this post was submitted on 31 Mar 2024
83 points (95.6% liked)

Explain Like I'm Five

17867 readers
28 users here now

Simplifying Complexity, One Answer at a Time!

Rules

  1. Be respectful and inclusive.
  2. No harassment, hate speech, or trolling.
  3. Engage in constructive discussions.
  4. Share relevant content.
  5. Follow guidelines and moderators' instructions.
  6. Use appropriate language and tone.
  7. Report violations.
  8. Foster a continuous learning environment.

founded 2 years ago
MODERATORS
sabbah@lemmy.world
AradFort@lemmy.world
rikudou@lemmings.world
Don_Dickle@lemmy.world
Rikudou_Sage@lemmy.world
83
ELI5: The Linux xz backdoor situation (pawb.social)
submitted 1 year ago by VinesNFluff@pawb.social to c/explainlikeimfive@lemmy.world
33 comments fedilink hide all child comments
 

PLEASE. I keep seeing it in memes. As I understand it the latest version of the xz package (present in rolling release distros like Arch and SUSE Tumbleweed) has "a backdoor", but I have no earthly clue what can be done by malicious folks with access to that backdoor or if I should be afraid or how to check if my distro is compromised or how to prevent damage if it is or (...)

you are viewing a single comment's thread
view the rest of the comments
[–] hydroptic@sopuli.xyz 8 points 1 year ago* (last edited 1 year ago) (5 children)

Based on this very handy HN comment the long and short of it is that it would probably only have been a problem if you were running:

  • A very recent version of liblzma5 - 5.6.0 or 5.6.1. This was added in the last month or so. If you're not on a rolling release distro, your version is probably older.

  • A debian or RPM based distro of Linux on x86_64. In an apparent attempt to make reverse engineering harder, it does not seem to apply when built outside of deb or rpm packaging. It is also specific to Linux.

  • Running OpenSSH sshd from systemd. OpenSSH as patched by some distros only pulls in libsystemd for logging functionality, which pulls in the compromised liblzma5.

So if all of those weren't true for you, you're most likely fine. Not a guarantee though since the backdoor's still being analyzed and that comment is a couple of days old, but as far as I can tell it's still reasonably accurate.

[–] TheFinn@discuss.tchncs.de 2 points 1 year ago (1 children)

I've been wondering if there's some kind of notification code that let's the bad actor know they've successfully infected someone. Otherwise what's the plan, trawl the entire IP space for devices your key can access? Wouldn't it need UPNP or some other method to reach most people's systems?

[–] hydroptic@sopuli.xyz 1 points 1 year ago

I think the intention probably wasn't to get into Jane Q. Public's home computer, but was aimed at being able to infiltrate more high value targets – corporations, governments etc. While I haven't kept up with the latest findings in this, I'd guess the intention was to have the backdoor spread widely enough that you really wouldn't need to scan for targets – Debian and distros that use RPM are very popular after all.

It'd definitely require the target to have their sshd open to the world, but that's not uncommon at all unfortunately.

load more comments (3 replies)