Conclusions from CVE-2024-3094 (libxz disaster)

Andre Heider a.heider at
Wed Apr 3 03:34:01 PDT 2024

On 03/04/2024 2:11 am, Daniel Golle wrote:
> ... and that crazy m4 script had to be noticed. As a diff one would ask:
> Why was that change necessary?

While I agree with most of your points, I couldn't disagree more with 
the "had to be noticed" part :P

I occasionally skim over treewide diffs. When I do, and there're like 
(exaggerating to illustrate my point) tens of thousand of lines of 
autohell crap in there, I skip that eye cancer part for sanity reasons.

So in that regard, the buildsystem part of this backdoor was a smart 
choice. The chances of anybody looking closely at that is tiny. You 
would need to another reason to get that masochistic. And that is what 
happened here: the bad actor dared to slow down postgresql.

This disaster exposes multiple problems. In my mind, autotools is one of 
them. But this isn't supposed to be yet another X or Y is better than 
autotools argument, my point is that the sheer amount of bundled build 
system code enlarges the attack surface by a significant degree. The 
chances of spotting the equivalent in e.g. a or 
CMakeLists.txt file are way higher.


More information about the openwrt-adm mailing list