Well did I tell you guys, I use Debian stable btw
According to this guy Debian is the problem https://lemmy.ml/comment/9780209
Debian is not really the problem, but rather the target, just read the original announcement at https://www.openwall.com/lists/oss-security/2024/03/29/4:
== Affected Systems ==
Running as part of a debian or RPM package build:
if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then
...
openssh does not directly use liblzma. However debian and several other
distributions patch openssh to support systemd notification, and libsystemd
does depend on lzma.
Initially starting sshd outside of systemd did not show the slowdown, despite
the backdoor briefly getting invoked. This appears to be part of some
countermeasures to make analysis harder.
Observed requirements for the exploit:
a) TERM environment variable is not set
b) argv[0] needs to be /usr/sbin/sshd
c) LD_DEBUG, LD_PROFILE are not set
d) LANG needs to be set
e) Some debugging environments, like rr, appear to be detected. Plain gdb
appears to be detected in some situations, but not others
So if you were using Arch, you were unaffected by this vulnerability because
- the script wouldn’t trigger because it uses neither DEB nor RPM packages
- even if it had triggered, the backdoor only gets activated when the calling binary is
/usr/sbin/sshdwhich doesn’t happen in Arch because they don’t patch OpenSSH to support systemd (which in turn pulls in xz).
This doesn’t mean that Arch saved you because it’s super secure or anything, but this was a supply chain attack that hit Arch (and Debian Sid, where the backdoor was actually caught because ssh logins took so long…), but it didn’t trigger because it wasn’t targeted.
Meaning there’s no immediate need to be concerned, but you should update ASAP even though the Arch package probably doesn’t contain backdoored artifacts.
Thanks for clarifying. I read through the original announcement but I couldn’t fully understand it
To be fair, the backdoor only gets enabled when built as an RPM or Deb package, which doesn’t apply to Arch Linux, and also requires openSSH to be linked to liblzma, which is also not the case on Arch. So from what we know so far, the Arch packages should not have had the vulnerability. The risk now is whether there are other vulnerabilities or backdoors that haven’t been discovered which is why Arch made the update building directly from the git source instead of the known modified source tarball.
Man, rolling release is great
I use Debian stable btw…
The downside to bleeding edge…
This backdoor has existed for the past 2 months. If anything, Arch was one of the first to roll out the fix.
Why does xz exist anyway?
It is a compression library that is in the dependency tree for a large number of other packages though not as many as zlib which is in practically everything.
xz development appears to have been compromised by some organisation in a long game targeting sshd in Debian and derivatives. Debian maintainers have a nasty habit of adding lots of patches to upstream sources which occasionally have unintended consequences. I am a long term Debian user but I wish they would stop doing this. Thankfully arch generally doesn’t modify upstream as much as Debian and arch sshd doesn’t link in the backdoored library.
Ah I see. Are there any reasons why people would choose to use xz over zlib?
It compresses much better, by a lot, as zlib/deflate is an ancient algorithm made back when computers only had a few megabytes of ram.
Nowadays though, zstd seems to be replacing both of them, as at max level it compresses about as well as xz while also being faster. Nevertheless, many programs link against all the common compression algorithms (xz/zlib/zstd/bz2) to support everything
Exactly. People should just use zip for their compression libraries. Way more efficient
In case anyone wants to enter your system
