• Possibly linux
    3 months ago

    It is not entirely clear whether this exploit can affect other parts of the system. This is one of those things you need to take extremely seriously.

    • DefederateLemmyMl@feddit.nl
      3 months ago

      In the case of Arch, the backdoor also wasn’t inserted into liblzma at all, because at build time there was a check to see if it was being built on a deb- or rpm-based system, and it only inserts it in those two cases.

      See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 for an analysis of the situation.

      So even if Arch built their xz binaries off the backdoored tarball, it was never actually vulnerable.

      • Possibly linux
        3 months ago

        I just know there is a lot of uncertainty. Maybe a complete wipe is an overreaction, but it is better to be safe.