Revisions
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -317,7 +317,7 @@ This is for linking to interesting general discussions, rather than specific cha ### Response to questions * A few people have asked why Jia Tan followed me (@thesamesam) on GitHub. #tukaani was a small community on IRC before this kicked off (~10 people, currently has ~350). I've been in #tukaani for a few years now. When the move from self-hosted infra to github was being planned and implemented, I was around and starred & followed the new Tukaani org pretty quickly. * I'm referenced in one of the [commits](https://git.tukaani.org/?p=xz.git;a=commit;h=72d2933bfae514e0dbb123488e9f1eb7cf64175f) in the original oss-security post that works around noise from the IFUNC resolver. This was a legitimate issue which applies to IFUNC resolvers in general. The GCC bug it led to ([PR114115](https://gcc.gnu.org/PR114115) remains open and has a patch pending from a GCC developer. * On reflection, there may have been a missed opportunity as maybe I should have looked into why I couldn't hit the reported Valgrind problems from Fedora on Gentoo, but this isn't the place for my own reflections nor is it IMO the time yet.
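Review bot: the parenthesis opened before `[PR114115](https://gcc.gnu.org/PR114115)` in the second bullet is never closed, so the rendered sentence reads "The GCC bug it led to (PR114115 remains open and has a patch pending..."; suggest `The GCC bug it led to ([PR114115](https://gcc.gnu.org/PR114115)) remains open and has a patch pending from a GCC developer.` This typo has been carried through every revision of the "Response to questions" section on this page.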
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 0 deletions.
@@ -320,6 +320,7 @@ This is for linking to interesting general discussions, rather than specific cha * A few people have asked why Jia Tan followed me (@thesamesam) on GitHub. #tukaani was a small community on IRC before this kicked off. I've been in #tukaani for a few years now. When the move from self-hosted infra to github was being planned and implemented, I was around and starred & followed the new Tukaani org pretty quickly. * I'm referenced in one of the [commits](https://git.tukaani.org/?p=xz.git;a=commit;h=72d2933bfae514e0dbb123488e9f1eb7cf64175f) in the original oss-security post that works around noise from the IFUNC resolver. This was a legitimate issue which applies to IFUNC resolvers in general. The GCC bug it led to ([PR114115](https://gcc.gnu.org/PR114115) remains open and has a patch pending from a GCC developer. * On reflection, there may have been a missed opportunity as maybe I should have looked into why I couldn't hit the reported Valgrind problems from Fedora on Gentoo, but this isn't the place for my own reflections nor is it IMO the time yet. ### TODO for this doc
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -319,7 +319,7 @@ This is for linking to interesting general discussions, rather than specific cha * A few people have asked why Jia Tan followed me (@thesamesam) on GitHub. #tukaani was a small community on IRC before this kicked off. I've been in #tukaani for a few years now. When the move from self-hosted infra to github was being planned and implemented, I was around and starred & followed the new Tukaani org pretty quickly. * I'm referenced in one of the [commits](https://git.tukaani.org/?p=xz.git;a=commit;h=72d2933bfae514e0dbb123488e9f1eb7cf64175f) in the original oss-security post that works around noise from the IFUNC resolver. This was a legitimate issue which applies to IFUNC resolvers in general. The GCC bug it led to ([PR114115](https://gcc.gnu.org/PR114115) remains open and has a patch pending from a GCC developer. ### TODO for this doc
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 6 additions and 0 deletions.
@@ -315,6 +315,12 @@ This is for linking to interesting general discussions, rather than specific cha ## Meta ### Response to questions * A few people have asked why Jia Tan followed me (@thesamesam) on GitHub. #tukaani was a small community on IRC before this kicked off. I've been in #tukaani for a few years now. When the move from self-hosted infra to github was being planned and implemented, I was around and starred & followed the new Tukaani org pretty quickly. * I'm referenced in one of the [commits]([72d2933bfae514e0dbb123488e9f1eb7cf64175f](https://git.tukaani.org/?p=xz.git;a=commit;h=72d2933bfae514e0dbb123488e9f1eb7cf64175f)) in the original oss-security post that works around noise from the IFUNC resolver. This was a legitimate issue which applies to IFUNC resolvers in general. The GCC bug it led to ([PR114115](https://gcc.gnu.org/PR114115) remains open and has a patch pending from a GCC developer. ### TODO for this doc * Add a table of releases + signer?
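Review bot: the commit reference nests one markdown link inside another, `[commits]([72d2933bfae514e0dbb123488e9f1eb7cf64175f](https://git.tukaani.org/?p=xz.git;a=commit;h=72d2933bfae514e0dbb123488e9f1eb7cf64175f))`, which is not valid link syntax and will render the literal hash and parentheses as text; suggest a single link, `[commits](https://git.tukaani.org/?p=xz.git;a=commit;h=72d2933bfae514e0dbb123488e9f1eb7cf64175f)`, which is the form the next revision on this page switches to.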
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 4 additions and 2 deletions.
@@ -313,14 +313,16 @@ This is for linking to interesting general discussions, rather than specific cha * Xe Iaso who resummarized this page for readability. * Everybody who has provided me tips privately, in #tukaani, or in comments on this gist. ## Meta ### TODO for this doc * Add a table of releases + signer? * Include the injection script after the macro * Mention detection? * Explain the bug-autoconf thing maybe wrt serial ### TODO overall Anyone can and should work on these. I'm just listing them so people have a rough idea of what's left.
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 2 additions and 0 deletions.
@@ -296,6 +296,8 @@ This is for suggesting specific changes which are being considered as a result o * systemd: [Reduce dependencies of libsystemd](https://github.com/systemd/systemd/issues/32028) * _Note_: There was prior work already on this in e.g. https://github.com/systemd/systemd/pull/31550. Solar Designer [suggested](https://openwall.com/lists/oss-security/2024/03/31/9) this _may_ have caused acceleration of plans to backdoor xz, as the systemd changes had not yet landed in a release. (I saw this mentioned in a few places, IIRC.) * groff: [[PATCH] Distribute bootstrap and bootstrap.conf](https://lists.gnu.org/archive/html/groff/2024-03/msg00211.html) * GNU binutils: [Remove dependency on libjansson](https://inbox.sourceware.org/binutils/CACKH++ZCwhA9n9GfsWPmBQgsSrvfeOpLha0=UCpHzPDD8vQpNQ@mail.gmail.com/T/#u) * This is being proposed by @rui314, the maintainer of mold. Rui also wrote about the risks to linkers in https://x.com/rui314/status/1774286434335338965. ## Discussions in the wake of this
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 9 additions and 9 deletions.
@@ -1,5 +1,14 @@ # FAQ on the xz-utils backdoor This is still a new situation. There is a lot we don't know. We don't know if there are more possible exploit paths. We only know about this one path. Please update your systems regardless. Unknown unknowns are safer than known unknowns. This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't know much about what's going on. ## Background On March 29th, 2024, a backdoor was discovered in @@ -50,15 +59,6 @@ update, please see [this article](https://xeiaso.net/notes/2024/xz-vuln/) or check the [xz-utils page on Repology](https://repology.org/project/xz/versions). This is not a fault of sshd, systemd, or glibc, that is just how it was made exploitable.
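Review bot: in the new preamble, `but like I just said; we don't know much about what's going on` uses a semicolon where a comma belongs, since `like I just said` is not an independent clause; suggest `but, like I just said, we don't know much about what's going on`. In the same paragraph `made in good faith of being accurate` reads awkwardly; `written in good faith and believed to be accurate` says the same thing more plainly.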
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 0 deletions.
@@ -295,6 +295,7 @@ This is for suggesting specific changes which are being considered as a result o * bug-autoconf: [autoreconf --force seemingly does not forcibly update everything](https://lists.gnu.org/archive/html/bug-autoconf/2024-03/msg00000.html) * systemd: [Reduce dependencies of libsystemd](https://github.com/systemd/systemd/issues/32028) * _Note_: There was prior work already on this in e.g. https://github.com/systemd/systemd/pull/31550. Solar Designer [suggested](https://openwall.com/lists/oss-security/2024/03/31/9) this _may_ have caused acceleration of plans to backdoor xz, as the systemd changes had not yet landed in a release. (I saw this mentioned in a few places, IIRC.) * groff: [[PATCH] Distribute bootstrap and bootstrap.conf](https://lists.gnu.org/archive/html/groff/2024-03/msg00211.html) ## Discussions in the wake of this
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -329,7 +329,7 @@ Anyone can and should work on these. I'm just listing them so people have a roug * Checking other projects for similar injection mechanisms (e.g. similar build system lines) * ??? ## References and other reading material * https://lwn.net/Articles/967180/ * https://www.openwall.com/lists/oss-security/2024/03/29/4
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 0 additions and 1 deletion.
@@ -296,7 +296,6 @@ This is for suggesting specific changes which are being considered as a result o * systemd: [Reduce dependencies of libsystemd](https://github.com/systemd/systemd/issues/32028) * _Note_: There was prior work already on this in e.g. https://github.com/systemd/systemd/pull/31550. Solar Designer [suggested](https://openwall.com/lists/oss-security/2024/03/31/9) this _may_ have caused acceleration of plans to backdoor xz, as the systemd changes had not yet landed in a release. (I saw this mentioned in a few places, IIRC.) ## Discussions in the wake of this This is for linking to interesting general discussions, rather than specific changes being suggested (see above).
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 9 additions and 0 deletions.
@@ -289,10 +289,19 @@ There are concerns some other projects are affected (either by themselves or cha ## Tangential efforts as a result of this incident This is for suggesting specific changes which are being considered as a result of this. * CMake: [Consider hardening check_c_source_compiles](https://gitlab.kitware.com/cmake/cmake/-/issues/25846) - [MR](https://gitlab.kitware.com/cmake/cmake/-/merge_requests/9391) * bug-autoconf: [autoreconf --force seemingly does not forcibly update everything](https://lists.gnu.org/archive/html/bug-autoconf/2024-03/msg00000.html) * systemd: [Reduce dependencies of libsystemd](https://github.com/systemd/systemd/issues/32028) * _Note_: There was prior work already on this in e.g. https://github.com/systemd/systemd/pull/31550. Solar Designer [suggested](https://openwall.com/lists/oss-security/2024/03/31/9) this _may_ have caused acceleration of plans to backdoor xz, as the systemd changes had not yet landed in a release. (I saw this mentioned in a few places, IIRC.) ## Discussions in the wake of this This is for linking to interesting general discussions, rather than specific changes being suggested (see above). * automake: [GNU Coding Standards, automake, and the recent xz-utils backdoor](https://lists.gnu.org/archive/html/automake/2024-03/msg00007.html) * fedora-devel: [Three steps we could take to make supply chain attacks a bit harder](https://lists.fedoraproject.org/archives/list/[email protected]/thread/YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV/) ## Acknowledgements
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 2 additions and 2 deletions.
@@ -263,10 +263,10 @@ to analyse the situation carefully. This is the part which is very much in flux, even compared to the rest of this. It's early days yet. * [xz/liblzma: Bash-stage Obfuscation Explained by @gynvael](https://gynvael.coldwind.pl/?lang=en&id=782) * [Filippo Valsorda's bluesky thread](https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b) * [XZ Backdoor Analysis by @smx-smx (WIP)](https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504) * [xz backdoor documentation wiki by @Midar et. al](https://github.com/Midar/xz-backdoor-documentation/wiki) * [modify_ssh_rsa_pubkey.py by @keeganryan](https://gist.github.com/keeganryan/a6c22e1045e67c17e88a606dfdf95ae4) - script to trigger more parts of the payload in a compromised `sshd` ## Other projects
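Review bot: `@Midar et. al` in the wiki link text should be `@Midar et al.` (the abbreviation is of "et alii", so the period belongs after "al", not "et"). The Bluesky link in this hunk switches from the `did:plc:` profile form to nothing more readable; it resolves, but the handle form used in the later analysis bullet (`filippo.abyssdomain.expert`) would be easier for readers to recognise.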
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 3 additions and 0 deletions.
@@ -229,6 +229,9 @@ things we know: * Jia Tan's [328c52da8a2bbb81307644efdb58db2c422d9ba7](https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7) commit contained a `.` in the CMake check for landlock sandboxing support. This caused the check to always fail so landlock support was detected as absent. * Hardening of CMake's `check_c_source_compiles` has been proposed (see _Other projects_). * IFUNC was introduced for _crc64_ in [ee44863ae88e377a5df10db007ba9bfadde3d314](https://git.tukaani.org/?p=xz.git;a=commit;h=ee44863ae88e377a5df10db007ba9bfadde3d314) by _Hans Jensen_. * _Hans Jensen_ later went on to ask Debian to update xz-utils in https://bugs.debian.org/1067708, but this is quite a common thing for eager users to do, so it's not necessarily nefarious. ## People We do not want to speculate on the people behind this project in this
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -205,7 +205,7 @@ things we know: * Lennart Poettering had [mentioned](https://news.ycombinator.com/item?id=39867126) that it may happen via pam->libselinux->liblzma, and possibly in other cases too, but... * libselinux does not link to liblzma. It turns out the confusion was because of an old downstream-only patch in Fedora and a stale dependency in the RPM spec which persisted long-beyond its removal. * PAM modules are loaded too late in the process AFAIK for this to work (another possible example was `pam_fprintd`). Solar Designer [raised this issue](https://openwall.com/lists/oss-security/2024/03/31/9) as well on _oss-security_. * The payload is loaded into `sshd` indirectly. `sshd` is often patched to support
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 5 additions and 1 deletion.
@@ -224,6 +224,11 @@ things we know: to explain why.~ * Filippo Valsorda has shared [analysis](https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b) indicating that the attacker must supply a key which is verified by the payload and then attacker input is passed to `system()`, giving remote code execution (RCE). ## Tangential xz bits * Jia Tan's [328c52da8a2bbb81307644efdb58db2c422d9ba7](https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7) commit contained a `.` in the CMake check for landlock sandboxing support. This caused the check to always fail so landlock support was detected as absent. * Hardening of CMake's `check_c_source_compiles` has been proposed (see _Other projects_). ## People We do not want to speculate on the people behind this project in this @@ -296,7 +301,6 @@ There are concerns some other projects are affected (either by themselves or cha ## TODO for this doc * Add a table of releases + signer? * Include the injection script after the macro * Mention detection?
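Review bot: the cross-reference `(see _Other projects_)` in the new "Tangential xz bits" bullet points to the wrong section; the CMake `check_c_source_compiles` hardening issue and MR are listed under "Tangential efforts as a result of this incident" (visible in the earlier revisions on this page), while "Other projects" covers the oss-fuzz IFUNC change and the GCC PRs. Suggest `(see _Tangential efforts as a result of this incident_)` so readers land on the CMake links. The second hunk drops one TODO line but the removed text is not recoverable from this view, so the commit summary should say what was dropped.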
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 4 additions and 0 deletions.
@@ -274,6 +274,10 @@ There are concerns some other projects are affected (either by themselves or cha * https://github.com/google/oss-fuzz/pull/10667 was made by Jia Tan to disable IFUNC in oss-fuzz when testing xz-utils * It is unclear if this was safe or not. Obviously, it doesn't look great, but see below. * Note that IFUNC _is_ a brittle mechanism and it is known to be sensitive to e.g. ASAN, which is why the change didn't raise alarm bells. i.e. It is possible that such a change was genuinely made in good faith, although it's of course suspicious in hindsight. But I wouldn't say the oss-fuzz maintainers should have rejected it, either. * gcc [PR70082](https://gcc.gnu.org/PR70082) * gcc [PR87482](https://gcc.gnu.org/PR87482) * gcc [PR110442](https://gcc.gnu.org/PR110442) * gcc [PR114115](https://gcc.gnu.org/PR114115) - a real bug which xz found(!) ## Tangential efforts as a result of this incident
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 0 additions and 2 deletions.
@@ -278,11 +278,9 @@ There are concerns some other projects are affected (either by themselves or cha ## Tangential efforts as a result of this incident * CMake: [Consider hardening check_c_source_compiles](https://gitlab.kitware.com/cmake/cmake/-/issues/25846) - [MR](https://gitlab.kitware.com/cmake/cmake/-/merge_requests/9391) * bug-autoconf: [autoreconf --force seemingly does not forcibly update everything](https://lists.gnu.org/archive/html/bug-autoconf/2024-03/msg00000.html) * systemd: [Reduce dependencies of libsystemd](https://github.com/systemd/systemd/issues/32028) * _Note_: There was prior work already on this in e.g. https://github.com/systemd/systemd/pull/31550. Solar Designer [suggested](https://openwall.com/lists/oss-security/2024/03/31/9) this _may_ have caused acceleration of plans to backdoor xz, as the systemd changes had not yet landed in a release. (I saw this mentioned in a few places, IIRC.) * fedora-devel: [Three steps we could take to make supply chain attacks a bit harder](https://lists.fedoraproject.org/archives/list/[email protected]/thread/YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV/) ## Acknowledgements
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -308,7 +308,7 @@ Anyone can and should work on these. I'm just listing them so people have a roug * Reverse engineering the payload (it's still fairly early days here on this) * Auditing all possibly-tainted xz-utils commits * Investigate other paths for `sshd` to get `liblzma` in its process (not just via `libsystemd`, or at least not directly) * This is already partly done and it looks like none exist, but it would be nice to be sure. * Checking other projects for similar injection mechanisms (e.g. similar build system lines) * ???
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -279,7 +279,6 @@ There are concerns some other projects are affected (either by themselves or cha * CMake: [Consider hardening check_c_source_compiles](https://gitlab.kitware.com/cmake/cmake/-/issues/25846) - [MR](https://gitlab.kitware.com/cmake/cmake/-/merge_requests/9391) * bug-autoconf: [autoreconf --force seemingly does not forcibly update everything](https://lists.gnu.org/archive/html/bug-autoconf/2024-03/msg00000.html) * systemd: [Reduce dependencies of libsystemd](https://github.com/systemd/systemd/issues/32028) * _Note_: There was prior work already on this in e.g. https://github.com/systemd/systemd/pull/31550. Solar Designer [suggested](https://openwall.com/lists/oss-security/2024/03/31/9) this _may_ have caused acceleration of plans to backdoor xz, as the systemd changes had not yet landed in a release. (I saw this mentioned in a few places, IIRC.) @@ -299,6 +298,7 @@ There are concerns some other projects are affected (either by themselves or cha * Add a table of releases + signer? * Include the injection script after the macro * Mention detection? * Explain the bug-autoconf thing maybe wrt serial ## TODO overall
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 3 additions and 2 deletions.
@@ -231,13 +231,14 @@ document. This is not a productive use of our time, and law enforcement will be able to handle identifying those responsible. They are likely patching their systems too. xz-utils had two maintainers: * Lasse Collin (_Larhzu_) who has maintained xz since the beginning (~2009), and before that, `lzma-utils`. * Jia Tan (_JiaT75_) who started contributing to xz in the last 2-2.5 years and gained commit access, and then release manager rights, about 1.5 years ago. He was removed on 2024-03-31 as Lasse begins his long work ahead. Lasse regularly has internet breaks and is on one at the moment, started before this all kicked off. He has posted an update
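Review bot: `He was removed on 2024-03-31 as Lasse begins his long work ahead` mixes past and present tense in one sentence; suggest `He was removed on 2024-03-31, and Lasse now begins the long work ahead.` It would also help to say what he was removed from (commit access, the GitHub org, or both), since the bullet just before lists both commit access and release manager rights.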
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 4 additions and 5 deletions.
@@ -276,15 +276,14 @@ There are concerns some other projects are affected (either by themselves or cha ## Tangential efforts as a result of this incident * CMake: [Consider hardening check_c_source_compiles](https://gitlab.kitware.com/cmake/cmake/-/issues/25846) - [MR](https://gitlab.kitware.com/cmake/cmake/-/merge_requests/9391) <!-- TODO: explain? --> * bug-autoconf: [autoreconf --force seemingly does not forcibly update everything](https://lists.gnu.org/archive/html/bug-autoconf/2024-03/msg00000.html) * systemd: [Reduce dependencies of libsystemd](https://github.com/systemd/systemd/issues/32028) * _Note_: There was prior work already on this in e.g. https://github.com/systemd/systemd/pull/31550. Solar Designer [suggested](https://openwall.com/lists/oss-security/2024/03/31/9) this _may_ have caused acceleration of plans to backdoor xz, as the systemd changes had not yet landed in a release. (I saw this mentioned in a few places, IIRC.) * fedora-devel: [Three steps we could take to make supply chain attacks a bit harder](https://lists.fedoraproject.org/archives/list/[email protected]/thread/YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV/) ## Acknowledgements
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 2 additions and 3 deletions.
@@ -203,9 +203,8 @@ things we know: * Vanilla upstream OpenSSH isn't affected unless one of its dependencies links `liblzma`. * Lennart Poettering had [mentioned](https://news.ycombinator.com/item?id=39867126) that it may happen via pam->libselinux->liblzma, and possibly in other cases too, but... * libselinux does not link to liblzma. It turns out the confusion was because of an old downstream-only patch in Fedora and a stale dependency in the RPM spec which persisted long-beyond its removal. * PAM modules are loaded too late in the process AFAIK for this to work (another possible example was pam_fprintd). Solar Designer [raised this issue](https://openwall.com/lists/oss-security/2024/03/31/9) as well on oss-security. * The payload is loaded into `sshd` indirectly. `sshd` is often patched
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -309,7 +309,7 @@ Anyone can and should work on these. I'm just listing them so people have a roug * Reverse engineering the payload (it's still fairly early days here on this) * Auditing all possibly-tainted xz-utils commits * Investigate other paths for `sshd` to get `liblzma` in its process (not just via `libsystemd`, or at least not directly) * _Update_: The PAM route is totally bunk (too late) and the libselinux thing was a downstream-only patch (TODO: write about this). * Checking other projects for similar injection mechanisms (e.g. similar build system lines) * ???
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 2 additions and 0 deletions.
@@ -285,6 +285,8 @@ There are concerns some other projects are affected (either by themselves or cha * [Reduce dependencies of libsystemd](https://github.com/systemd/systemd/issues/32028) * _Note_: There was prior work already on this in e.g. https://github.com/systemd/systemd/pull/31550. Solar Designer [suggested](https://openwall.com/lists/oss-security/2024/03/31/9) this _may_ have caused acceleration of plans to backdoor xz, as the systemd changes had not yet landed in a release. (I saw this mentioned in a few places, IIRC.) * [Three steps we could take to make supply chain attacks a bit harder - fedora-devel](https://lists.fedoraproject.org/archives/list/[email protected]/thread/YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV/) ## Acknowledgements * Andres Freund who discovered the issue and reported it to *linux-distros* and then *oss-security*.
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -290,7 +290,7 @@ There are concerns some other projects are affected (either by themselves or cha * Andres Freund who discovered the issue and reported it to *linux-distros* and then *oss-security*. * All the hard-working security teams helping to coordinate a response and push out fixes. * Xe Iaso who resummarized this page for readability. * Everybody who has provided me tips privately, in #tukaani, or in comments on this gist. ## TODO for this doc -
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 0 deletions.
@@ -290,6 +290,7 @@ There are concerns some other projects are affected (either by themselves or cha * Andres Freund who discovered the issue and reported it to *linux-distros* and then *oss-security*. * All the hard-working security teams helping to coordinate a response and push out fixes. * Xe Iaso who resummarized this page for readability. * Everybody who has provided me tips privately or in the comments on this gist. ## TODO for this doc -
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -280,7 +280,7 @@ There are concerns some other projects are affected (either by themselves or cha <!-- TODO: Mention the CMake bit elsewhere as well first? --> <!-- * https://gitlab.kitware.com/cmake/cmake/-/issues/25846 --> <!-- TODO: explain? --> * [autoreconf --force seemingly does not forcibly update everything](https://lists.gnu.org/archive/html/bug-autoconf/2024-03/msg00000.html) * [Reduce dependencies of libsystemd](https://github.com/systemd/systemd/issues/32028) * _Note_: There was prior work already on this in e.g. https://github.com/systemd/systemd/pull/31550. Solar Designer [suggested](https://openwall.com/lists/oss-security/2024/03/31/9) this _may_ have caused acceleration of plans to backdoor xz, as the systemd changes had not yet landed in a release. (I saw this mentioned in a few places, IIRC.) -
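Review bot: the `autoreconf --force` item sits in the section on other projects possibly being affected but carries only a `<!-- TODO: explain? -->` comment, so readers cannot tell what it has to do with this incident; add a _Note_ in the style of the libsystemd entry saying which generated files `--force` leaves untouched and why that matters for an injection carried in build system files. The CMake issue link is likewise hidden in an HTML comment with its own TODO; either surface it with a sentence or leave it out until it is written up.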
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 6 additions and 4 deletions.
@@ -202,10 +202,12 @@ things we know: investigating. * Vanilla upstream OpenSSH isn't affected unless one of its dependencies links `liblzma`. * Lennart Poettering had [mentioned](https://news.ycombinator.com/item?id=39867126) that it may happen via pam->libselinux->liblzma, and possibly in other cases too, but I have not yet seen a path for this to happen. * libselinux does not link to liblzma. * PAM modules are loaded too late in the process AFAIK for this to work (another possible example was pam_fprintd). Solar Designer [raised this issue](https://openwall.com/lists/oss-security/2024/03/31/9) as well on oss-security. * The payload is loaded into `sshd` indirectly. `sshd` is often patched to support [systemd-notify](https://www.freedesktop.org/software/systemd/man/249/systemd-notify.html) -
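Review bot: "libselinux does not link to liblzma" is stated without qualification, while the newer revision's _Update_ further up this page records that the libselinux path was a downstream-only patch; qualify it as upstream libselinux and say which downstream patch adds the link, otherwise the two statements read as contradicting each other. "loaded too late in the process AFAIK" also needs its reference point: say what `sshd` has already done by the time PAM modules load that puts the hook out of reach, or point at the reasoning in the Solar Designer post rather than only saying he raised the issue. `pam_fprintd` is offered as "another possible example" without saying of what; spell out that it is a PAM module that might pull extra libraries into the process, if that is the intent.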
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -281,7 +281,7 @@ There are concerns some other projects are affected (either by themselves or cha <!-- TODO: explain --> * [autoreconf --force seemingly does not forcibly update everything](https://lists.gnu.org/archive/html/bug-autoconf/2024-03/msg00000.html) * [Reduce dependencies of libsystemd](https://github.com/systemd/systemd/issues/32028) * _Note_: There was prior work already on this in e.g. https://github.com/systemd/systemd/pull/31550. Solar Designer [suggested](https://openwall.com/lists/oss-security/2024/03/31/9) this _may_ have caused acceleration of plans to backdoor xz, as the systemd changes had not yet landed in a release. (I saw this mentioned in a few places, IIRC.) -
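Review bot: now that the claim is attributed to Solar Designer with a link, the trailing "(I saw this mentioned in a few places, IIRC.)" adds nothing a reader can check; either cite those other places or drop the parenthetical. "this _may_ have caused acceleration" would also read better if the note said what "this" is, i.e. the pending systemd change to drop the liblzma dependency, since the link text above it only says "Reduce dependencies of libsystemd".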
thesamesam revised this gist
Apr 1, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -281,7 +281,7 @@ There are concerns some other projects are affected (either by themselves or cha <!-- TODO: explain --> * [autoreconf --force seemingly does not forcibly update everything](https://lists.gnu.org/archive/html/bug-autoconf/2024-03/msg00000.html) * [Reduce dependencies of libsystemd](https://github.com/systemd/systemd/issues/32028) * _Note_: There was prior work already on this in e.g. https://github.com/systemd/systemd/pull/31550. Some have speculated this may have caused acceleration of plans to backdoor xz, as the systemd changes had not yet landed in a release. ## Acknowledgements
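Review bot: "Some have speculated" is unattributed; name who and link the post, as the newer revision of this same line further up the page does by citing Solar Designer on oss-security. "this may have caused acceleration" also lacks an antecedent for "this"; say that it is the pending systemd dependency reduction.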