The interest in OSS-Fuzz was because it was used to monitor libxz, and so one of the necessary subgoals was to trick its maintainers into exempting libxz from a check that may have caught the backdoor, or at least drawn attention to it for unrelated reasons: https://github.com/google/oss-fuzz/pull/10667
So did he plan all this from the beginning, or did he go full yolo somewhere down the line?! I am looking at his mailing chat[0] and he seemed pretty enthusiastic about improving and fixing XZ.
> Either way, it's your preference and I will follow your lead. Jia Tan
> It's out of the scope for this patch, but it is something worth considering. Just trying to do my part as a helper elf! Jia Tan
Sounds like someone pulling the strings and using the "it's your idea, I'm just following!" strategy.
My hunch from reading over all the language used is that this person spent a good deal of time in America and has a carefully crafted 'customer service' manner of speaking. I may be wrong on the spending time in America part, but they are most definitely used to putting people at ease with their word choice.
I also found this bit interesting, as it's one of the few times they referred to "us" and "we":
> The contributors to this project are hobbyists so we can't dedicate 40+ hours a week for fast releases of high quality. Thank you for your understanding and if you want to help work on anything you can always submit a patch :)
What a guy... he is trying his best to gain people's trust and then shove a backdoor down your throat. And that smiley face at the end is just straight-out trolling.
From what I've seen (and I've not seen much, mind you) - someone went through and carefully categorized various libraries by the ability to be injected into OpenSSH on the target systems AND those that were lightly maintained, if at all.
xz was the winner, but there are likely others that could have been used.