My mastodon feed is full of IT security specialist talking about the xz affair where someone let a backdoor in some library.

But beside showing the two side of Free/Libre software (anybody can add a backdoor, and anybody can spot it), I have no idea how it impacts the average person. Is it a common library or something used only by specific application ? Would my home-grade router protects me ?

  • neatchee@lemmy.world
    13·
    3 个月前

    Quick summary:

    • only impacts Debian and Linux distributions that utilize RPM for packages
    • only impacts cases where liblzma is compiled from a tarball, rather than cloned source repository or precompiled binary
    • only impacts x64 architecture
    • introduced in liblzma 5.6.0 which was released in late February so only impacts installs receiving updates to liblzma since then

    liblzma is a library for the lzma compression format. Loosely, this means it’s used by various other pieces of software that need this type of compression, rather than being an application itself.

    It is very widely used. It comes installed on most major Linux distributions and is used by software like openssh, one of the standard remote connection packages.

    However, since it was only in the tarball, you wouldn’t see it widely until debian, fedora, et al release a new version that includes the latest liblzma updates. This version hadn’t been added to any of the stable release channels yet, so the typical user wouldn’t have gotten it yet.

    I believe this would have gone out in debian 12.6 next week, and the attacker was actively petitioning fedora maintainers to get it added to fedora 40 & 41

    The interesting thing about this situation was how much effort the attacker put in to gain trust just to get to the point where they could do this, and how targeted the vulnerability seems to have been. They tried very hard to reduce the likelihood of being caught by only hitting a limited set of configurations