Xz Utils malware reported today

Thanks.

The command Peter posted indicated I am affected by this issue, so I’m running pacman -Syu now.

3 Likes

Well you have the backdoored package, I guess, but aren’t affected by the known exploit (because Arch can’t be)

However, this backdoor is looking increasingly like a very professional attack and the same actor checked in many other changes to xz, so more backdoors may yet come to light and everyone should diligently keep their systems up to date (as usual, but this incident serves as a reminder)

1 Like

Thank you for the info. :smiley:

After updating, I now have the updated xz version. :ok_hand:

I guess I need to check the ArchLinux site on a frequent basis to see if issues pop up in the future.

So much for my streamer being the “appliance” I had hoped it would be (I guess this applies to any “computer audio” streamer these days).

Thank you for posting this! It turns out the version of ArchLinux I recently updated to was affected by this. Had I not seen your post I would have never known. :scream:

1 Like

This is true. All streamers are computers today. As soon as they have network connectivity they need regular updates.

1 Like

Lesson learned. :smiling_face:

1 Like

I don’t care what others say about Roonies :grin:, you guys are awesome!

1 Like

Running the general system update with pacman -Syu should keep everything in order.

IMHO, Arch is simply not a good choice for this kind of system. It has other goals. Other Linux distros can install security updates automatically with zero disruption.

It also shows how paring down the system to the absolute minimum, like ROCK, is a good idea for an appliance. It doesn’t guarantee that packages don’t need security updates, but it reduces the surface, and makes it easier for the maintainer (Roon in this case)

2 Likes

The issue I’m running into with updating is it breaks AirPlay (shairport) on my streamer. When I updated earlier this month, I figured this was because the OS hadn’t been updated in years. It seemed I was able to fix it by replacing the shairport-sync file with a copy Salk sent to me back in 2016 to fix the AirPlay/Shairport function.

When updating today, AirPlay/Shairport broke again. Even though it appeared the shairport-sync file had not changed, I again replaced it with the copy from Salk I had saved, but this time it didn’t seem to work. After a few reboots, it seems to be working again. I have no idea why this is happening. Will I have to go through this every time I update? I’m not feeling confident next time I’ll be able to get it working again.

I’d really not prefer to add additional equipment to get AirPlay (my pre/pro is an oldie and lacks AirPlay/network features, but it’s a goodie I want to keep!) if I can avoid it.

When it comes time to replace the Salkstream, I’ll definitely be looking at using something with ROCK to get more of an “appliance” experience.

Speaking of regular updates, how often should the “mirror list” be updated?

For clarity for those reading this thread, when I checked the xz version I had, it reported xz 5.6.1-1 (bad!). After the update, it reports xz 5.6.1-2 (good!).

1 Like

Unfortunately, I am not an expert on Arch (or other distros that want me to dedicate my life to maintaining them - they have their uses, but they are not for me). I’d expect my distro to keep its mirrors up to date automatically, but no idea about Arch.

That’s unfortunate. It’s typical that package management systems overwrite the files that are in the package when you update, but the maintainer is expected to create their own package if they need a specific edited file. But, sorry to say, this whole Salk system seems to be quite poorly cobbled together, based on what you write about it.

Lol, yeah, recently it feels like I’m dedicating too much time to this.

What OS do you use?

Overall, I’ve been very happy with the Salkstream’s performance and Mr. Salk has always provided great customer service (even since his retirement). But then, I’m far from qualified to make any real judgements about how well the Salkstream is put together. :blush:

PS - I posted a link to this thread on AudioCircle/Salk forum in case other Salkstream owners are affected.

EDIT: Oops! I see you use ROCK. :+1:

OK, but such a system should take care of itself, not expect the user to run pacman commands or need customer service that one person can’t realistically provide.

Yes, and precisely because my life is computers and I don’t want to be bothered by them when listening to music.

1 Like

On one hand I understand using Arch being a rolling release but it’s not infallible and it’s bleeding edge, hence my use of vanilla Debian for my NUC and anything where I want reliability.

I don’t know how this streamer was updated over the years, hopefully it pulled updates from its own repos like Manjaro, needing no manual conf file intervention for the user etc.

Expecting someone to run Pacman is ridiculous.

1 Like

This certainly has been a learning experience and will be useful information when it comes time for a new streamer. :+1:

1 Like

xkcd pointed out the problem long ago, as usual :slight_smile:

3 Likes

Updates.

3 Likes

This seems to me a somewhat more detailed and fascinating read on this attack. The discussion raises some interesting points, amongst much speculation. Further, more technical payload analyses are referenced.

1 Like

And for the still more technically inclined, here is a detailed and interesting walk-through of the xz-utils attack shell script, by Russ Cox, one of the original authors of the Go programming language:

https://research.swtch.com/xz-script

As someone else commented, this reads like a thriller…

1 Like