qwioeue@lemmy.world to linuxmemes@lemmy.world · 7 months agoArch with XZlemmy.worldimagemessage-square93fedilinkarrow-up1582arrow-down1108
arrow-up1474arrow-down1imageArch with XZlemmy.worldqwioeue@lemmy.world to linuxmemes@lemmy.world · 7 months agomessage-square93fedilink
minus-squareDefederateLemmyMl@feddit.nllinkfedilinkEnglisharrow-up2·7 months agoIn the case of Arch the backdoor also wasn’t inserted into liblzma at all, because at build time there was a check to see if it’s being built on a deb or rpm based system, and only inserts it in those two cases. See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 for an analysis of the situation. So even if Arch built their xz binaries off the backdoored tarball, it was never actually vulnerable.
minus-squarePossibly linux@lemmy.ziplinkfedilinkEnglisharrow-up1·7 months agoI just know there is a lot of uncertainty. Maybe a complete wipe is a over reaction but it is better to be safe
In the case of Arch the backdoor also wasn’t inserted into liblzma at all, because at build time there was a check to see if it’s being built on a deb or rpm based system, and only inserts it in those two cases.
See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 for an analysis of the situation.
So even if Arch built their xz binaries off the backdoored tarball, it was never actually vulnerable.
I just know there is a lot of uncertainty. Maybe a complete wipe is a over reaction but it is better to be safe