this post was submitted on 30 Mar 2024
298 points (89.4% liked)

Memes

45734 readers
450 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] 30p87@feddit.de 22 points 8 months ago (3 children)

Arch isn't affected afaik, as it specifically targeted Debian and RPM. Also, sshd isn't linked against liblzma (or something along those lines). And I hope that's true, because otherwise, I had a backdoor on a public system for over a month.

[–] ReversalHatchery@beehaw.org 16 points 8 months ago* (last edited 8 months ago)

Also, sshd isn't linked against liblzma

Not directly, but it's loaded through libsystemd. It is there.

Edit: except on arch, if you use that. That doesn't use libsystemd

[–] user224@lemmy.sdf.org 12 points 8 months ago* (last edited 8 months ago) (2 children)
[–] 30p87@feddit.de 4 points 8 months ago

I just updated all packages in Termux actually lol

[–] Pantherina@feddit.de 1 points 7 months ago (1 children)
[–] user224@lemmy.sdf.org 1 points 7 months ago (2 children)

What package manager is that?

[–] Pantherina@feddit.de 1 points 7 months ago

Nala, Termux is Debian based and its pkg is basically apt

[–] ngn@lemy.lol 1 points 7 months ago

I think it's nala, which is a wrapper for (lib)apt

[–] wildbus8979@sh.itjust.works 6 points 8 months ago (2 children)
[–] HopFlop@discuss.tchncs.de 8 points 8 months ago

Yeah but the backdoor does not work on Arch (as far as we currently know). It relies on a linking of libraries that Arch doesnt do by default.

[–] 30p87@feddit.de 7 points 8 months ago (1 children)

And as https://www.openwall.com/lists/oss-security/2024/03/29/4 says:

"These conditions include targeting only x86-64 linux: [...] Building with gcc and the gnu linker [...] Running as part of a debian or RPM package build:"

I'm not an expert of course.

[–] bravesilvernest@lemmy.ml 2 points 7 months ago

Holy shit that was a hell of a dive. And no wonder the dude got it working, he was just pounding those "test and translation" commits