Arch with XZ (lemmy.world)
submitted 3 months ago by [email protected] to c/[email protected]
[-] [email protected] 88 points 3 months ago
[-] [email protected] 5 points 3 months ago

It is not entirely clear whether this exploit can affect other parts of the system. This is one of those things you need to take extremely seriously.

[-] [email protected] 2 points 3 months ago

In the case of Arch the backdoor also wasn't inserted into liblzma at all, because at build time there was a check to see if it's being built on a deb- or rpm-based system, and it only inserts it in those two cases.

See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 for an analysis of the situation.

So even if Arch built their xz binaries off the backdoored tarball, it was never actually vulnerable.

[-] [email protected] 1 points 3 months ago

I just know there is a lot of uncertainty. Maybe a complete wipe is an overreaction, but it is better to be safe.

this post was submitted on 30 Mar 2024
471 points (84.3% liked)
