RSAS: liblzma SSH backdoor status - unaffected


Albert Santoni

Mar 30, 2024, 12:15:46 AM
to rsas-a...@googlegroups.com
Hi all,

We've been closely following the situation regarding the SSH backdoor discovered in XZ Utils / liblzma, as this is a significant supply chain issue that has the potential for a wide impact on the software ecosystem. RSAS is unaffected by the scope of the security issue known to date.

For more information on the liblzma vulnerability, please see:
https://www.openwall.com/lists/oss-security/2024/03/29/4

liblzma 5.4.4 was introduced as a transitive dependency in RSAS 1.0.5alpha1, with the backdoor appearing only in liblzma 5.6.0 and 5.6.1. However, out of an abundance of caution, we have removed the liblzma dependency altogether and published RSAS 1.0.5 final release builds earlier than planned. The threat actor appears to have been involved in the liblzma project at the time of the liblzma 5.4.4 release, so we do not trust the source, even though that version is not known to be compromised.

For transparency, the SHA512 hash of the liblzma 5.4.4 tarball (released Aug 2, 2023) used in the build process of the 1.0.5 alpha releases was: c28461123562564e030f3f733f078bc4c840e87598d9f4b718d4bca639120d8133f969c45d7bdc62f33f081d789ec0f14a1791fb7da18515682bfe3c0c7362e0

On Windows, RSAS <= 1.0.4 shipped with an unused lzma.dll, which will be removed by installing RSAS 1.0.5.

A full changelog and release announcement for RSAS 1.0.5 will follow in the coming days. Coincidentally, significant work went into upgrading our dependencies and build system, which helped identify the transitive dependency.

If you have any questions or concerns, please let me know.

Thanks,
Albert

P.S. If you're interested in an SBOM for RSAS, please get in touch.



--
Albert Santoni (he/him)
Founder, Radio Mast | Oscillicious
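As an added example (not part of Albert's message or the RSAS project), the checks a downstream maintainer would run on a vendored liblzma tarball after reading the note above: verify the tarball's SHA512 against the hash Albert published, and flag the two liblzma versions the message names as backdoored. The pinned hash and the version set are copied from the message; the `xz --version` output format parsed by `liblzma_version_from_xz_output` and the sample text fed to it are assumptions, and the `assess_tarball` function, its argument handling and the script name are illustrative choices of this example.

```python
# Added example, not RSAS project code: verify a liblzma tarball against the
# SHA512 pinned in the announcement and flag the backdoored liblzma versions.
import hashlib
import hmac
import re
import sys

# SHA512 of the liblzma 5.4.4 tarball, copied from the announcement.
PINNED_LIBLZMA_5_4_4_SHA512 = (
    "c28461123562564e030f3f733f078bc4c840e87598d9f4b718d4bca639120d81"
    "33f969c45d7bdc62f33f081d789ec0f14a1791fb7da18515682bfe3c0c7362e0"
)

# liblzma releases the announcement identifies as carrying the backdoor.
BACKDOORED_VERSIONS = frozenset({"5.6.0", "5.6.1"})

# Constructed sample of `xz --version` output (assumed two-line format).
SAMPLE_XZ_VERSION_OUTPUT = "xz (XZ Utils) 5.4.4\nliblzma 5.4.4\n"


def sha512_of_bytes(data: bytes) -> str:
    """Hex SHA512 digest of an in-memory buffer."""
    return hashlib.sha512(data).hexdigest()


def sha512_of_file(path: str) -> str:
    """Hex SHA512 digest of a file, streamed so a large tarball is not read into RAM."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_pinned_hash(actual_hex: str,
                        expected_hex: str = PINNED_LIBLZMA_5_4_4_SHA512) -> bool:
    """Constant-time digest comparison; wrong-length input is rejected outright."""
    if len(actual_hex) != 128 or len(expected_hex) != 128:
        return False
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def is_backdoored_version(version: str) -> bool:
    """True for the liblzma versions the announcement names as backdoored."""
    return version.strip() in BACKDOORED_VERSIONS


_LIBLZMA_LINE = re.compile(r"^liblzma\s+(\d+\.\d+\.\d+)", re.MULTILINE)


def liblzma_version_from_xz_output(text: str):
    """Extract the liblzma version from `xz --version` output; None if absent."""
    m = _LIBLZMA_LINE.search(text)
    return m.group(1) if m else None


def assess_tarball(path: str, version: str) -> dict:
    """Run both checks on a vendored tarball and return a small report."""
    digest = sha512_of_file(path)
    return {
        "sha512": digest,
        "hash_matches_pinned": matches_pinned_hash(digest),
        "version_backdoored": is_backdoored_version(version),
    }


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_liblzma.py xz-5.4.4.tar.gz 5.4.4
    report = assess_tarball(sys.argv[1], sys.argv[2])
    for key, value in report.items():
        print(f"{key}: {value}")
    ok = report["hash_matches_pinned"] and not report["version_backdoored"]
    sys.exit(0 if ok else 1)
```

A hash match only confirms the tarball is the same artifact Albert's build used; as the message itself says, that version is not known to be compromised but the source is no longer trusted, so a passing check is a reason to remove the dependency on schedule rather than keep it.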