“Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian.”
I do know that Roon compiles their own build of ROCK Linux (and Roon wrote the compiler as well). I’d have to think ROCK users, old and new, have nothing to worry about?
This means that they first build (i.e., compile) the compilers, not that they wrote them. This is the normal approach when bootstrapping a new system. Writing a modern compiler takes years (or decades) with a rather large team. For instance, gcc (the GNU Compiler Collection) consists of 15 million lines of code.
Without doubt, Roon OS is created based on preexisting free (open source) software, like every Linux-based system. That’s what the free software is for, and it would be an insane waste of resources (read: impossible) not to leverage it. They may or may not include the Xz Utils.
@Suedkiez, the discussion started when I mentioned my router identified my ROCK/NUC as “Red Hat”. Danny made it very clear ROCK is not built on any standard distro. As I said, instead of telling me “Neil, you don’t understand what Danny wrote”, ask him yourself. This conversation isn’t getting any more appealing with you pointing your finger at me.
Systems using xz are only vulnerable if version 5.4.7 or higher is used.
Right now no Debian stable versions are known to be affected.
Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1. The package has been reverted to use the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1.
Users running Debian testing and unstable are urged to update the xz-utils packages.
Sure, but that’s an entirely different thing. They are taking what they need from the available pool of free and open-source software, write some glue code themselves, and assemble their own specialized Linux-based system from it. Similar to how other Linux distributions do it, but not based on any existing one.
I’m only making sure of the facts. When security is involved, we don’t want to confuse anyone.
Bill_Janssen
I cannot tell you from the output you posted if your system got the backdoor or not. Since you did upgrade some days ago, I guess it could very likely be the case.
With the command pacman -Q you can see what you have installed.
Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command:
ldd "$(command -v sshd)"
However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.
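A small POSIX shell script that wraps the two checks mentioned in this thread, whether sshd loads liblzma (the ldd command above) and whether the installed xz is one of the backdoored upstream releases. This is an added example, not anything posted in the thread or shipped by Arch, Debian or Roon. The ldd output used to exercise the check is constructed; the version check flags upstream 5.6.0 and 5.6.1 (the two releases that carried the backdoor) and deliberately treats Debian's reverted 5.6.1+really5.4.5-1 as clean.

```shell
#!/bin/sh
# Added example (not from the forum thread): two defender-side checks for the xz backdoor.
#  1. Does the sshd binary (transitively) load liblzma? On Arch it does not, which is
#     why the sshd attack vector is closed there; on Debian-style builds libsystemd pulls it in.
#  2. Is the installed xz one of the backdoored upstream releases, 5.6.0 or 5.6.1?

# Return 0 if the given ldd output mentions liblzma, 1 otherwise.
# Takes the ldd text as an argument so it can be checked against sample output.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Return 0 if the version string is upstream 5.6.0 or 5.6.1, with or without a
# distro suffix such as "-1". Debian's "5.6.1+really5.4.5-1" is the reverted,
# clean 5.4.5 code and therefore does not match.
xz_version_backdoored() {
    case "$1" in
        5.6.0|5.6.1|5.6.0-*|5.6.1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed ldd output, not captured from a real host, for exercising the checks.
SAMPLE_LDD_LINKED='linux-vdso.so.1 (0x00007ffd0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f200000)'
SAMPLE_LDD_CLEAN='linux-vdso.so.1 (0x00007ffd0000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f000000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f200000)'

# Run both checks against the local host and print the findings.
check_host() {
    if command -v sshd >/dev/null 2>&1; then
        out=$(ldd "$(command -v sshd)" 2>/dev/null || true)
        if sshd_links_liblzma "$out"; then
            echo "sshd loads liblzma: the sshd attack vector is open if xz is backdoored"
        else
            echo "sshd does not load liblzma"
        fi
    else
        echo "sshd not installed"
    fi
    if command -v xz >/dev/null 2>&1; then
        # First line of `xz --version` ends with the version, e.g. "xz (XZ Utils) 5.4.5".
        v=$(xz --version 2>/dev/null | head -n 1 | awk '{print $NF}')
        if xz_version_backdoored "$v"; then
            echo "xz $v is a backdoored release: upgrade or downgrade now"
        else
            echo "xz $v is not one of the known backdoored releases"
        fi
    else
        echo "xz not installed"
    fi
}

check_host
```

Run it as a normal user; ldd needs no privileges. A clean ldd result only closes the sshd vector, which is why the Arch advice above still says to upgrade regardless.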