PLEASE. I keep seeing it in memes. As I understand it the latest version of the xz package (present in rolling release distros like Arch and SUSE Tumbleweed) has “a backdoor”, but I have no earthly clue what can be done by malicious folks with access to that backdoor or if I should be afraid or how to check if my distro is compromised or how to prevent damage if it is or (…)

  • @[email protected]
    link
    fedilink
    English
    18
    edit-2
    8 months ago

    TL;DR don’t worry (for now) - it only impacts rpm and deb builds and impacted releases only really made it into OpenSuSe tumbleweed - if you’re running bleeding edge maybe you need to worry a little.

    A laymans explanation about what happens is that the malicious package uses an indirect linkage (via systemd) to openssh and overrides a crypto function which either:

    • allows access to the system to a particular key
    • allows remote code execution with a particular key

    Or both!

    I have secondhand info that privately the reverse engineering is more advanced, but nobody wants to lead with bad info.

    As for what you should do? Unless you’re running an rpm or deb based distro and you have version 5.6.0 or 5.6.1 of xz-utils installed, not much. If you are, well, that comes down to your threat model and paranoia level: either upgrade (downgrade) the package to a non-vulnerable version or dust off and nuke the site from orbit; it’s the only way to be sure.

      • @[email protected]
        link
        fedilink
        English
        18 months ago

        Debian Sid would be considered “bleeding edge”, not sure about Testing. It also made it into Fedora’s Sid equivalent, Rawhide and the branch for Fedora 41 (due out in October)