- cross-posted to:
- linux@lemmy.ml
The person that found this is a hero.
Whenever I see slightly weird behaviour, there is a temptation to just move on because there isn’t enough time, running software is complicated, and there is something else I want to do. I will try to change my attitude in future in case it uncovers a backdoor like this – it would be educational too.
A nice tl;dr was https://news.ycombinator.com/item?id=39866307
Copied here:
For those panicking, here are some key things to look for, based on the writeup:
- A very recent version of liblzma5 - 5.6.0 or 5.6.1. This was added in the last month or so. If you’re not on a rolling release distro, your version is probably older.
- A Debian or RPM based distro of Linux on x86_64. In an apparent attempt to make reverse engineering harder, it does not seem to apply when built outside of deb or rpm packaging. It is also specific to Linux.
- Running OpenSSH sshd from systemd. OpenSSH as patched by some distros only pulls in libsystemd for logging functionality, which pulls in the compromised liblzma5.
Debian testing already has a version called ‘5.6.1+really5.4.5-1’ that is really an older version 5.4, repackaged with a newer version to convince apt that it is in fact an upgrade.
It is possible there are other flaws or backdoors in liblzma5, though.
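The three conditions in the checklist quoted above, as a local triage script. This is an added example, not part of the thread or of any distro's tooling; the package names `liblzma5` (dpkg) and `xz-libs` (rpm), the `/usr/sbin/sshd` fallback path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: report which checklist conditions hold on this host.
# Assumed package names: liblzma5 (dpkg) and xz-libs (rpm).

# 0 if the packaged version is really upstream 5.6.0 or 5.6.1.
is_affected_version() {
    v=${1#*:}                                      # drop an epoch, if any
    case $v in *+really*) v=${v#*+really} ;; esac  # real version follows "+really"
    v=${v%%-*}; v=${v%%+*}; v=${v%%~*}             # drop packaging suffixes
    case $v in 5.6.0|5.6.1) return 0 ;; *) return 1 ;; esac
}

# 0 if ldd output on stdin lists liblzma.
links_liblzma() { grep -q 'liblzma\.so'; }

# 0 if kernel, machine and package manager match the checklist.
platform_in_scope() {
    [ "$1" = Linux ] && [ "$2" = x86_64 ] && { [ "$3" = dpkg ] || [ "$3" = rpm ]; }
}

triage() {
    pm=none; ver=""
    if command -v dpkg-query >/dev/null 2>&1; then
        pm=dpkg
        ver=$(dpkg-query -W -f='${Version}\n' liblzma5 2>/dev/null | head -n 1) || ver=""
    elif command -v rpm >/dev/null 2>&1; then
        pm=rpm
        ver=$(rpm -q --qf '%{VERSION}' xz-libs 2>/dev/null) || ver=""
    fi
    if platform_in_scope "$(uname -s)" "$(uname -m)" "$pm"; then
        echo "platform: in scope (Linux x86_64, $pm)"
    else
        echo "platform: out of scope"
    fi
    if [ -n "$ver" ] && is_affected_version "$ver"; then
        echo "liblzma $ver: affected release"
    else
        echo "liblzma ${ver:-not found}: not 5.6.0 or 5.6.1"
    fi
    sshd_bin=$(command -v sshd 2>/dev/null) || sshd_bin=/usr/sbin/sshd
    if [ -x "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | links_liblzma; then
        echo "sshd: loads liblzma"
    else
        echo "sshd: no liblzma dependency found"
    fi
    return 0
}

triage
```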
5.6.1+really5.4.1
Most sane Debian package management