Xz Utils malware reported today

Saw this today. There’s new malware that has surfaced in the Linux compression library “xz”, which all Linux folks should be aware of. But the story says,

There are no known reports of those versions being incorporated into any production releases for major Linux distributions,

I don’t know what version of xz is in ROCK, but I expect it’s an older one than the version which contains this malware.

2 Likes

It’s xz, xv is an image editor for the X Window System.

Thanks! Fixed.

Interesting stuff though :slight_smile:
I took the liberty to fix the thread title as well.

2 Likes

“Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian.”

I do know that Roon compiles their own build of ROCK Linux (and Roon wrote the compiler as well). I’d have to think ROCK users, old and new, have nothing to worry about?

I very much doubt that. Source? (Not that it would matter if the source code of a utility was compromised)

From @danny

This means that they first build (i.e., compile) the compilers, not that they wrote them. This is the normal approach when bootstrapping a new system. Writing a modern compiler takes years (or decades) with a rather large team. For instance, gcc (the GNU Compiler Collection) consists of 15 million lines of code.

Without doubt, Roon OS is created based on preexisting free (open source) software, like every Linux-based system. That’s what the free software is for, and it would be an insane waste of resources (read: impossible) not to leverage it. They may or may not include the Xz Utils.

4 Likes

@Suedkiez , in my exchange with @danny , that is incorrect, but I’ll let you take that up with him. The last time I said that, I lost. Cheers.

Well, Linux itself as well as the mentioned crosstools-ng and buildroot are freely available preexisting free software.

https://buildroot.org/

Even if they wrote some things on their own, as mentioned by Danny. He didn’t say anything about writing a compiler.

Fair enough. My incorrect wording.

@Suedkiez , the discussion started when I mentioned my router identified my ROCK/NUC as “Red Hat”. Danny made it very clear ROCK is not built on any standard distro. As I said, instead of telling me “Neil you don’t understand what Danny wrote”, ask him yourself. This conversation isn’t getting any more appealing pointing your finger at me.

Systems using xz are only vulnerable if version 5.4.7 or higher is used.

Right now no Debian stable versions are known to be affected. Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1. The package has been reverted to use the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1.

Users running Debian testing and unstable are urged to update the xz-utils packages.

More information:

https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

No reason to panic, but keeping your systems up to date is good practice anyway.

1 Like

Sure, but that’s an entirely different thing. They are taking what they need from the available pool of free and open-source software (see Wikipedia), write some glue code themselves, and assemble their own specialized Linux-based system from it. Similar to how other Linux distributions do it, but not based on any existing one.

I’m only making sure of the facts. When security is involved, we don’t want to confuse anyone :slight_smile:

1 Like

All very sneaky, too.

1 Like

Thanks. Crazy stuff and a very long con. We got lucky here, this time. Looking forward to the ongoing investigation.

Yikes! With a lot of help from here I recently updated the OS, ArchLinux version 5.8.5 before update, on my Salkstream III.

I see some versions of ArchLinux are affected by this issue.

https://archlinux.org/

The system info on my Salkstream shows this

Am I interpreting this info (version numbers?) correctly to mean my system isn’t affected by this issue?

I also found this on the Wikipedia page:

XZ Utils - Wikipedia.

I’m guessing this means the version of ArchLinux I have doesn’t use the xz compression tool that is affected by the backdoor issue?

This stuff is above my pay grade, so any help/guidance is greatly appreciated! :grinning:

I cannot tell from the output you posted whether your system got the backdoor or not. Since you did upgrade some days ago, I guess it could very likely be the case.

With the command pacman -Q you can see what you have installed.

Run

pacman -Q | grep xz

You can also PM me.

1 Like

PM sent.


https://archlinux.org/news/the-xz-package-has-been-backdoored/

Note:

Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command:

ldd "$(command -v sshd)"

However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.

1 Like
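The two checks recommended in the thread (the `pacman -Q | grep xz` version check a few posts up, and the Arch news `ldd` check on sshd quoted just above) combined into one POSIX shell triage script. This is an added example, not code from the thread, from Roon, or from the Arch or Debian advisories. It assumes that the upstream releases known to carry the CVE-2024-3094 payload are 5.6.0 and 5.6.1, and that Debian's rollback packages use the `+reallyX.Y.Z` version suffix shown in the Debian advisory quoted earlier; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: quick CVE-2024-3094 (xz backdoor) triage for a single host.
# Check 1: is the installed xz / distro xz package a backdoored upstream release?
# Check 2: does the sshd binary link liblzma at all (the known attack vector)?

# Return 0 if the upstream version contained in $1 is a known backdoored
# release (5.6.0 or 5.6.1), 1 otherwise. Accepts bare upstream versions
# ("5.6.1"), distro package versions ("5.6.1-1", "5.6.1-3") and Debian
# rollback versions ("5.6.1+really5.4.5-1", where the real code is 5.4.5).
xz_version_affected() {
  v="$1"
  case "$v" in
    *+really*) v="${v##*+really}" ;;   # Debian rollback: use the "really" part
  esac
  v="${v%%-*}"                          # drop distro revision (-1, -0.1, ...)
  case "$v" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# Parse one "name version" line as printed by `pacman -Q` (or by dpkg-query
# with the format used in main) and return 0 if that package is backdoored.
pkg_line_affected() {
  xz_version_affected "${1#* }"
}

# Return 0 if sshd is dynamically linked against liblzma, 1 if it is not,
# 2 if no sshd binary was found (nothing to check). Mirrors the Arch advice:
# ldd "$(command -v sshd)" | grep liblzma
sshd_links_liblzma() {
  sshd_bin="$(command -v sshd 2>/dev/null || true)"
  [ -z "$sshd_bin" ] && [ -x /usr/sbin/sshd ] && sshd_bin=/usr/sbin/sshd
  [ -n "$sshd_bin" ] || return 2
  ldd "$sshd_bin" 2>/dev/null | grep -q liblzma
}

main() {
  status=0
  if command -v xz >/dev/null 2>&1; then
    # first line of `xz --version` is "xz (XZ Utils) X.Y.Z"
    ver="$(xz --version 2>/dev/null | awk 'NR==1 {print $NF}')"
    if xz_version_affected "$ver"; then
      echo "xz $ver: known backdoored upstream release (CVE-2024-3094), update now"
      status=1
    else
      echo "xz $ver: not one of the backdoored upstream releases"
    fi
  else
    echo "no xz binary in PATH"
  fi
  # Distro package view, where a package manager is present.
  if command -v pacman >/dev/null 2>&1; then
    pacman -Q xz 2>/dev/null | while read -r line; do
      pkg_line_affected "$line" && echo "package backdoored: $line" || echo "package ok: $line"
    done
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Package} ${Version}\n' xz-utils liblzma5 2>/dev/null | while read -r line; do
      pkg_line_affected "$line" && echo "package backdoored: $line" || echo "package ok: $line"
    done
  fi
  sshd_links_liblzma
  case $? in
    0) echo "sshd links liblzma: the known sshd attack vector applies here"; status=1 ;;
    1) echo "sshd does not link liblzma (as on Arch); upgrade anyway" ;;
    2) echo "no sshd binary found" ;;
  esac
  return $status
}

main "$@"
```

Run it as root (or any user that can execute `ldd` and the package manager queries); a non-zero exit means at least one of the two checks fired. The version check only recognises the two upstream releases that shipped the payload, so, following the Debian advisory above, treat any 5.5.x pre-release package as suspect as well and upgrade regardless, since removing the code is the only safe state.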