# CVE-2024-3094 — xz/liblzma backdoored sshd.
# Single service: sshd dynamically linked against the genuinely backdoored,
# ED448-seed=0-patched liblzma 5.6.1. Reachable on 127.0.0.1:2222.
services:
  sshd:
    build:
      context: .
      dockerfile: Dockerfile
    image: cve-2024-3094-sshd:latest
    platform: linux/amd64
    container_name: cve-2024-3094-sshd
    # Bind to loopback only; exploiter and verifier run on the same host.
    ports:
      - "127.0.0.1:2222:22"
    restart: "no"
    healthcheck:
      # Healthy once sshd holds a LISTEN socket on port 22 (0x0016 in
      # /proc/net/tcp); dash-safe, needs no extra tooling.
      test: ["CMD-SHELL", "grep -q ':0016 ' /proc/net/tcp || exit 1"]
      interval: 5s
      timeout: 3s
      retries: 5
      start_period: 5s