
Looks like one of the backdoor authors even went and disabled the feature the exploit relied on directly on oss-fuzz to prevent accidental discovery: https://social.treehouse.systems/@Aissen/112180302735030319 https://github.com/google/oss-fuzz/pull/10667

But luckily there was some serendipity: "I accidentally found a security issue while benchmarking postgres changes." https://mastodon.social/@AndresFreundTec/112180083704606941



This is getting addressed here: https://github.com/google/oss-fuzz/issues/11760


This in and of itself can be legitimate. ifunc has real uses, and it indeed does not work when a sanitizer is enabled. A similar change in llvm: https://github.com/llvm/llvm-project/commit/1ef3de6b09f6b21a...
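An added example, not from the thread or from the oss-fuzz, llvm or xz projects, of the kind of legitimate ifunc use the comment refers to: a CPU-dispatched bit counter under GCC on Linux/glibc (every name in it is made up for the illustration). The resolver runs while the loader processes relocations, before main() and before any sanitizer runtime has initialized, which is the reason sanitizer builds and ifunc do not mix.

```c
/* Added example, not from the thread: a minimal GNU ifunc (GCC on Linux/glibc). */
#include <stddef.h>
#include <stdint.h>
#if defined(__x86_64__) || defined(__i386__)
#define HW_TARGET __attribute__((target("popcnt")))
#else
#define HW_TARGET
#endif
typedef unsigned (*popcount_fn)(const uint8_t *, size_t);

/* Portable implementation: count set bits one byte at a time. */
static unsigned popcount_buf_generic(const uint8_t *p, size_t n)
{
    unsigned bits = 0;
    for (size_t i = 0; i < n; i++)
        for (uint8_t b = p[i]; b; b >>= 1)
            bits += b & 1u;
    return bits;
}

/* Hardware-assisted implementation: on x86 the target attribute lets GCC emit POPCNT. */
HW_TARGET static unsigned popcount_buf_hw(const uint8_t *p, size_t n)
{
    unsigned bits = 0;
    for (size_t i = 0; i < n; i++)
        bits += (unsigned)__builtin_popcount(p[i]);
    return bits;
}

/* Resolver: run once by the loader while relocations are processed, before main()
 * and before any sanitizer runtime exists; its return value lands in the GOT slot
 * for popcount_buf. Keep it tiny: no malloc, no I/O, nothing an interceptor hooks. */
static popcount_fn resolve_popcount_buf(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __builtin_cpu_init();
    if (__builtin_cpu_supports("popcnt"))
        return popcount_buf_hw;
#endif
    return popcount_buf_generic;
}

/* The public symbol is an indirect function bound to the resolver above. */
unsigned popcount_buf(const uint8_t *p, size_t n) __attribute__((ifunc("resolve_popcount_buf")));
/* Constructed sample: 0xFF, 0x00, 0x0F, 0x81 -> 8 + 0 + 4 + 2 = 14 set bits. */
static const uint8_t sample_bytes[4] = {0xFF, 0x00, 0x0F, 0x81};
unsigned sample_popcount(void) { return popcount_buf(sample_bytes, sizeof sample_bytes); }
/* Which implementation the resolver picks on this CPU ("hw" or "generic"). */
const char *chosen_impl(void) { return resolve_popcount_buf() == popcount_buf_hw ? "hw" : "generic"; }
```

Building the same file with -fsanitize=address is the quickest way to see the conflict the comment describes: the instrumented resolver runs before ASan's shadow memory exists.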


Because of the exploit. So why should we use configurations in production that were not covered by these tests?


Could that commit also be made by a bad actor?


And that was in mid-2023. Very funny that Wikipedia on this issue says

> It is unknown whether this backdoor was intentionally placed by a maintainer or whether a maintainer was compromised

Yeah, if you've been compromised for a year, your attacker is now your identity. Can't just wave hands; practice infosec hygiene.
