undefined | Better HN

0 pointsfourfour31y ago0 comments

Looks like Arch Linux shipped both compromised versions - and 5.6.1-2 is out to hopefully resolve it.

0 comments

5.6.1-2 is not an attempted fix, it's just some tweaks to Arch's own build script to improve reproducibility. Arch's build script ultimately delegates to the compromised build script unfortunately, but it also appears the payload itself is specifically targeting deb/RPM based distros, so a narrow miss for Arch here.

(EDIT: as others have pointed out, part of the exploit is in the artifact from libxz, which Arch is now avoiding by switching to building from a git checkout)

gpm1y ago

Are you sure about that? The diff moves away from using the compromised tarballs to the not-compromised (by this) git source. The comment message says it's about reproducibility, but especially combined with the timing it looks to me like that was just to avoid breaking an embargo.

tutfbhuf1y ago

So, you suggest that Frederik Schwan had prior knowledge of the security issues but hid the real purpose of the commit under "improve reproducibility"?

3 more replies

tutfbhuf1y ago

I upgraded Arch Linux on my server a few hours ago. Arch Linux does not fetch one of the compromised tarballs but builds from source and sshd does not link against liblzma on Arch.

  [root@archlinux ~]# pacman -Qi xz | head -n2  
  Name            : xz  
  Version         : 5.6.1-2  
  [root@archlinux ~]# pacman -Qi openssh | head -n2
  Name            : openssh
  Version         : 9.7p1-1
  [root@archlinux ~]# ldd $(which sshd) | grep liblzma
  [root@archlinux ~]#

It seems that Arch Linux is not affected.

gpm1y ago

5.6.1-1 was built from what I understand to be one of the affected tarballs. This was patched in 5.6.1-2: https://gitlab.archlinux.org/archlinux/packaging/packages/xz...

I agree on the sshd linking part.

tutfbhuf1y ago

Interesting, they just switched from tarballs to source 19 hours ago. It seems to me that Frederik Schwan had prior knowledge of the security issue, or it is just a rare coincidence.

1 more reply

aquova1y ago

The project has made an official post on the subject

https://archlinux.org/news/the-xz-package-has-been-backdoore...

mook1y ago

The writeup indicates that the backdoor only gets applied when building for rpm or deb, so Arch probably would have been okay either way? Same with Nix, Homebrew, etc.

gpm1y ago

On arch, `ldd $(which sshd)` doesn't list lzma or xz, so I think it's unaffected? Obviously still not great to be shipping malicious code that just happens to not trigger.

altairprime1y ago

Deleted per below

gpm1y ago

This is what the `detect_sh.bin` attached to the email does. I can only assume that the pesron who reported the vulnerability checked that this succeeds in detecting it.

Note that I'm not looking for the vulnerable symbols, I'm looking for the library that does the patching in the first place.

1 more reply

fullstop1y ago

My Arch setup is the same, they must not patch openssh.

j / k navigate · click thread line to collapse

0 comments

Macha1y ago

(EDIT: as others have pointed out, part of the exploit is in the artifact from libxz, which Arch is now avoiding by switching to building from a git checkout)

gpm1y ago

tutfbhuf1y ago

So, you suggest that Frederik Schwan had prior knowledge of the security issues but hid the real purpose of the commit under "improve reproducibility"?

3 more replies

tutfbhuf1y ago

I upgraded Arch Linux on my server a few hours ago. Arch Linux does not fetch one of the compromised tarballs but builds from source and sshd does not link against liblzma on Arch.

  [root@archlinux ~]# pacman -Qi xz | head -n2  
  Name            : xz  
  Version         : 5.6.1-2  
  [root@archlinux ~]# pacman -Qi openssh | head -n2
  Name            : openssh
  Version         : 9.7p1-1
  [root@archlinux ~]# ldd $(which sshd) | grep liblzma
  [root@archlinux ~]#

It seems that Arch Linux is not affected.

gpm1y ago

5.6.1-1 was built from what I understand to be one of the affected tarballs. This was patched in 5.6.1-2: https://gitlab.archlinux.org/archlinux/packaging/packages/xz...

I agree on the sshd linking part.

tutfbhuf1y ago

Interesting, they just switched from tarballs to source 19 hours ago. It seems to me that Frederik Schwan had prior knowledge of the security issue, or it is just a rare coincidence.

1 more reply

aquova1y ago

The project has made an official post on the subject

https://archlinux.org/news/the-xz-package-has-been-backdoore...

mook1y ago

The writeup indicates that the backdoor only gets applied when building for rpm or deb, so Arch probably would have been okay either way? Same with Nix, Homebrew, etc.

gpm1y ago

On arch, `ldd $(which sshd)` doesn't list lzma or xz, so I think it's unaffected? Obviously still not great to be shipping malicious code that just happens to not trigger.

altairprime1y ago

Deleted per below

gpm1y ago

This is what the `detect_sh.bin` attached to the email does. I can only assume that the pesron who reported the vulnerability checked that this succeeds in detecting it.

Note that I'm not looking for the vulnerable symbols, I'm looking for the library that does the patching in the first place.

1 more reply

fullstop1y ago

My Arch setup is the same, they must not patch openssh.

j / k navigate · click thread line to collapse