@[email protected] to [email protected] • 8 months agoArch with XZlemmy.worldmessage-square92fedilinkarrow-up1580
arrow-up1580imageArch with XZlemmy.world@[email protected] to [email protected] • 8 months agomessage-square92fedilink
minus-squareDefederateLemmyMllinkfedilinkEnglish2•8 months agoIn the case of Arch the backdoor also wasn’t inserted into liblzma at all, because at build time there was a check to see if it’s being built on a deb or rpm based system, and only inserts it in those two cases. See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 for an analysis of the situation. So even if Arch built their xz binaries off the backdoored tarball, it was never actually vulnerable.
minus-squarePossibly linuxlinkfedilinkEnglish1•8 months agoI just know there is a lot of uncertainty. Maybe a complete wipe is a over reaction but it is better to be safe
In the case of Arch the backdoor also wasn’t inserted into liblzma at all, because at build time there was a check to see if it’s being built on a deb or rpm based system, and only inserts it in those two cases.
See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 for an analysis of the situation.
So even if Arch built their xz binaries off the backdoored tarball, it was never actually vulnerable.
I just know there is a lot of uncertainty. Maybe a complete wipe is a over reaction but it is better to be safe