this post was submitted on 31 Mar 2024
83 points (95.6% liked)

Explain Like I'm Five

14277 readers
9 users here now

Simplifying Complexity, One Answer at a Time!

Rules

  1. Be respectful and inclusive.
  2. No harassment, hate speech, or trolling.
  3. Engage in constructive discussions.
  4. Share relevant content.
  5. Follow guidelines and moderators' instructions.
  6. Use appropriate language and tone.
  7. Report violations.
  8. Foster a continuous learning environment.

founded 1 year ago
MODERATORS
 

PLEASE. I keep seeing it in memes. As I understand it the latest version of the xz package (present in rolling release distros like Arch and SUSE Tumbleweed) has "a backdoor", but I have no earthly clue what can be done by malicious folks with access to that backdoor or if I should be afraid or how to check if my distro is compromised or how to prevent damage if it is or (...)

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 18 points 7 months ago* (last edited 7 months ago) (1 children)

TL;DR don't worry (for now) - it only impacts rpm and deb builds and impacted releases only really made it into OpenSuSe tumbleweed - if you're running bleeding edge maybe you need to worry a little.

A laymans explanation about what happens is that the malicious package uses an indirect linkage (via systemd) to openssh and overrides a crypto function which either:

  • allows access to the system to a particular key
  • allows remote code execution with a particular key

Or both!

I have secondhand info that privately the reverse engineering is more advanced, but nobody wants to lead with bad info.

As for what you should do? Unless you're running an rpm or deb based distro and you have version 5.6.0 or 5.6.1 of xz-utils installed, not much. If you are, well, that comes down to your threat model and paranoia level: either upgrade (downgrade) the package to a non-vulnerable version or dust off and nuke the site from orbit; it's the only way to be sure.

[–] [email protected] 1 points 7 months ago (1 children)

Didn't it also get into Debian testing and Sid?

[–] [email protected] 1 points 7 months ago

Debian Sid would be considered "bleeding edge", not sure about Testing. It also made it into Fedora's Sid equivalent, Rawhide and the branch for Fedora 41 (due out in October)