@qwioeue@lemmy.world to linuxmemes@lemmy.world • 3 months agoArch with XZlemmy.worldimagemessage-square93fedilinkarrow-up1581arrow-down1108
arrow-up1473arrow-down1imageArch with XZlemmy.world@qwioeue@lemmy.world to linuxmemes@lemmy.world • 3 months agomessage-square93fedilink
minus-squareDefederateLemmyMllinkfedilinkEnglish2•3 months agoIn the case of Arch the backdoor also wasn’t inserted into liblzma at all, because at build time there was a check to see if it’s being built on a deb or rpm based system, and only inserts it in those two cases. See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 for an analysis of the situation. So even if Arch built their xz binaries off the backdoored tarball, it was never actually vulnerable.
minus-squarePossibly linuxlinkfedilinkEnglish1•3 months agoI just know there is a lot of uncertainty. Maybe a complete wipe is a over reaction but it is better to be safe
In the case of Arch the backdoor also wasn’t inserted into liblzma at all, because at build time there was a check to see if it’s being built on a deb or rpm based system, and only inserts it in those two cases.
See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 for an analysis of the situation.
So even if Arch built their xz binaries off the backdoored tarball, it was never actually vulnerable.
I just know there is a lot of uncertainty. Maybe a complete wipe is a over reaction but it is better to be safe