Open Source Supply Chain Attack: The xz Backdoor Incident

2025-03-22

In March 2024, a backdoor was discovered in xz, a widely used compression library and toolset. A maintainer operating under the pseudonym Jia Tan had spent roughly two years earning commit access and trust in the project before shipping the backdoor in the 5.6.0 and 5.6.1 releases. On machines whose OpenSSH server loaded liblzma (directly or through libsystemd), the backdoor let an attacker holding a specific private key execute commands during the SSH key-authentication step, before any normal authentication succeeded. Its discovery was accidental: a PostgreSQL developer investigating unrelated performance anomalies noticed that sshd was consuming far more CPU than it should. This article details the backdoor's mechanics and proposes build reproducibility as a detection mechanism. The backdoor worked in two stages: a modified build script, present in the maintainer-provided release tarball but not in the git repository, extracted a malicious object file hidden in the test data and linked it into liblzma; that object then used glibc's ifunc (indirect function) resolver mechanism to hook OpenSSL's RSA_public_decrypt as called by sshd. The author advocates building software from trusted sources and leveraging build reproducibility to strengthen software supply chain security, for example by comparing the tree of a GitHub release tag with the maintainer-provided tarball, and by checking that binaries built from different sources are byte-for-byte identical.
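The two checks described above (tarball versus git tree, and build output versus build output) reduce to the same operation: walk two directory trees and report every path that exists in only one of them or differs in content. The script below is an added example, not code from the original article or from the xz project; it runs on constructed sample trees created by `make_sample`, in which a file named `m4/build-to-host.m4` is altered in the "tarball" copy and an extra `m4/extra.m4` exists only there. The file names in the sample are chosen to mirror the shape of the real incident, where the release tarball's build macro differed from the git tree, but their contents are invented for the demo. It assumes POSIX `find`, `sort`, `cmp`, and `mktemp`.

```shell
#!/bin/sh
# Added example: detect divergence between two source (or build output)
# trees. Paths are reported relative to each root, prefixed with "./".
set -u

# compare_trees LEFT_DIR RIGHT_DIR
# Prints one line per divergent path: ONLY_IN_LEFT, ONLY_IN_RIGHT, or
# MODIFIED. Prints nothing when the trees are identical. For the
# tarball check, LEFT is the git tree and RIGHT is the extracted tarball;
# for the reproducibility check, LEFT and RIGHT are two independent builds.
compare_trees() {
    left=$1
    right=$2
    { (cd "$left" && find . -type f); (cd "$right" && find . -type f); } \
        | sort -u | while IFS= read -r rel; do
        if [ ! -e "$left/$rel" ]; then
            printf 'ONLY_IN_RIGHT %s\n' "$rel"
        elif [ ! -e "$right/$rel" ]; then
            printf 'ONLY_IN_LEFT %s\n' "$rel"
        elif ! cmp -s "$left/$rel" "$right/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done
}

# trees_match LEFT_DIR RIGHT_DIR: succeeds only when compare_trees is silent.
trees_match() {
    [ -z "$(compare_trees "$1" "$2")" ]
}

# make_sample: build constructed "git" and "tarball" trees under a temp
# dir and print the temp dir path. Sample contents are invented.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/git/m4" "$root/tarball/m4"
    # Legitimate file, identical in both trees.
    printf 'AC_INIT([demo], [1.0])\n' > "$root/git/configure.ac"
    cp "$root/git/configure.ac" "$root/tarball/configure.ac"
    # Build macro present in both, but altered only in the tarball.
    printf 'AC_DEFUN([DEMO_HOST], [])\n' > "$root/git/m4/build-to-host.m4"
    printf 'AC_DEFUN([DEMO_HOST], [echo injected])\n' \
        > "$root/tarball/m4/build-to-host.m4"
    # File that exists only in the tarball.
    printf 'AC_DEFUN([DEMO_EXTRA], [])\n' > "$root/tarball/m4/extra.m4"
    printf '%s\n' "$root"
}

# demo: run the comparison on the constructed sample and print the report.
demo() {
    root=$(make_sample)
    echo "Comparing $root/git (git tree) with $root/tarball (tarball):"
    compare_trees "$root/git" "$root/tarball"
    if trees_match "$root/git" "$root/tarball"; then
        echo "RESULT: trees match"
    else
        echo "RESULT: trees diverge, inspect the tarball before building"
    fi
    rm -rf "$root"
}

# Run as: sh compare_trees.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Running the demo reports `MODIFIED ./m4/build-to-host.m4` and `ONLY_IN_RIGHT ./m4/extra.m4`; in practice the left tree would come from `git archive` at the release tag and the right tree from the downloaded tarball, and any line of output is a reason to stop and read the differing file before building.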

(luj.fr)