qwioeue@lemmy.world to linuxmemes@lemmy.world · 8 months agoArch with XZlemmy.worldimagemessage-square87fedilinkarrow-up1579arrow-down1107
arrow-up1472arrow-down1imageArch with XZlemmy.worldqwioeue@lemmy.world to linuxmemes@lemmy.world · 8 months agomessage-square87fedilink
minus-squareobservantTrapezium@lemmy.calinkfedilinkarrow-up91arrow-down3·8 months agoArch does not directly link openssh to liblzma, and thus this attack vector is not possible.
minus-squarePossibly linux@lemmy.ziplinkfedilinkEnglisharrow-up5·8 months agoIt is not entirely clear either this exploit can affect other parts of the system. This is one those things you need to take extremely seriously
minus-squareDefederateLemmyMl@feddit.nllinkfedilinkEnglisharrow-up2·8 months agoIn the case of Arch the backdoor also wasn’t inserted into liblzma at all, because at build time there was a check to see if it’s being built on a deb or rpm based system, and only inserts it in those two cases. See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 for an analysis of the situation. So even if Arch built their xz binaries off the backdoored tarball, it was never actually vulnerable.
minus-squarePossibly linux@lemmy.ziplinkfedilinkEnglisharrow-up1·8 months agoI just know there is a lot of uncertainty. Maybe a complete wipe is a over reaction but it is better to be safe
Arch does not directly link openssh to liblzma, and thus this attack vector is not possible.
It is not entirely clear either this exploit can affect other parts of the system. This is one those things you need to take extremely seriously
In the case of Arch the backdoor also wasn’t inserted into liblzma at all, because at build time there was a check to see if it’s being built on a deb or rpm based system, and only inserts it in those two cases.
See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 for an analysis of the situation.
So even if Arch built their xz binaries off the backdoored tarball, it was never actually vulnerable.
I just know there is a lot of uncertainty. Maybe a complete wipe is a over reaction but it is better to be safe