A walkthrough of the xz attack shell script.
An RC4 variant in Awk, what more could you want?
https://research.swtch.com/xz-script
@rsc Thanks! I was wondering about these strange-looking sed commands, but as you note, any POSIX conformant sed can be turned into cat by "r[non-existing file]", because "[i]f rfile does not exist or cannot be read, it shall be treated as if it were an empty file, causing no error condition". https://pubs.opengroup.org/onlinepubs/9699919799.2018edition/utilities/sed.html
@rsc These things, present already in the m4, only seem to make it look more suspicious (heard Andres F talking about the attack being "over-engineered"). https://risky.biz/RB743/
@rsc thanks! reads like a thriller.
@rsc The "-ffunction-sections -fdata-sections" together with the "--sort-section=name" is probably to make sure the compiled code is in a consistent order. Something in the backdoor might be depending on that.
And you missed the "-X" aka "--discard-locals", I recall reading in another analysis that the backdoor object used local symbols for its functions, that might be to discard these symbols?
@rsc "Shell quoting inside a quoted string inside a Makefile really is something special."
Ok that made me laugh, but ... a key part of this whole attack which your step by step makes clear is that it is convoluted enough that most of us will just skim it and move on (i.e., thinking the sed is doing a line ending conversion).
Hiding in plain sight.