize} + \item affected: GNU+Linux distros using systemd, based on APT or RPM + \begin{itemize} + \item Debian, Ubuntu, Kali + \item Fedora, RedHat + \item (Open)Suse, + \item their other derivatives + \end{itemize} + \item unaffected (at this time…) + \begin{itemize} + \item Arch + \item Gentoo + \item Nix \& Guix + \item Alpine + \item non-Linux-based OS'es (BSD's, MacOS) + \end{itemize} + \end{itemize} +} + +\begin{frame}{Meet targetted programs} + \begin{prettyitemize} + \item OpenSSH (SSH daemon) + \pause + \item systemd + \pause + \item glibc + \end{prettyitemize} +\end{frame} + +\note{ + \scalebox{0.75}{\begin{minipage}{1.333\textwidth} + \begin{itemize} + \item OpenSSH (OpenBSD Secure Shell) + \begin{itemize} + \item used for remote management + \item commonly deployed on UNIX servers + \item daemon listens for connections on TCP (default port 22) + \item typically handles logins and spawns a shell (like bash) on remote host + (although other uses exist) + \item typically has great privileges (session creation as different UNIX + users) + \item often receives attention (e.g. 
created sessions likely to be logged) + \end{itemize} + \item systemd + \begin{itemize} + \item an init system (the first program started by the kernel when + computer boots) + \item also a service management tool + \item used on most mainstream GNU+Linux distros + \item often criticized for bloat + \end{itemize} + \item glibc (GNU C Library) + \begin{itemize} + \item used on most mainstream GNU+Linux distros + \item utilized by most of the programs on the system + \item also often criticized for bloat + \end{itemize} + \end{itemize} + \end{minipage}} +} + +\begin{frame}{Autotools} + \begin{center} + \begin{figure}[h] + \includesvg[ + width=\linewidth, + inkscapelatex=false + ]{autotools.svg} + \end{figure} + \end{center} +\end{frame} + +\begin{myverbbox}{\vMakefile}Makefile\end{myverbbox} +\begin{myverbbox}{\vconfigureAc}configure.ac\end{myverbbox} +\begin{myverbbox}{\vMakefileAm}Makefile.am\end{myverbbox} +\begin{myverbbox}{\vconfigure}configure\end{myverbbox} +\begin{myverbbox}{\vMakefileIn}Makefile.in\end{myverbbox} + +\note{ + \scalebox{0.75}{\begin{minipage}{1.333\textwidth} + \begin{itemize} + \item GNU Autotools — Autoconf + Automake + some other programs + \item used to configure how program should be built and to generate a + {\vMakefile} + \item steps: + \begin{itemize} + \item maintainer writes {\vconfigureAc} and {\vMakefileAm} + \item maintainer uses a command from Autoconf to generate a + {\vconfigure} script and a {\vMakefileIn} + \item the project together with generated files is packed into a tarball + and distributed + \item user downloads the distribution tarball + \item user runs the {\vconfigure} script to generate {\vMakefile} + \item user runs Make to build the program + \end{itemize} + \item after downloading, user can optionally re-generate the {\vconfigure} + and a {\vMakefileIn} files to avoid relying on upstream-generated ones + \item common if user $\equiv$ a distro + \item functionality often extended with custom M4 files + \item they 
are often simply copied from other projects + \end{itemize} + \end{minipage}} +} + +\begin{frame}{Autotools — Backdoor smuggling} + \begin{center} + \begin{figure}[h] + \includesvg[ + width=\linewidth, + inkscapelatex=false + ]{autotools-and-backdoor.svg} + \end{figure} + \end{center} +\end{frame} + +\begin{myverbbox}{\vBuildToHost}m4/build-to-host.m4\end{myverbbox} + +\begin{myverbbox}{\vBadCorruptLzma}tests/files/bad-3-corrupt_lzma2.xz\end{myverbbox} + +\begin{myverbbox}{\vGoodLargeCompressed}tests/files/good-large_compressed.lzma\end{myverbbox} + + \note{ + \scalebox{0.75}{\begin{minipage}{1.333\textwidth} + \begin{itemize} + \item extra {\vBuildToHost} copied from the gnulib project and included + in xz release tarballs + \item modified to alter the build in a malicious way + \item works even if the victim re-generates the {\vconfigure} file + \item other malicious files (not shown) hidden among test resources + \item programs have automated tests + \item xz is a compression tool — tests involve decompression of archives + \item {\vBuildToHost} extracts a hidden shell script from + {\vBadCorruptLzma} (otherwise unused) + \item extracted script further alters the build to link a binary payload + into the program + \item binary payload hidden in {\vGoodLargeCompressed} (also unused) + \item {\vBuildToHost} not present \& backdoor inactive when building + from git + \end{itemize} + \end{minipage}} + } + +\begin{frame}[fragile]{Backdoor unpacking} + \ttfamily\small + \begin{lstlisting}[breaklines] +xz -dc $top_srcdir/tests/files/$p | eval $i | LC_ALL=C sed "s/\(.\)/\1\n/g" | LC_ALL=C awk 'BEGIN{FS="\n";RS="\n";ORS="";m=256;for(i=0;i /dev/null 2>&1) && head -c +$W) > liblzma_la-crc64-fast.o || true +if ! 
test -f liblzma_la-crc64-fast.o; then +exit 0 +fi +cp .libs/liblzma_la-crc64_fast.o .libs/liblzma_la-crc64-fast.o || true + \end{lstlisting} +\end{frame} + +\note{ + \begin{itemize} + \item only a small part of the script shown here, some extra line-breaks added + \item the script + \begin{itemize} + \item checks the environment + \item gets the payload linked into liblzma.so + \item but only when using GCC, glibc, building an APT/RPM package, etc. + \item but even when this is not met, looks for magic numbers in other files + and tries to execute their embedded payloads if found (an entry for future + backdoors) + \end{itemize} + \item explain what shared library is + \item lots of obfuscation (as seen in the slide) + \end{itemize} +} + +\begin{myverbbox}{\vRSAPublicDecyrpt}RSA_public_decrypt\end{myverbbox} + +\begin{frame}{Backdoor loading} + \begin{itemize} + \item in many distros OpenSSH happens to be patched to use systemd + notifications + \item systemd depends on lzma + \item liblzma gets loaded into OpenSSH process and replaces function + {\vRSAPublicDecyrpt} with its own + \item uses ``IFUNC'' + \end{itemize} + + \vspace{1em} + + \itshape + ``The GNU indirect function support (IFUNC) is a feature of the GNU toolchain + that allows a developer to create multiple implementations of a given function + and to select amongst them at runtime using a resolver function which is also + written by the developer. 
The resolver function is called by the dynamic + loader during early startup to resolve which of the implementations will be + used by the application.'' + \normalfont +\end{frame} + +\note{ + \begin{itemize} + \item systemd depends on lzma + \item liblzma gets loaded into OpenSSH process and replaces function + {\vRSAPublicDecyrpt} with its own + \item hijacking a function in another library not normally easy — global + offset table and procedure linkage tables are made read-only after process + is initialized + \item IFUNCs abused to bypass the above and run code while said tables are + still writable + \end{itemize} +} + +\begin{frame}{Backdoor exploiting} + \begin{center} + \begin{figure}[h] + \includesvg[ + width=\linewidth, + inkscapelatex=false + ]{openssh-exploitation.svg} + \end{figure} + \end{center} +\end{frame} + +\begin{myverbbox}{\vSystem}system()\end{myverbbox} + +\note{ + \begin{itemize} + \item upon SSH connection using certificate, backdoor checks for a specific + key + \item payload extracted from cert's public key before cert's sig verification + \item theoretically, others could exploit this attack as well + \item runs code using {\vSystem} function from C library (no extra SSH session + spawned) + \item again, lots of obfuscation + \end{itemize} +} + +\screenshotframe{Discovery}{andres-mastodon.png} + +\note{ + \begin{itemize} + \item Postgres developer, employed by Miscosoft + \item had been working on Postgres using backdoored Debian Unstable + \item noticed SSH running slower + \item notified GNU+Linux distros + \item one of the most famous programmers now + \end{itemize} +} + +\memeframe{Discovery}{https://media.telefonicatech.com/telefonicatech/uploads/2024/4/downgrade-xz-meme.jpg} + +\screenshotframe{Reactions — Debian}{reactions-dsa.png} + +\note{ + \begin{itemize} + \item Debian $\equiv$ primary distro user of APT + \item Debian unstable and testing affected (i.e. 
releases not usually meant + for production use) + \item older xz release numbered with newer version for automatic revertion + even with an ordinary update (the ``+really-5.4.5-1'' version suffix makes + it lexicographically greater than the vulnerable package without suffix) + \item users subscribing the security mailing list were notified on the day of + discovery + \end{itemize} +} + +\screenshotframe{Reactions — Ubuntu}{reactions-ubuntu.png} + +\note{ + \begin{itemize} + \item the most popular Debian-derived distro + \item maybe the most popular GNU+Linux distro overall + \item only the not-yet-released Ubuntu 24.04 affected + \item CVE recorded and library removed from repos on the day of backdoor + discovery + \end{itemize} +} + +\screenshotframe{Reactions — Kali}{reactions-kali.png} + +\note{ + \begin{itemize} + \item one of few distros to have served the backdoored version to the general + public rather than beta testers + \item probably not the desired target of the attacker (Kali is not meant for + servers) + \item unlike OpenSUSE Tumbleweed, did not recommend affected users to + reinstall the system despite the backdoor being truly active + \end{itemize} +} + +\screenshotframe{Reactions — Fedora}{reactions-fedora.png} + +\begin{myverbbox}{\vDnfUpgradeAdvisory}sudo dnf upgrade --refresh \ +--advisory=FEDORA-2024-d02c7bb266\end{myverbbox} + +\note{ + \begin{itemize} + \item Fedora $\equiv$ primary distro user of RPM, base for RedHat + \item ``PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES'' + \item only Fedora Linux 40 beta and Fedora Rawhide affected + \item note: Rawhide is development/testing release, Fedora Linux 40 beta is a + beta release; neither is meant for most kind of production tasks + \item users nevertheless encouraged to downgrade to a version from before + Jia'a xz maintainer access + \item package version lowered but epoch bumped (maybe smarter than Debian's + solution?) 
+ \item {\vDnfUpgradeAdvisory} + \end{itemize} +} + +\screenshotframe{Reactions — OpenSUSE}{reactions-opensuse.png} + +\begin{myverbbox}{\vOpenSUSERevertto}5.6.1.revertto5.4\end{myverbbox} + +\note{ + \begin{itemize} + \item also an RPM user, base for commercial SUSE distro + \item OpenSUSE Tumbleweed (rolling release variant of OpenSUSE) — one of the + major affected distros (March 8 - March 28) + \item users who had SSH exposed recommended to install afresh + \item package created with version {\vOpenSUSERevertto} + \end{itemize} +} + +\screenshotframe{Reactions — Gentoo}{reactions-gentoo.png} + +\note{ + \begin{itemize} + \item reaction also on the same day + \item distro not affected + \item reverted to earlier xz release nevertheless + \item users requested to downgrade nevertheless + \item distro recently started linking lzma into packages by default which + raised suspicion (but is clearle a coincidence) + \item other unaffected distros (e.g. Arch) reacted similarly + \end{itemize} +} + +\screenshotframe{Reactions — Microsoft}{reactions-microsoft.png} + +\note{ + While not know for involovement with GNU+Linux distros, Microsoft also has + interest in them and wrote posts about the backdoor. 
+} + +\screenshotframe{Reactions — Official Bodies}{reactions-cisa.png} + +\note{ + \begin{itemize} + \item CISA - Cybersecurity \& Infrastructure Security Agency + \item a US agency + \item gave similar advice as distro maintainers — to downgrade xz + \end{itemize} +} + +\screenshotframe{Lasse Collin's xz repo cleanup}{lasse-cleanup-commit.png} + +\note{ + \scalebox{0.75}{\begin{minipage}{1.333\textwidth} + \begin{itemize} + \item Lasse unbanned on GitHub on April 2 (3 days after backdoor + discovery) + \item XZ repo cleaned up and reinstated on April 9 + \item Lasse has also been documenting the situation on + \href{https://tukaani.org/xz-backdoor/}{https://tukaani.org/xz-backdoor/} + \item good for Lasse, people got interested in xz, many compassionate with + him and offered donations or other help + \item Jia disappeared, it's been noticed he had been + \begin{itemize} + \item making commits on Chinese New Year which most Chinese don't + \item spells his ``second name'' in a Singaporean rather than Chinese + way + \item using a Singaporean VPN for all communication + \item using +0800 timezone for most of his commits but had also made + some with +0300 timezone + \item working on xz during typical working hours of the +0300 timezone + \item but had also often worked on weekends + \item inactive during some western holiday + \end{itemize} + \item Jia could be a fake Singaporean persona created and operated by the + Russian or Iranian government + \item but could as well be created and operated by a US agency in a way to + suggest Russian involvement + \end{itemize} + \end{minipage}} +} + +\begin{myverbbox}{\vLd}ld\end{myverbbox} +\begin{myverbbox}{\vObjdump}objdump\end{myverbbox} + +\begin{frame}{Lessons Learned} + \begin{prettyitemize} + \item Decided to change their practices to mitigate attacks of this kind: + \begin{prettyitemize} + \item CMake (the other build system supported by xz) + \item systemd (the init system rumoured to be bloated) + \item groff 
(typesetting system using Autotools) + \item GNU binutils (mainstream implementation of tools like {\vLd} and + {\vObjdump}) + \item openSSH + \end{prettyitemize} + \item Had interesting discussions as a result of the attack: autoconf, + automake, bug-gnulib, fedora-devel, debian-devel, oss-security + \item Universal advice: put SSH behind VPN + \end{prettyitemize} +\end{frame} + +\note{ + \begin{itemize} + \item CMake — check for feature tests made to be forcibly-failing (Jia made + Linux landlock availability check fail by introducing syntax error in test C + source) + \item systemd — has already been working on reducing dependencies like xz + \item groff — better practices: allow more files to be rebuilt by distribution + \item GNU binutils — better practices: strip dependencies + \item openSSH — look for solutions so that distros don't have to patch + anything + \end{itemize} + + Among others, supply chain hardening methods discussed. Should we rely on vcs + rather than on tarballs? Should we create our tarballs in some more + responsible way? 
+} + +\memeframe{Lessons Learned}{https://redlib.pussthecat.org/img/j8wcm4aajprc1.jpeg} + +\begin{frame}{References} + \small + + Resources used: + \begin{prettyitemize} + \item \href{https://tukaani.org/xz-backdoor/}{\ttfamily\seqsplit{https://tukaani.org/xz-backdoor/}} + \item \href{https://www.openwall.com/lists/oss-security/2024/03/29/4}{\ttfamily\seqsplit{https://www.openwall.com/lists/oss-security/2024/03/29/4}} + \item \href{https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27}{\ttfamily\seqsplit{https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27}} + \item \href{https://www.theregister.com/2024/03/29/malicious_backdoor_xz/}{\ttfamily\seqsplit{https://www.theregister.com/2024/03/29/malicious\_backdoor\_xz/}} + \item \href{https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b}{\ttfamily\seqsplit{https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b}} + \end{prettyitemize} +\end{frame} + +\begin{frame}{Credits} + \begin{center} + Thank you for your attention :) + \end{center} + + And thanks to the graphics folks… + \begin{prettyitemize} + \item XZ logo — \st{Copyright (C) 2023 Jia Tan} made by haxxors behind the + backdoor, distributed under the + \href{https://creativecommons.org/licenses/by-sa/4.0/}{CC-BY-SA-4.0} license + \item Awesome ``emoji'' — by Openclipart user rones, uploaded 2011 (released + into public domain with + \href{https://creativecommons.org/publicdomain/zero/1.0/legalcode.en}{CC + Zero v1.0}) + \item the original Autotools diagram — Copyright (C) 2001-2024 Gentoo Authors, + distributed under the + \href{https://creativecommons.org/licenses/by-sa/4.0/}{CC-BY-SA-4.0} + license + \item Virus image — by Openclipart user utrescu, uploaded 2012 (released into + public domain with + \href{https://creativecommons.org/publicdomain/zero/1.0/legalcode.en}{CC + Zero v1.0}) + \end{prettyitemize} +\end{frame} + +\end{document} 
diff --git a/openssh-exploitation.svg b/openssh-exploitation.svg new file mode 100644 index 0000000..2fd8c77 --- /dev/null +++ b/openssh-exploitation.svg @@ -0,0 +1,370 @@ + + + +compromised hostmalicious commandconnect, negotiate parametersextract payloadcallhookRSA_public_decrypt()send RSA "key" with payloadOpenSSH processliblzmaexecute payload diff --git a/screenshots/andres-mastodon.png b/screenshots/andres-mastodon.png new file mode 100644 index 0000000..7396cae Binary files /dev/null and b/screenshots/andres-mastodon.png differ diff --git a/screenshots/lasse-cleanup-commit.png b/screenshots/lasse-cleanup-commit.png new file mode 100644 index 0000000..798a68a Binary files /dev/null and b/screenshots/lasse-cleanup-commit.png differ diff --git a/screenshots/news-theregister.png b/screenshots/news-theregister.png new file mode 100644 index 0000000..8d9e873 Binary files /dev/null and b/screenshots/news-theregister.png differ diff --git a/screenshots/reactions-cisa.png b/screenshots/reactions-cisa.png new file mode 100644 index 0000000..45b1d42 Binary files /dev/null and b/screenshots/reactions-cisa.png differ diff --git a/screenshots/reactions-dsa.png b/screenshots/reactions-dsa.png new file mode 100644 index 0000000..23dc0f6 Binary files /dev/null and b/screenshots/reactions-dsa.png differ diff --git a/screenshots/reactions-fedora.png b/screenshots/reactions-fedora.png new file mode 100644 index 0000000..41c7400 Binary files /dev/null and b/screenshots/reactions-fedora.png differ diff --git a/screenshots/reactions-gentoo.png b/screenshots/reactions-gentoo.png new file mode 100644 index 0000000..0beaca6 Binary files /dev/null and b/screenshots/reactions-gentoo.png differ diff --git a/screenshots/reactions-kali.png b/screenshots/reactions-kali.png new file mode 100644 index 0000000..89117d1 Binary files /dev/null and b/screenshots/reactions-kali.png differ 
diff --git a/screenshots/reactions-microsoft.png b/screenshots/reactions-microsoft.png new file mode 100644 index 0000000..be8db38 Binary files /dev/null and b/screenshots/reactions-microsoft.png differ diff --git a/screenshots/reactions-opensuse.png b/screenshots/reactions-opensuse.png new file mode 100644 index 0000000..ebca94e Binary files /dev/null and b/screenshots/reactions-opensuse.png differ diff --git a/screenshots/reactions-ubuntu.png b/screenshots/reactions-ubuntu.png new file mode 100644 index 0000000..16975df Binary files /dev/null and b/screenshots/reactions-ubuntu.png differ diff --git a/target-audience-distros.svg b/target-audience-distros.svg new file mode 100644 index 0000000..bea9c48 --- /dev/null +++ b/target-audience-distros.svg @@ -0,0 +1,142 @@ + + + + diff --git a/timeline.svg b/timeline.svg new file mode 100644 index 0000000..b42acdb --- /dev/null +++ b/timeline.svg @@ -0,0 +1,420 @@ + + + +November 2021January 2022April 2022May 2023February 24March 9March 29April 9GitHub user JiaT75 createdFirst xz contributionstrangers start criticizing Lasse on the mailing listJia gets direct git accessJia signs a release for the first timeXZ Utils 5.6 releasedbackdoor got publicxz again on GitHubXZ Utils 5.6.1 releasedDecember 2022 diff --git a/xz-logo.png b/xz-logo.png new file mode 100644 index 0000000..718fda6 Binary files /dev/null and b/xz-logo.png differ diff --git a/xz-logo.png.license b/xz-logo.png.license new file mode 100644 index 0000000..ef6e209 --- /dev/null +++ b/xz-logo.png.license @@ -0,0 +1,3 @@ +SPDX-License-Identifier: CC-BY-SA-4.0 + +Copyright (C) 2023 Jia Tan -- cgit v1.2.3
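Review bot: in the Makefile hunk, `incident-response-xz.pdf: $(GRAPHICS) screenshots` lists the `screenshots` directory as a prerequisite, and a directory's mtime changes only when entries are added or removed, so replacing an existing PNG in place will not trigger a rebuild; `$(wildcard screenshots/*.png)` would track the files themselves. The `.tex.pdf:` rule also runs `pdflatex --shell-escape $<` a single time, but beamer's navigation and outline files (`.nav`, `.toc`) are only current after a second pass, so run pdflatex twice or drive the build with latexmk. Finally, `--shell-escape` lets the .tex source execute arbitrary shell commands during compilation; it is required here because the svg package shells out to inkscape, and a one-line comment saying so would tell a future reader why it is enabled and that the document source must be trusted.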
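Review bot: both `.svg.license` hunks write the expression as `CC-BY-SA-4.0 and CC0-1.0` with a lowercase operator; SPDX license expressions spell it `AND`, and while some REUSE tooling tolerates the lowercase form, the canonical spelling avoids a lint failure later.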
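Review bot: in the incident-response-xz.tex hunk the dates for Lasse's GitHub unban disagree: the Timeline speaker note says "April 9 — Larhzu unbanned on GitHub, starts cleaning up the GitHub project", while the "Lasse Collin's xz repo cleanup" note says he was unbanned on April 2 and the repo was cleaned up and reinstated on April 9. Settle on one date for the unban in both notes; the timeline.svg hunk labels April 9 as "xz again on GitHub", which matches the second version.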
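Review bot: in the "Backdoor exploiting" speaker note of incident-response-xz.tex, "theoretically, others could exploit this attack as well" comes two lines after "backdoor checks for a specific key", which reads as a contradiction: if the payload must be accepted under a specific attacker-controlled key, a third party cannot trigger the backdoor without that key, so the note should state the condition under which others could (for example, that key becoming known) or drop the line. In the Debian note, "lexicographically greater" is not how dpkg orders versions (numeric runs are compared numerically, and `~` and `+` have their own rules), so "sorts higher under dpkg's version comparison" is the accurate phrasing; also verify the quoted suffix `+really-5.4.5-1` against the advisory shown in reactions-dsa.png. The attribution guesses in the repo-cleanup note (Russian, Iranian or US agency) have no source among the References; mark them as speculation or cite where the timezone analysis comes from.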
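Review bot: the speaker notes in incident-response-xz.tex are rendered because of `\setbeameroption{show notes}`, so their typos will be visible: "discorved", "backdor", "to ba fake", "targetted", "Miscosoft", "revertion", "Jia'a", "clearle", "not know for involovement". The Lessons Learned frame writes "openSSH" where every other frame uses "OpenSSH", the italic IFUNC definition on the "Backdoor loading" frame is a verbatim quotation with no source on the slide or the References frame, and the Timeline note still contains a to-do ("maybe explain what tarball signing is") that should be resolved or removed before presenting.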