Some fascinating details about the xz vulnerability

The recently found vulnerability in the xz library (CVE-2024-3094, a backdoor in liblzma 5.6.0 and 5.6.1) has a really interesting backstory. For starters, it was only discovered because one diligent software engineer (Andres Freund, a PostgreSQL developer) noticed that SSH logins were taking about 500 ms longer, and using noticeably more CPU, than they had with earlier versions of the library. That's half a second! Not the kind of delay most people would even notice.

Someone with much more expertise than I did some digging, and whoever inserted the back door (likely a group rather than an individual) was both careful and extremely patient. The groundwork was laid from late 2021 through 2022, when certain new contributors, chief among them an account calling itself "Jia Tan", ingratiated themselves with the one poor sod who was maintaining this library (Lasse Collin). Said fellow had said on the project's mailing list that he was struggling and had little time, and probably appreciated the help. By 2023 the newcomer had commit access and was co-maintaining the project.

Anyway, the back door was introduced bit by bit rather than in one obviously malicious commit. The payload was hidden inside two binary "test" files checked into the repository (tests/files/bad-3-corrupt_lzma2.xz and tests/files/good-large_compressed.lzma), and the release tarball, but not the git tree, carried a modified m4/build-to-host.m4 that extracted and compiled it into liblzma during the build. Along the way, safeguards that might have exposed it were quietly weakened: the project's oss-fuzz configuration was changed to stop exercising the ifunc mechanism the hook relied on, and a Landlock sandbox check in the CMake build was broken by a stray character so it always failed. You can read the whole story here: Everything I Know About The xz Backdoor (Evan Boehs).
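One check that falls straight out of this story: the loader shipped in the tarball but was never committed to git, so comparing a release tarball against the tagged source tree is worth automating. Below is an added example, written for this page and not taken from the original post or from the xz project, that does that for two already-extracted directory trees. The directory names and file contents used to exercise it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the xz project.
# Compare an extracted release tarball against a checkout of the matching
# git tag and report (a) files that exist only in the tarball and (b) files
# present in both whose bytes differ. The xz 5.6.x loader lived in a modified
# m4/build-to-host.m4 that shipped in the tarball but was never committed,
# which is exactly what list (a) would have surfaced.
# Directory layouts and file contents used to exercise this are constructed.

# list_files DIR: relative paths of regular files under DIR, in C-locale order
# so that the two lists can be fed to comm(1).
list_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort )
}

# tarball_only GIT_TREE TAR_TREE: paths present in TAR_TREE but not in GIT_TREE.
# Temporary files are used instead of process substitution to stay POSIX sh.
tarball_only() {
    git_list=$(mktemp) || return 1
    tar_list=$(mktemp) || return 1
    list_files "$1" > "$git_list"
    list_files "$2" > "$tar_list"
    LC_ALL=C comm -13 "$git_list" "$tar_list"
    rm -f "$git_list" "$tar_list"
}

# changed_files GIT_TREE TAR_TREE: paths present in both trees whose contents
# differ (cmp -s compares bytes and is quiet, so binary test files are fine).
changed_files() {
    list_files "$1" | while IFS= read -r path; do
        if [ -f "$2/$path" ] && ! cmp -s "$1/$path" "$2/$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# audit_release GIT_TREE TAR_TREE: print both reports and return 1 if either
# is non-empty, so the function can gate a build step.
audit_release() {
    only=$(tarball_only "$1" "$2")
    changed=$(changed_files "$1" "$2")
    if [ -n "$only" ]; then
        printf 'Only in tarball:\n%s\n' "$only"
    fi
    if [ -n "$changed" ]; then
        printf 'Differ from git:\n%s\n' "$changed"
    fi
    [ -z "$only$changed" ]
}

# Usage: audit_release /path/to/git-checkout /path/to/extracted-tarball
if [ "$#" -eq 2 ]; then
    audit_release "$1" "$2"
fi
```

Generated autotools files (configure, Makefile.in, most of m4/) are expected to show up as tarball-only, so the first list is a review aid rather than an alarm by itself; running autoreconf on the git checkout and comparing the tarball against that regenerated tree narrows the list to what a human actually has to read. The point of the check is that distributions built from the tarball, not from git, so a review of the commit history alone would not have shown the difference.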

I'm reminded of the XKCD comic "Dependency":

[Image: XKCD "Dependency", a tower labelled "all modern digital infrastructure" balanced on "a project some random person in Nebraska has been thanklessly maintaining since 2003"]

It does amaze me how many systems, both open source and commercial, depend on small libraries, some of which are little more than a hobby for a curious developer. And then issues are sometimes discovered by pure chance!

This is not the first time something like this has happened. Back in 2016, a developer brought down chunks of the web by unpublishing left-pad from NPM, a package whose whole job was to pad the start of a string. All of 11 lines!

Perhaps companies that rely on open source, non-commercial libraries should think about devoting some small part of their developer and testing resources to contributing to those projects. It might prevent back doors like this one from appearing in commonly used code in the future!
