PLEASE. I keep seeing it in memes. As I understand it the latest version of the xz package (present in rolling release distros like Arch and SUSE Tumbleweed) has “a backdoor”, but I have no earthly clue what can be done by malicious folks with access to that backdoor or if I should be afraid or how to check if my distro is compromised or how to prevent damage if it is or (…)

  • hydroptic@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    0
    arrow-down
    1
    ·
    edit-2
    8 months ago

    Based on this very handy HN comment the long and short of it is that it would probably only have been a problem if you were running:

    • A very recent version of liblzma5 - 5.6.0 or 5.6.1. This was added in the last month or so. If you’re not on a rolling release distro, your version is probably older.

    • A debian or RPM based distro of Linux on x86_64. In an apparent attempt to make reverse engineering harder, it does not seem to apply when built outside of deb or rpm packaging. It is also specific to Linux.

    • Running OpenSSH sshd from systemd. OpenSSH as patched by some distros only pulls in libsystemd for logging functionality, which pulls in the compromised liblzma5.

    So if all of those weren’t true for you, you’re most likely fine. Not a guarantee though since the backdoor’s still being analyzed and that comment is a couple of days old, but as far as I can tell it’s still reasonably accurate.

    • TheFinn@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 months ago

      I’ve been wondering if there’s some kind of notification code that let’s the bad actor know they’ve successfully infected someone. Otherwise what’s the plan, trawl the entire IP space for devices your key can access? Wouldn’t it need UPNP or some other method to reach most people’s systems?

      • hydroptic@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        0
        arrow-down
        1
        ·
        7 months ago

        I think the intention probably wasn’t to get into Jane Q. Public’s home computer, but was aimed at being able to infiltrate more high value targets – corporations, governments etc. While I haven’t kept up with the latest findings in this, I’d guess the intention was to have the backdoor spread widely enough that you really wouldn’t need to scan for targets – Debian and distros that use RPM are very popular after all.

        It’d definitely require the target to have their sshd open to the world, but that’s not uncommon at all unfortunately.